Re: AD accounts not being unlocked when "lockout duration" setting

From: PSmith2112 (PSmith2112_at_discussions.microsoft.com)
Date: 10/25/04

  • Next message: Laura E. Hunter \(MVP\): "Re: Restriction of log-in" 
    Date: Mon, 25 Oct 2004 08:03:02 -0700

    I had actually run it from my workstation. This is a Win2K domain running in
    native mode and I get the same result from the PDC FSMO, which looks good:

    C:\Temp>net accounts
    Force user logoff how long after time expires?: Never
    Minimum password age (days): 0
    Maximum password age (days): 90
    Minimum password length: 6
    Length of password history maintained: None
    Lockout threshold: 4
    Lockout duration (minutes): 15
    Lockout observation window (minutes): 5
    Computer role: PRIMARY
    The command completed successfully.

    GPOTool looks good as well (output is lengthy so I'll spare you that). DS
    version, Sysvol version and Functionality version all match and gpotool
    reports "Policies OK".

    But still user accounts don't unlock unless we manually unlock
    them...frustrating. And rare I guess since I haven't had much luck finding
    any info on it or others who have had the same or similar problem...

    Thanks for the help though,
    Paul

    "Steven L Umbach" wrote:

    > Did you run this on a Windows 2000 domain controller or a NT4.0 domain
    > controller? The reason I ask is that the computer role shows as "backup"
    > which I am not sure if that indicates a NT4.0 BDC or a Windows 2000 domain
    > controller that is not the PDC fsmo. You might also want to run net accounts
    > on the pdc fsmo and run the support tool gpotool to see if policy is
    > replicating correctly. When you run gpotool, you should see all your domain
    > controllers listed with versions of both AD and sysvol policy. It will
    > report any problems such as mismatches. --- Steve
    >
    >
    > "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
    > news:9DE40826-8CAB-4CF1-9884-1A92CF330BBF@microsoft.com...
    > > Yes, it all looks good:
    > >
    > > C:\>net accounts /domain
    > > The request will be processed at a domain controller for domain
    > > <domainName>.
    > >
    > > Force user logoff how long after time expires?: Never
    > > Minimum password age (days): 0
    > > Maximum password age (days): 90
    > > Minimum password length: 6
    > > Length of password history maintained: None
    > > Lockout threshold: 4
    > > Lockout duration (minutes): 15
    > > Lockout observation window (minutes): 5
    > > Computer role: BACKUP
    > > The command completed successfully.
    > >
    > >
    > > It's the strangest thing, but appreciate any help or suggestions anyone
    > > has.
    > >
    > > Thanks,
    > > Paul
    > >
    > >
    > >
    > > "Steven L Umbach" wrote:
    > >
    > >> Don't know offhand. When you run the " net accounts " command on the
    > >> domain
    > >> controller does it show 15 minutes for the lockout duration? --- Steve
    > >>
    > >>
    > >> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
    > >> news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
    > >> > Our default domain account lockout policy is set like this:
    > >> >
    > >> > Lockout Threshold - 4 attempts
    > >> > Lockout Duration - 15 minutes
    > >> > Reset Counter After - 5 minutes
    > >> >
    > >> > User accounts are being locked out correctly when the threshold is met,
    > >> > but
    > >> > they are NOT being unlocked when the lockout duration period is
    > >> > reached.
    > >> > Once locked out, user accounts are staying locked out until they are
    > >> > manually
    > >> > unlocked.
    > >> >
    > >> > Nothing obvious in the event logs. Any ideas?
    > >> >
    > >> > Thanks,
    > >> > Paul
    > >>
    > >>
    > >>
    >
    >
    >

  • Next message: Laura E. Hunter \(MVP\): "Re: Restriction of log-in"
    • Quantcast