Re: Account lockout duration=30 minutes, however account remains locked indefinitely.

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/18/04


Date: Thu, 18 Nov 2004 22:40:55 GMT

Try running net accounts on the domain controllers to see what they report
as the account lockout setting. The domain is the place to configure such a
setting. If you have more than one GPO in the domain container, the GPO at
the top of the list takes precedence and can therefore override Domain
Security Policy. The other thing that can happen is that if password/account
policy is changed while block inheritance is enabled on the domain
controllers container, the new policy will not apply. I would also verify
proper replication of Group Policies using the support tool gpotool which
will tell the sysvol and AD version of all GPOs on the domain controllers
it finds and report mismatches.

--- Steve

"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:e%23yLcVYzEHA.2316@TK2MSFTNGP15.phx.gbl...
> In Win2000SP4 root domain, Domain Security Policies I have
> Account lockout duration=30 minutes
> Account lockout threshold =15 invalid logon attempts
> Reset account lockout counter after=30 minutes
>
> However, when somebody gets locked out, it remains locked for several days
> and account gets unlocked upon manual intervention.
> I think that's the correct way anyway, otherwise somebody attempting to
> discover a password would just keep trying if accounts got unlocked after
> 30 minutes.
>
> However, what I don't understand is why even if the settings above are
> enabled, accounts still remain locked after 30 minutes? It seems settings
> above don't work or is it my interpretation that is incorrect?
>
>
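
The first check suggested in the reply (compare what net accounts reports on each domain controller with the policy that was configured) can be scripted as below. This is an added example, not part of the original posts: the DC names and the captured output are constructed, and the "Never" value shown for a duration with no automatic unlock is an assumption about how net accounts displays it.

```python
import re

# Policy the original poster says is configured (values from the quoted message).
EXPECTED = {
    "Lockout threshold": "15",
    "Lockout duration (minutes)": "30",
    "Lockout observation window (minutes)": "30",
}

# Constructed captures of `net accounts` output; DC names and values are made up.
CAPTURES = {
    "DC1": """Lockout threshold:                                    15
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.""",
    # Assumption: "Never" is how a no-automatic-unlock duration is displayed.
    "DC2": """Lockout threshold:                                    15
Lockout duration (minutes):                           Never
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.""",
}

def parse_net_accounts(text):
    """Map each 'label:   value' line of net accounts output to {label: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"(.+?):\s+(\S.*)$", line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(captures, expected=EXPECTED):
    """Return (dc, setting, reported, expected) for every DC that deviates."""
    findings = []
    for dc in sorted(captures):
        reported = parse_net_accounts(captures[dc])
        for setting, wanted in expected.items():
            found = reported.get(setting, "<missing>")
            if found != wanted:
                findings.append((dc, setting, found, wanted))
    return findings

if __name__ == "__main__":
    for dc, setting, found, wanted in audit(CAPTURES):
        print(f"{dc}: {setting} is {found!r}, expected {wanted!r}")
```

A domain controller that shows up here with a different lockout duration is the one to examine for the GPO precedence, block inheritance and replication problems the reply describes.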


