Re: Strong passwords and user locking?

You are right, not a lot to test on this side. However I did sort of want
to play around with scripting to give my managers a real easy way to reset
passwords and unlock users. That's the kind of testing I had in mind.

Thanks,
Linn

"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:uUGDQfJeIHA.5400@xxxxxxxxxxxxxxxxxxxxxxx
There's not a lot to test. The user's password will not be affected until
it expires, or you set it to be changed at next logon, so you can
introduce it that way and change it back if you don't like it.
Anthony,
http://www.airdesk.co.uk



"Linn Kubler" <lkubler@xxxxxxxxxxxxxxxxxx> wrote in message
news:e%23XfYUJeIHA.5996@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the help Anthony. But man, that means it's all or nothing, I
can't even test this before forcing it on everyone? I don't like that a
bit.

Thanks,
Linn

"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:OqjNu4EeIHA.5552@xxxxxxxxxxxxxxxxxxxxxxx
You need to set the account policy in the root of the domain.
There's a good article about it here:
http://technet2.microsoft.com/windowsserver/en/library/cda0eee3-a52e-4c1b-a9d7-0c70f122ada91033.mspx?mfr=true
and here:
http://technet2.microsoft.com/windowsserver/en/library/b04678d1-510f-48d3-8d10-dce2e61972d71033.mspx?mfr=true
Hope that helps,
Anthony
http://www.airdesk.co.uk


"Linn Kubler" <lkubler@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23EbkLlAeIHA.5548@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I've been asked to force our users to use strong passwords with user
lockouts after a number of wrong attempts. So I started small and
setup a new OU and created a test user in it. I then created a goup
policy, associated it to my new OU and set the Account Lockout
Threshold to 3, which in turn set the duration and Reset Account
Lockout Counter After to 30 minutes. The policy is linked to my OU and
I'm filtering on Domain Users.

Now when I look at the settings of my group policy it doesn't show my
lockout settings and when I login as the test user it doesn't show this
policy in GPResults I've done a GPUPDATE but that didn't help. So
what am I missing? I suspect it's something obvious but I'm stumped
once again.

Thanks in advance,
Linn









.

Relevant Pages

  • Re: OU group policy and how to use ldapsearch to find GPO settings
    ... To find the default domain policy settings, ... If I configure the account lockout policy in the default domain policy, ...
    (microsoft.public.windows.group_policy)
  • RE: 529 Logon Failures - 138 Events
    ... I am using complex passwords....I have not configured the lockout feature. ... Can I configure a lockout policy for the server itself? ... If I lock the server will I be able to unlock it to do maintenance? ... Configure account lockout policy. ...
    (microsoft.public.windows.server.sbs)
  • Re: Strong passwords and user locking?
    ... expires, or you set it to be changed at next logon, so you can introduce it ... which in turn set the duration and Reset Account Lockout Counter After ... The policy is linked to my OU and I'm filtering on ... lockout settings and when I login as the test user it doesn't show this ...
    (microsoft.public.windows.server.security)
  • Re: Strong passwords and user locking?
    ... Thanks for the help Anthony. ... which in turn set the duration and Reset Account Lockout Counter After to ... The policy is linked to my OU and I'm filtering on Domain ... lockout settings and when I login as the test user it doesn't show this ...
    (microsoft.public.windows.server.security)
  • Re: Service Accounts & Account Lock out Policy
    ... Also I would say that 5 bads is extremely low and will likely be counterproductive and cause you more issues than it is worth. ... If you set the policy as low as 25 with a five minute lockout reset this should be more than adequate to prevent brute force attacks and not completely piss off your users when they fat finger. ... I don't want to this policy to apply to the Service accounts used by the applications as it will lock-out the service account and will stop it. ...
    (microsoft.public.security)