Account Lockout threshold policy

    Question

  • We have a DC on Windows Server 2008; we created an account lockout policy as follows:

    - Account lockout duration: 999 minutes
    - Account lockout threshold: 7 invalid login attempts
    - Reset account lockout counter after 999 minutes

    But after only one failed attempt the account is locked out! Due to this we are facing so many problems.

    Please help?



    Kind Regards, Reda Kotb
    Monday, August 22, 2011 6:34 AM

Answers

All replies

  • Hello,

    Do you mean that when the user performs only a single logon failure, his account gets locked?

    If yes then:

    • Check that the lockout policy is linked at the domain level. Use rsop.msc to check the applied settings on the client computers.
    • Check that there are no PSO objects linked to this user / one of his groups. More here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
    • Check that you don't have replication problems using DCdiag.exe.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, August 22, 2011 6:46 AM
  • Hi,

    The password policies and security policies are always set at the domain level. Settings regarding password or account lockout only work at the domain level.

    Password policies set at the OU level will affect only the local accounts created on the computers in the specific OU.

    If you want multiple password policies, you can achieve this through fine-grained password policies.

    You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.

    For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

    Windows Server 2008 - Fine Grained Password Policy Walkthrough

    http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx

     

    AD DS: Fine-Grained Password Policies

    http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx

     

    More info on how to modify password settings:

    Apply or modify password policy

    http://technet.microsoft.com/en-us/library/cc781633%28WS.10%29.aspx

    Passwords must meet complexity requirements

    http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

    Password Policy

    http://technet.microsoft.com/en-us/library/cc783512%28WS.10%29.aspx


    Monday, August 22, 2011 8:19 AM
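The check raised in the first two replies (does a fine-grained policy override the domain lockout settings for the affected user?), as an added PowerShell example that is not part of any reply. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or RSAT, talking to a DC that runs Active Directory Web Services); `jdoe` is a hypothetical account name.

```powershell
# Added example (not from the thread): which lockout settings apply to one user?
# Assumes the ActiveDirectory module; 'jdoe' is a hypothetical account name.
Import-Module ActiveDirectory
$user     = 'jdoe'
$expected = 7      # threshold the original poster configured

# Domain-wide account lockout settings
$domain = Get-ADDefaultDomainPasswordPolicy

# A fine-grained policy (PSO) linked to the user or one of his groups overrides
# the domain settings. The cmdlet returns nothing when no PSO applies.
$pso = Get-ADUserResultantPasswordPolicy -Identity $user

if ($pso) {
    $effective = $pso
    $source    = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
} else {
    $effective = $domain
    $source    = 'Default domain policy'
}

$effective |
    Select-Object @{n='Source'; e={$source}},
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

if ($effective.LockoutThreshold -ne $expected) {
    Write-Warning ("Effective threshold for $user is " +
        "$($effective.LockoutThreshold), not $expected. Source: $source")
}

# Every PSO in the domain, lowest precedence value (the winner) first
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, AppliesTo |
    Format-Table -AutoSize
```

If the source is the default domain policy and the threshold is still not the configured value, the GPO carrying the setting is not the one winning at the domain level, which is what rsop.msc or gpresult on a domain controller will show.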
  • Hi,

     

    I would like to confirm what related event error was encountered?

     

    Sometimes, some service accounts with the old password will cause the issue.

     

    Based on the current situation, you may refer to the following Microsoft articles for how to troubleshoot this issue:

     

    Maintaining and Monitoring Account Lockout

    http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx

     

    Auditing failed logon events and account lockouts

    http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

     

    Troubleshooting account lockout the PSS way

    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

     

    Account Lockout Tools

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

     

    Regards,

     

    Forum Support

    Tuesday, August 23, 2011 5:00 AM
    Moderator
  • Hi,

    Common causes of account lockout policies are

    • Scheduled tasks
    • Persistent drive mappings
    • Service accounts
    • Stored user names and passwords retain redundant credentials

     

    Use ALtools to troubleshoot the account lockouts.


    Account Lockout and Management Tools

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465


    Troubleshooting Account Lockouts the PSS way

    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx


    Tuesday, August 23, 2011 5:26 AM
  • Hi,

    Run RSOP.msc on one of the client PCs and check which account lockout policy it is taking. Check the Default Domain Policy to see if any password policy is applied there. Also check other policies applied at the domain level for any account lockout policy.

    Tuesday, August 23, 2011 6:28 AM
  • Hi,

    Use ALTools to see from which DC the accounts are getting logged.

    Then use the EventCombMT tool to search for account-lockout-specific events on that DC. Analyze the logs and you will find the reason for the lockout.

    Account Lockout and Management Tools

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

    How to use the EventCombMT utility to search event logs for account lockouts

    http://support.microsoft.com/kb/824209


    Tuesday, August 23, 2011 6:32 AM
  • Hi,

    Do you have an enforced Domain Policy? Run "gpresult" on a client and see if the policy applies. Post the output.

    Hope it helps.


    MCTS...
    Tuesday, August 23, 2011 9:48 AM
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    Forum Support
    Tuesday, August 30, 2011 6:44 AM
    Moderator
  • Account locked out Troubleshooting

    Try to find the DC name where that account is locked out. You can use LockoutStatus.exe (a free Microsoft tool).

    Then use EventCombMT.exe to search for account lockout events. That is a built-in search in EventCombMT.exe.

    Download the tool

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

    For additional help see the below link

    http://blogs.technet.com/b/askds/archive/tags/account+lockout/

    http://www.windowstricks.in/2009/07/account-lockout.html


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Tuesday, August 30, 2011 10:55 AM
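The two-step procedure from the replies above (find the DC that recorded the lockout, then search its Security log), as an added PowerShell example that is not part of any reply and does not replace LockoutStatus.exe or EventCombMT. It assumes the ActiveDirectory module, rights to read the Security log on the domain controllers, and DCs that log lockouts as event ID 4740 (Windows Server 2008 and later); `jdoe` is a hypothetical account name.

```powershell
# Added example (not from the thread). 'jdoe' is a hypothetical account name.
Import-Module ActiveDirectory
$user = 'jdoe'

# 1. Per-DC view, similar to LockoutStatus.exe. badPwdCount is not replicated,
#    so every domain controller has to be asked separately.
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $user -Server $dc.HostName `
             -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
    New-Object PSObject -Property @{
        DC              = $dc.HostName
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = $u.LastBadPasswordAttempt
        LockedOut       = $u.LockedOut
    }
}
$status | Sort-Object LastBadPassword -Descending |
    Select-Object DC, BadPwdCount, LastBadPassword, LockedOut |
    Format-Table -AutoSize

# 2. Lockout events from the last day on the PDC emulator, which also
#    records lockouts processed by the other DCs.
$pdc    = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
}

$events | ForEach-Object {
    $evt  = $_
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    if ($data['TargetUserName'] -eq $user) {
        New-Object PSObject -Property @{
            Time           = $evt.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 this field holds the caller computer name
            CallerComputer = $data['TargetDomainName']
        }
    }
} | Select-Object Time, Account, CallerComputer | Format-Table -AutoSize
```

The caller computer is where to look for the causes listed earlier in the thread: scheduled tasks, persistent drive mappings, services, and stored credentials still using an old password.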