locked
Possible security conflict setting

Question

  • Hey guys, I need to understand a setting or two in a GPO we have. We have a pretty paranoid security department here. They have a GPO at the domain level (Win2k3) that I think has some conflicting settings.

    Under Computer Configuration/Security Settings/Account Policies/Account Lockout there are 3 settings: account lockout duration, account threshold and account lockout counter. OK, here is what I believe is the problem: account lockout duration 0 minutes, invalid lockout attempts 3, reset account lockout counter 30 minutes.

    According to the built-in help, the reset account lockout counter should be EQUAL TO or LESS THAN the account lockout duration. You can set the account lockout duration to 0, which requires an admin to unlock the account, but the counter reset setting wants to default to 30 minutes; you can set it to 1 minute, but not 0, equal to the setting for account lockout duration.

    We have users that will put their pw in wrong 3 times, lock their account out, call our help desk, and get the account unlocked. They go back to working and within 30 minutes type their pw in wrong and get locked out again. People are starting to get very frustrated and are looking to me to fix this problem.

    Here's my question: can the reset account lockout counter be turned off some other way, with the account lockout duration left on and set to 0 minutes so that an admin has to unlock the account? If I try to unset the counter then it sets everything back to Not Defined, which security will have a fit about. Or am I way off? Anyone have any ideas/solutions?

    Thanks guys!!

    Mike

    Friday, July 27, 2007 10:00 PM

Answers

  • Hi

    What you are seeing is by design, and there is a really great whitepaper written to describe the different settings, the risks and recommended settings. I know it is a bad thing to do in a reply to just link to a whitepaper, but I read through it again now and it can really help you find a good setting and give you ammo when you talk to security as well.

    There are best practices on the related GP settings but also recommendations on how to handle cached credentials when users' passwords have been changed, the user logs on and an application with old credentials locks the account again...

    Link to whitepaper: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    There is also a download called Account Lockout Management Tools that extends AD and helps troubleshoot issues. http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

    Brjann

    Saturday, August 11, 2007 2:48 PM
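    As an added example (not from the thread or from Microsoft's whitepaper), the following PowerShell checks the three lockout settings from the question against the rule quoted from the built-in help and lists recent lockout events by calling computer, which is how you find the stale cached credential Brjann describes. It assumes the RSAT ActiveDirectory module, a domain controller running Windows Server 2008 or later (event ID 4740; the 2003 domain in the question logs lockouts as event 644), and that Get-ADDefaultDomainPasswordPolicy reports the indefinite ("0 minutes") lockout duration as a zero TimeSpan.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module and
# that an indefinite lockout duration is reported as a TimeSpan of 00:00:00.
Import-Module ActiveDirectory

$policy    = Get-ADDefaultDomainPasswordPolicy
$duration  = $policy.LockoutDuration.TotalMinutes
$threshold = $policy.LockoutThreshold
$window    = $policy.LockoutObservationWindow.TotalMinutes

"Lockout duration    : $duration min (0 = admin must unlock)"
"Lockout threshold   : $threshold bad attempts"
"Reset counter after : $window min"

# Rule from the built-in help: the reset window must be <= the lockout duration.
# A duration of 0 means "until an admin unlocks", which satisfies the rule for any
# window, so the 0 / 3 / 30 combination in the question is internally consistent.
if ($threshold -eq 0) {
    "Lockout is disabled (threshold 0); the other two settings have no effect."
} elseif ($duration -ne 0 -and $window -gt $duration) {
    "Misconfigured: reset window ($window) exceeds lockout duration ($duration)."
} else {
    "Policy is internally consistent."
}

# Every lockout is recorded on the PDC emulator as event 4740, which names the
# locked account and the computer that sent the bad password. A user who is
# relocked minutes after an unlock usually shows up here with a source that is
# not their workstation: a mapped drive, scheduled task or service still holding
# the old password.
$pdc    = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName: the locked account
            Source  = $_.Properties[1].Value   # TargetDomainName: caller computer name
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

    Run it as a domain admin on a machine that can read the PDC emulator's Security log; the grouped output points the help desk at the machine to fix before unlocking the account again.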
  • Have a look at the local security policy if your computer is not a member of a domain. If you use it at home it probably isn't.

    This thread is off topic for this forum so the thread will be locked. If you need more help on this subject, please post your question in the Windows XP newsgroup: http://www.microsoft.com/windowsxp/expertzone/newsgroups.mspx
    Friday, September 07, 2007 2:39 PM
    Moderator

All replies

  • This is what happened to me after I locked myself out of my home PC because I could not remember my password to enter Windows. There was no way to get in and it cost a lot of money to have an engineer come out. Even Microsoft couldn't help on the phone because I was the administrator and it was at my command. Anyway, I just wondered if you could help me here.

    Have you any idea what these error messages mean please? Error#: -935 Error#: 94001 Null Input Paramater Unexpected D4 Field. (2 weeks ago an engineer did a full system restore because I had locked myself out of my PC.) All seemed well, except I cannot turn my PC on/off/restart (I have to unplug it). This worries me in case I lose things. It keeps going into hibernation mode even though I uncheck that box. I am just worried something is wrong.

    Thanks so much if you can help. suz

    Sunday, August 12, 2007 5:04 PM
  • Hi Suzhannah

    I suggest you post this to a Windows XP forum instead of this Windows Server 2008 forum.

    http://www.microsoft.com/technet/community/newsgroups/default.mspx

    Sad to read about your password and that Microsoft support could not help out.

    There are three articles on our support web that explain things around passwords in Windows XP. Start here, and at the bottom of the article you have a link to the next one:

    http://support.microsoft.com/kb/894900/

    But if you don't have a password reset disk you would need to start the machine from a CD/DVD or other media to run third-party tools to actually reset the password. These tools are not supported by Microsoft; do a search for "reset password" from your favorite search engine (live.com:-)). Or go to the Windows XP newsgroup from the first link above and search for "reset password".

    Brjann

    Sunday, August 12, 2007 5:32 PM
  • Thanks for the response Brjann. I will take a look at the whitepapers you linked. Hopefully it will answer my question, find a better solution, and give me the ammo I need to go up to our security dept. Like I said, people are really starting to get frustrated at this issue. Thanks again, I will let you know what I find out!

    Thanks,

    Mike

    Monday, August 13, 2007 1:15 PM
  • suzhannah wrote:
    This is what happened to me after I locked myself out of my home PC because I could not remember my password to enter Windows. There was no way to get in and it cost a lot of money to have an engineer come out. Even Microsoft couldn't help on the phone because I was the administrator and it was at my command. Anyway, I just wondered if you could help me here.

    Have you any idea what these error messages mean please? Error#: -935 Error#: 94001 Null Input Paramater Unexpected D4 Field. (2 weeks ago an engineer did a full system restore because I had locked myself out of my PC.) All seemed well, except I cannot turn my PC on/off/restart (I have to unplug it). This worries me in case I lose things. It keeps going into hibernation mode even though I uncheck that box. I am just worried something is wrong.

    Thanks so much if you can help. suz

    Did you ever get this resolved? Did the "engineer" give you back full admin rights?

    Monday, August 20, 2007 8:47 PM
  • Hi

    This question was redirected to another forum.

    Here is a link to the post from suzhannah:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1995635&SiteID=17

    Brjann

    Monday, August 20, 2007 8:57 PM
  • Hi Bizd.

    Thanks for asking.

    I tried so many forums and got redirected all over the place: XP directed me to the hardware forum, they said not us and directed me to the software forum, they said not us, go to TechNet, so a vicious circle.

    Still, my 15-year-old son managed to sort out the stop/start/reset problem. The engineer was to call back, but no sign of him since I paid him!

    Re errors,

    he has obviously done something deep in my security settings, because there are a million websites I cannot access anymore from my Explorer; it reads 'restricted zone' for just about everything. I have changed all the security settings I can find to allow me to read whatever, but this won't work. All the websites have normal content, i.e. history sites, essay sites, airlines, even dry cleaners and telephone directory sites, nothing bad, just normal, but whatever this guy did it wasn't worth the money he charged and I am still left with the same problem and no answer to the errors I reported.

    Am totally at a loss what to do now.

    Thanks anyway

    suz

    Tuesday, August 21, 2007 8:48 AM