Account Lockout Policy is still being enforced

    Question

  • Hi,

    I have a Windows Server 2003 domain and recently configured an account lockout policy in the Default Domain Policy. One week later, my boss told me to disable it because it sometimes gives headaches to end users. I disabled it and issued a 'gpupdate /force' command. I noticed some accounts are still being locked out and I had to unlock them. Now it gives me (the IT admin) a headache. It looks like a bug.

    Any idea about how to sort this out?

    Thanks

    Sunday, July 26, 2015 2:54 PM

Answers

  • How long has it been since you made the change and removed that bit from the default policy?

    While not necessarily helpful in this instance, for future it's always recommended to never make changes to the default domain policy itself, since if you make a mistake you can't easily delete it without causing issues. Always create new policies for the specific things you're trying to do, and ideally when making changes update the GPO name with some kind of version number. That way if you no longer need something you can simply remove the entire GPO rather than having to edit it, and by having a version number you can easily see via gpresult whether a machine has picked up the latest version or not.

    Sunday, July 26, 2015 4:56 PM
  • I assume you disabled the account lockout policy by unchecking the checkbox (setting it to the undefined state). I guess it will not work for users where the policy has already been applied. Just set "Account lockout threshold" to zero and your accounts will never be locked.

    https://technet.microsoft.com/en-us/library/hh994574(v=ws.10).aspx

    You can set a value from 1 through 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0.

    Sunday, July 26, 2015 5:04 PM
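Why a setting left "Not Defined" keeps biting, and a way to see it, as an added example that is not part of this thread: domain controllers copy the [System Access] values of the GPOs linked at the domain root onto attributes of the domain object itself (lockoutThreshold, lockoutDuration, lockOutObservationWindow), and those attributes are what a DC consults when a logon fails. A GPO that no longer defines a value never rewrites the attribute, so the old threshold stays in force until some domain-linked GPO writes a new one, which is why setting the threshold to 0 works and unchecking it does not. The script below (assumed to run as a domain user on a domain-joined machine with PowerShell 2.0 or later; it uses plain ADSI and the SYSVOL share, so no RSAT module and no Server 2008 R2 DC is required) prints the attributes the DCs are enforcing next to what each domain-linked GPO's GptTmpl.inf actually defines:

```powershell
# Added example, not code from the thread. Compares the account lockout values
# AD is enforcing (attributes on the domain object) with what each GPO linked
# at the domain root defines in its GptTmpl.inf under SYSVOL.
# Assumes a domain-joined machine, a domain user, PowerShell 2.0+ and read
# access to SYSVOL. No RSAT / ActiveDirectory module is needed.

# AD stores lockoutDuration and lockOutObservationWindow as negative
# 100-nanosecond intervals; Int64.MinValue means "until an administrator unlocks".
function Format-Interval([int64]$ticks) {
    if ($ticks -eq [int64]::MinValue) { return 'until admin unlocks' }
    return ('{0} min' -f [int](-$ticks / 600000000))
}

# What the DCs are enforcing right now: a base-scope search of the domain head.
function Get-EnforcedLockoutPolicy {
    $dnc = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $ds  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dnc")
    $ds.SearchScope = 'Base'
    $ds.Filter      = '(objectClass=*)'
    $r = $ds.FindOne()
    $threshold = [int]$r.Properties['lockoutthreshold'][0]
    New-Object PSObject -Property @{
        DomainDN          = $dnc
        LockoutThreshold  = $(if ($threshold -eq 0) { '0 (never locked out)' } else { $threshold })
        LockoutDuration   = Format-Interval ([int64]$r.Properties['lockoutduration'][0])
        ObservationWindow = Format-Interval ([int64]$r.Properties['lockoutobservationwindow'][0])
        GPLink            = [string]$r.Properties['gplink'][0]
    }
}

# What each GPO linked at the domain root asks for, read from its GptTmpl.inf.
function Get-DomainLinkedLockoutSettings([string]$gpLink) {
    $keys = 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'
    # gPLink holds one "[LDAP://<gpo dn>;<options>]" entry per linked GPO;
    # options bit 0 = link disabled, bit 1 = enforced.
    foreach ($m in [regex]::Matches($gpLink, '\[LDAP://([^;\]]+);(\d+)\]', 'IgnoreCase')) {
        $gpo   = [ADSI]"LDAP://$($m.Groups[1].Value)"
        $opts  = [int]$m.Groups[2].Value
        $inf   = Join-Path ([string]$gpo.gPCFileSysPath.Value) 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        $found = @{}
        if (Test-Path -LiteralPath $inf) {
            foreach ($line in Get-Content -LiteralPath $inf) {
                # e.g. "LockoutBadCount = 5"; durations are in minutes, -1 = until admin unlocks
                if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                    $found[$matches[1]] = [int]$matches[2]
                }
            }
        }
        $row = New-Object PSObject -Property @{
            GPO          = [string]$gpo.displayName.Value
            LinkDisabled = [bool]($opts -band 1)
            Enforced     = [bool]($opts -band 2)
        }
        foreach ($k in $keys) {
            # A key absent from the .inf is "Not Defined": the DC leaves the
            # matching domain attribute exactly as it is.
            $v = if ($found.ContainsKey($k)) { $found[$k] } else { 'Not Defined' }
            $row | Add-Member -MemberType NoteProperty -Name $k -Value $v
        }
        $row
    }
}

$enforced = Get-EnforcedLockoutPolicy
$enforced | Format-List DomainDN, LockoutThreshold, LockoutDuration, ObservationWindow
Get-DomainLinkedLockoutSettings $enforced.GPLink |
    Format-Table GPO, LinkDisabled, Enforced, LockoutBadCount, LockoutDuration, ResetLockoutCount -AutoSize
```

If the domain object still shows a non-zero LockoutThreshold while every domain-linked GPO reports LockoutBadCount as Not Defined, that is exactly the state described in the question. Define the threshold as 0 in a GPO linked at the domain root, run gpupdate on a domain controller (it is the DCs, not the workstations, that write these attributes), wait for the DC refresh interval, and run the script again; `net accounts /domain` is a quick cross-check that works on Server 2003 and shows "Lockout threshold: Never" once the value is 0.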
  • Hi Technologist35,

    Additionally, you can make a specific computer apply the Group Policy immediately; the GPUpdate utility has a number of switches. By default, GPUpdate updates both the computer and user portions of Group Policy. But I can control that by using the /target parameter. For example, if I only want to update the computer portion of the policy, I use /target:computer. To update the user portion, it is /target:user. The following command shows this technique.

    PS C:\> gpupdate /target:computer

    More information:

    Force a Domain-Wide Update of Group Policy with PowerShell

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/11/12/force-a-domain-wide-update-of-group-policy-with-powershell.aspx

    I’m glad to be of help to you!


    Wednesday, July 29, 2015 7:59 AM
    Moderator
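Since the symptom is accounts that keep showing up as locked, it helps to list which accounts are locked right now rather than which merely carry a lockoutTime. This is an added example, not code from the thread or from Microsoft: a DC clears lockoutTime only on the next successful logon or a manual unlock, so a bare LDAP filter on lockoutTime also returns accounts whose lockout already expired. It assumes a domain-joined machine, a domain user and PowerShell 2.0 or later, and uses ADSI only (no RSAT module, so it also works against a Server 2003 domain):

```powershell
# Added example, not from the thread: list accounts that are locked out *now*.
# lockoutTime is a FILETIME set when the threshold is hit; it stays set after
# the lockout duration elapses (cleared only by a successful logon or a manual
# unlock), so (lockoutTime>=1) alone over-reports. Assumes a domain-joined
# machine, a domain user, PowerShell 2.0+ and ADSI only.

function Get-LockedOutAccounts {
    $dnc  = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $root = [ADSI]"LDAP://$dnc"

    # Domain-wide lockout duration: negative 100-ns ticks, Int64.MinValue = forever.
    $ds = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.SearchScope = 'Base'
    $ds.Filter      = '(objectClass=*)'
    $duration = [int64]$ds.FindOne().Properties['lockoutduration'][0]
    $now = [DateTime]::UtcNow

    # Every user object that has ever been locked and not yet logged on again.
    $ds = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.Filter   = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    $ds.PageSize = 1000     # paged search, so more than 1000 hits come back
    $null = $ds.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'lockoutTime'))

    foreach ($r in $ds.FindAll()) {
        $lockedAt = [DateTime]::FromFileTimeUtc([int64]$r.Properties['lockouttime'][0])
        if ($duration -eq [int64]::MinValue) {
            $expires = $null                         # locked until an admin unlocks
            $active  = $true
        } else {
            $expires = $lockedAt.AddTicks(-$duration)    # .NET ticks are also 100 ns
            $active  = $now -lt $expires
        }
        New-Object PSObject -Property @{
            Account     = [string]$r.Properties['samaccountname'][0]
            DN          = [string]$r.Properties['distinguishedname'][0]
            LockedAtUtc = $lockedAt
            ExpiresUtc  = $expires
            StillLocked = $active
        }
    }
}

# Only the accounts a user would actually be unable to log on with right now.
Get-LockedOutAccounts | Where-Object { $_.StillLocked } |
    Format-Table Account, LockedAtUtc, ExpiresUtc, DN -AutoSize
```

Rows with StillLocked set to false are stale lockoutTime values and need no action. For an account that re-locks shortly after you unlock it, the Security log of the PDC emulator records each lockout (event ID 644 on Windows Server 2003, 4740 on later versions) together with the name of the computer the bad passwords came from, which is where to look for the stale credential or service that is triggering it.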

All replies

  • Thanks for the best-practice advice. However, changing GPO settings to Not Defined is the same as removing the entire GPO. I wonder how a blank GPO (without settings defined) could impact clients.

    Tuesday, August 25, 2015 11:53 AM
  • Thanks again. I've tried that one and the policy is still being enforced.

    Tuesday, August 25, 2015 11:55 AM
  • Thanks, but this information wasn't of much help to me since I have 15 years of IT experience. :-)

    Tuesday, August 25, 2015 11:56 AM