account threshold lockout is immediate

    Question

  • Windows Server 2008 r2

    I just implemented the account lockout threshold in GPO and after a few minutes, a couple of users called with the error "The referenced account is currently locked out and may not be logged on to".

    How does this lockout work if I only implemented it now? Does it take into consideration the history of failed logons before the threshold was implemented? Or did the user actually have that many failed logins in a short time?

    Tuesday, March 24, 2015 8:55 AM

Answers

  • Windows Server 2008 r2

    I just implemented the account lockout threshold in GPO and after a few minutes, a couple of users called with the error "The referenced account is currently locked out and may not be logged on to".

    How does this lockout work if I only implemented it now? Does it take into consideration the history of failed logons before the threshold was implemented? Or did the user actually have that many failed logins in a short time?

    That's more of a DS question, rather than a GP question (since it's DS which is judging the logon attempts), so it might be better to ask in the DS forum: https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS

    But I'd expect that "the user (or some other computer/phone/device where the user account logon was attempted) is the cause".

    Check your DC event logs. Maybe these users have multiple computers/devices in use, and it's been like that for some time, but they never noticed. That's fairly common, if you have users who aren't very good at logging off when they use multiple computers or RD sessions.

    (Stale) cached/stored passwords, scripts or batch jobs, automations/robots - these are all common causes for lockouts, particularly when you are only just introducing new account/password policies. (A lot of untidy practices are revealed ;)

    http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Tuesday, March 24, 2015 9:07 AM
    • Marked as answer by Reno Mardo Tuesday, March 24, 2015 12:53 PM
    Tuesday, March 24, 2015 9:05 AM

All replies

  • Usually this is related to the fact that some of the user devices or applications are trying to authenticate using an old password. Paul has a great article to troubleshoot account lockouts: https://dirteam.com/paul/2012/04/23/user-account-lockout-troubleshooting/

    Third party tools also help in auditing such events. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Tuesday, March 24, 2015 9:51 AM
  • I checked and a particular account keeps getting locked. What event should I look for in the DC event log for this (if any)?
    Tuesday, March 24, 2015 12:54 PM
  • It is described here how you can collect these events using EventCombMT: https://support.microsoft.com/en-us/kb/824209

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Tuesday, March 24, 2015 1:32 PM
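    As an added example (not code from any poster in this thread), here is a PowerShell snippet that pulls the lockout records the replies above point to straight from the DC event log, so you can see which computer the failed logons came from. It assumes the ActiveDirectory module (RSAT or a DC), rights to read the remote Security log, and that "Audit User Account Management" success auditing is on so that event 4740 ("A user account was locked out") is actually written; the account name is a placeholder.

    ```powershell
    # Added example: find which computer is locking out a given account.
    # Assumptions: ActiveDirectory module present, rights to read the PDC's Security log,
    # success auditing for "Audit User Account Management" enabled (needed for event 4740),
    # PowerShell 3.0 or later. 'jdoe' is a placeholder account name.
    param(
        [string]$SamAccountName = 'jdoe',   # placeholder: the account that keeps locking
        [int]$Hours = 24                    # how far back to search
    )

    Import-Module ActiveDirectory

    # Lockouts are processed on the PDC emulator, so query that DC specifically.
    # Querying another DC (or a workstation) often returns nothing at all.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740                         # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; treat that as "no lockouts in the window".
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "No 4740 events on $pdc in the last $Hours hours (check auditing settings)."
        return
    }

    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740, TargetDomainName holds the "Caller Computer Name",
            # i.e. the machine the bad passwords were sent from.
            CallerComputer = $data['TargetDomainName']
            ReportingDC    = $pdc
        }
    } |
        Where-Object { $_.Account -eq $SamAccountName } |
        Sort-Object Time -Descending |
        Format-Table -AutoSize
    ```

    The CallerComputer column is the machine to inspect for stale cached credentials, mapped drives, scheduled tasks or leftover RD sessions; an empty result when run from a non-PDC host is expected, not a sign that nothing happened.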
  • I used the Default Domain Policy for this. Maybe I should've used an OU for implementing this?
    Tuesday, March 24, 2015 2:14 PM
  • I checked and a particular account keeps getting locked. What event should I look for in the DC event log for this (if any)?

    I also have documented it here:


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, March 24, 2015 6:22 PM
  • I used the Default Domain Policy for this. Maybe I should've used an OU for implementing this?

    DDP is ok, or, you could create a new GPO and link it to the domain root.

    You can link a password policy to an OU, but it won't do what you want. (so, don't do it ;)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, March 24, 2015 8:11 PM
  • Account lockout policy should be configured cautiously. You can get some idea from the URL below of what can affect your situation.

    http://ravingroo.com/295/active-directory-account-lockout-policy-threshold-counter-strong-password/

    Regards,

    Biju Kurup

    Wednesday, March 25, 2015 7:42 AM
  • Thanks for the link.

    I tried the PowerShell script but it just returns empty. Tried on my workstation (where I usually run PowerShell) and also from the PDC.

    Wednesday, March 25, 2015 7:43 AM