Account Lockout Policies

    Question

  • I recently came across a problem in our environment where the account lockout policy was not applying to domain accounts. After reading up on some of the questions posted here on TechNet, I found that another administrator had created the original account lockout GPO and linked it to an OU, which apparently makes the policy apply in a way where it only affects local accounts.

    So I went back and unlinked the GPO and modified the account lockout policy in the Default Domain Policy; however, I am still finding that it is not applying to domain accounts. Have I missed something?

    Server 2008 R2 Enterprise

    Clients running Windows 7/Windows 8.1

    Account Lockout Specifies: 

    Duration 15 Minutes

    Threshold 5 Invalid attempts

    Reset Lockout Counter 15 Minutes

    Thanks!

    Wednesday, February 18, 2015 3:09 PM

Answers

  • Hi Will,

    >>So I went back and unlinked the gpo and modified the account lockout policy in Default Domain Policy however I am still finding that it is not applying to domain accounts.

    Based on the description, please make sure that the policy settings are not configured in another domain-scope GPO which has higher precedence than the Default Domain Policy. Here, on a computer in question, please run the command gpresult /h report.html with administrative privileges to collect the Group Policy result and check which GPO wins this policy setting. Besides, please check that Block Inheritance is not enabled on the OU where the computer accounts reside.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 20, 2015 2:59 AM
    Moderator
  • Is the DDP correctly linked to the domain root level?

    Are your Domain Controller computers correctly placed in the Domain Controllers OU ?

    Is the Default Domain Controllers Policy (DDCP) correctly linked to the DCs OU ?

    Is there any inheritance blocking going on in your OUs ?

    Check that the DDP and DDCP have the correct/default/builtin GUIDs (in case somebody has renamed or deleted/recreated those).

    (They won't work correctly if they've just been recreated by hand using the same names.)

    Check the precedence (processing order) on an OU where a client computer account resides.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, February 22, 2015 9:31 AM
  • > blocked inheritance to the Domain Controllers OU could it be that
    > because the domain controllers do not get this setting they will not
    > lock out domain users on the client side?
     
    Yes. The PDC emulator is the only computer in the domain that will apply
    account policies linked to the domain. And if it doesn't receive domain
    policies, it cannot :)
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 5:37 PM

All replies

  • Hi Will,

    >>So I went back and unlinked the gpo and modified the account lockout policy in Default Domain Policy however I am still finding that it is not applying to domain accounts.

    Based on the description, please make sure that the policy settings are not configured in another domain-scope GPO which has higher precedence than the Default Domain Policy. Here, on a computer in question, please run the command gpresult /h report.html with administrative privileges to collect the Group Policy result and check which GPO wins this policy setting. Besides, please check that Block Inheritance is not enabled on the OU where the computer accounts reside.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 20, 2015 2:59 AM
    Moderator
  • So I ran gpresult /h and the results came back that the policy is applying from the Default Domain Policy, shown below.

    Computer Configuration

    Account Policies/Account Lockout Policy
    Policy                                Setting                    Winning GPO
    Account lockout duration              15 minutes                 Default Domain Policy
    Account lockout threshold             5 invalid logon attempts   Default Domain Policy
    Reset account lockout counter after   15 minutes                 Default Domain Policy

    However when I test to see if it applied or not by attempting to lock out a domain account it will not lock the account out but it will lock the local account out.

    I looked through the entire report and cannot see anything that would supersede the default domain policy. 

    Any Ideas?

    Friday, February 20, 2015 5:09 PM
  • Is the DDP correctly linked to the domain root level?

    Are your Domain Controller computers correctly placed in the Domain Controllers OU ?

    Is the Default Domain Controllers Policy (DDCP) correctly linked to the DCs OU ?

    Is there any inheritance blocking going on in your OUs ?

    Check that the DDP and DDCP have the correct/default/builtin GUIDs (in case somebody has renamed or deleted/recreated those).

    (They won't work correctly if they've just been recreated by hand using the same names.)

    Check the precedence (processing order) on an OU where a client computer account resides.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, February 22, 2015 9:31 AM
  • In the domain we have an admin-created OU for Users, Computers and Servers. We have the default-created DDP linked at the site level and the DDCP on the Domain Controllers OU; we block inheritance to the Servers OU and the Default Domain Controllers OU.

    I did find that the DDP has a precedence of 17 on the OU where the computer account is located. However, I was thinking that it may have something to do with how one of the admins blocked inheritance to the Domain Controllers OU. Could it be that, because the domain controllers do not get this setting, they will not lock out domain users on the client side?

    Thanks,

    Monday, February 23, 2015 3:55 PM
  • > blocked inheritance to the Domain Controllers OU could it be that
    > because the domain controllers do not get this setting they will not
    > lock out domain users on the client side?
     
    Yes. The PDC emulator is the only computer in the domain that will apply
    account policies linked to the domain. And if it doesn't receive domain
    policies, it cannot :)
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 5:37 PM
  • Thank you all for your help! As soon as I clicked enforced on the DDP and ran gpupdate the account was locking out after 5 attempts.


    Monday, February 23, 2015 8:57 PM
  • > Thank you all for your help! As soon as I clicked enforced on the DDP
    > and ran gpupdate the account was locking out after 5 attempts.
     
    I strongly recommend avoiding "Enforce" and "Block Inheritance". Neither
    should be required in a usual environment, even in a big one.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, February 24, 2015 10:01 AM
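The checks Frank (gpresult), Don (links, built-in GUIDs, blocked inheritance) and Martin (only the PDC emulator applies domain-linked account policy) describe can be scripted so that the result is read from the machine that matters, the PDC emulator, rather than from the client Will tested on. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it runs with domain admin rights; the two well-known GPO GUIDs are Microsoft's documented values, and the lockout setting names it looks for in the XML report (LockoutBadCount, LockoutDuration, ResetLockoutCount) are an assumption taken from the GptTmpl.inf [System Access] names.

```powershell
# Added example, not code from the thread. Automates the checks Frank, Don and
# Martin describe. Run as a domain admin on a DC or on a machine with the RSAT
# ActiveDirectory and GroupPolicy modules installed.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy     -ErrorAction Stop

# Well-known GUIDs of the two built-in GPOs; a GPO that was deleted and recreated
# under the same name gets a fresh, different GUID (Don's point).
$DdpGuid  = '31B2F340-016D-11D2-945F-00C04FB984F9'   # Default Domain Policy
$DdcpGuid = '6AC1786C-016F-11D2-945F-00C04FB984F9'   # Default Domain Controllers Policy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$pdc      = $domain.PDCEmulator                      # FQDN of the PDC emulator

# 1. Do the built-in GPOs still carry their built-in GUIDs?
foreach ($pair in @(@('Default Domain Policy', $DdpGuid),
                    @('Default Domain Controllers Policy', $DdcpGuid))) {
    $gpo = Get-GPO -Name $pair[0] -ErrorAction SilentlyContinue
    if (-not $gpo) { "MISSING GPO: $($pair[0])"; continue }
    $state = if ($gpo.Id.ToString() -ieq $pair[1]) { 'OK' } else { 'NOT the built-in GUID (recreated?)' }
    "{0}: {1} -> {2}" -f $pair[0], $gpo.Id, $state
}

# 2. Links at the domain root, in precedence order (the DDP must be linked and enabled).
$root = Get-GPInheritance -Target $domainDN
"Domain root BlockInheritance={0}" -f $root.GpoInheritanceBlocked
foreach ($link in $root.GpoLinks) {
    "  link {0}: {1} enabled={2} enforced={3}" -f $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced
}

# 3. Does the DDP actually reach the PDC emulator? Check the Domain Controllers OU
#    and the OU the PDC's computer object really sits in.
$pdcName = $pdc.Split('.')[0]
$pdcDN   = (Get-ADComputer -Identity $pdcName).DistinguishedName
$pdcOu   = $pdcDN -replace '^CN=[^,]+,', ''
foreach ($ou in @("OU=Domain Controllers,$domainDN", $pdcOu) | Select-Object -Unique) {
    $inh = Get-GPInheritance -Target $ou
    $ddpReaches = [bool]($inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq 'Default Domain Policy' })
    "{0}: BlockInheritance={1} DDP reaches this OU={2}" -f $ou, $inh.GpoInheritanceBlocked, $ddpReaches
}

# 4. Compare what the DDP configures with what the domain actually enforces.
#    Domain accounts are locked out according to the domain head's lockout
#    attributes, which the PDC emulator writes from the domain-linked GPOs.
$eff = Get-ADDefaultDomainPasswordPolicy
"Enforced on domain accounts: threshold={0} duration={1} window={2}" -f `
    $eff.LockoutThreshold, $eff.LockoutDuration, $eff.LockoutObservationWindow

# Assumption: the XML report names the lockout settings LockoutBadCount,
# LockoutDuration and ResetLockoutCount (the GptTmpl.inf [System Access] names).
[xml]$report = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
$configured = @{}
foreach ($acct in $report.SelectNodes("//*[local-name()='Account']")) {
    $name  = $acct.SelectSingleNode("*[local-name()='Name']").InnerText
    $value = $acct.SelectSingleNode("*[local-name()='SettingNumber']").InnerText
    if ($name -and $value) { $configured[$name] = [int]$value }
}
if ($configured.ContainsKey('LockoutBadCount')) {
    "Configured in DDP: threshold={0} duration={1}min window={2}min" -f `
        $configured['LockoutBadCount'], $configured['LockoutDuration'], $configured['ResetLockoutCount']
    if ($configured['LockoutBadCount'] -ne $eff.LockoutThreshold) {
        "MISMATCH: the PDC emulator ($pdc) is not applying the DDP; re-check steps 2 and 3."
    }
} else {
    "DDP report contains no lockout settings; the policy is defined elsewhere or not at all."
}

# 5. Frank's gpresult, but targeted at the machine that matters: the PDC emulator.
$out = Join-Path $env:TEMP 'pdc-gpresult.html'
Get-GPResultantSetOfPolicy -Computer $pdc -ReportType Html -Path $out | Out-Null
"RSoP report for $pdc written to $out"
```

A client-side gpresult showing the DDP as the winning GPO, as in Will's report, only proves the client received the setting; it is step 4 that shows whether the domain itself enforces it. When the thresholds differ, the cause is almost always one of the items from steps 1 to 3 (a blocked-inheritance OU in front of the PDC, a recreated GPO, or a missing or disabled link), which can be fixed at the source without resorting to Enforce, as Martin advises.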