workstation not getting locked

    Question

  • Windows Server 2008 R2

    I have in my GPO a setting for an account lockout policy of 5 invalid logon attempts. We tried it, but it's not working: the AD account is not getting locked. Now I saw in this link https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx

    that I should enable "Interactive logon: Require Domain Controller authentication to unlock workstation", but if I do that, it prevents our laptop users from using their cached credentials when they are off site.

    BTW, I read that

    Note: Bad logon attempts to a workstation against a password-protected screen saver do not increase the lockout threshold. Similarly, if a server or workstation is locked using Ctrl+Alt+Delete, bad logon attempts against the Unlock dialog box do not count.

    from https://technet.microsoft.com/en-us/library/dd277400.aspx

    But this is exactly the scenario for which we're implementing account lockouts, so what really should be the correct way?

    Is there another way to lock out accounts after invalid logon attempts without losing cached credentials?


    • Edited by Reno Mardo Tuesday, November 29, 2016 9:16 AM
    Tuesday, November 29, 2016 9:06 AM
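The following PowerShell script is an added verification aid, not code from the original thread or from Microsoft. It reports the three things the question turns on: the effective domain lockout policy (threshold, duration, observation window), whether the "Interactive logon: Require Domain Controller authentication to unlock workstation" setting is in force on the machine it runs on (the policy writes the Winlogon registry value ForceUnlockLogon, 1 = enabled; with it enabled, unlock attempts are sent to a DC and count toward the threshold, which is also why offline laptop users lose cached-credential unlock), and which accounts a DC has actually locked out recently (Security event 4740). It assumes the ActiveDirectory RSAT module is installed, that the script runs with rights to read a DC's Security log, and that `$DomainController` is replaced with a real DC name; the default value is a placeholder.

```powershell
# Added example (not from the original thread). Audits lockout configuration
# and evidence so you can tell whether failed unlock attempts are ever
# reaching a DC. Assumptions: ActiveDirectory module present, admin rights,
# and a reachable DC name supplied below (the default is a placeholder).
param(
    [string]$DomainController = 'DC01.example.local',   # placeholder; replace with a real DC
    [int]$Hours = 24                                     # how far back to look for 4740 events
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Effective domain-wide lockout policy (what the GPO should have produced).
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutDuration          = $policy.LockoutDuration
    LockoutObservationWindow = $policy.LockoutObservationWindow
} | Format-List

if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: account lockout is effectively disabled at the domain level.'
}

# 2. Local state of "Interactive logon: Require Domain Controller authentication
#    to unlock workstation". The policy writes Winlogon\ForceUnlockLogon (1 = enabled).
#    Disabled/absent means unlock attempts are validated against cached credentials
#    and therefore never increment the DC-side bad-password count.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$force = (Get-ItemProperty -Path $winlogon -Name ForceUnlockLogon -ErrorAction SilentlyContinue).ForceUnlockLogon
$state = if ($null -eq $force) { 'not set (behaves as 0 = disabled)' } else { $force }
"ForceUnlockLogon on $env:COMPUTERNAME = $state"

# 3. Evidence: accounts the DC locked out in the last $Hours hours (event 4740).
#    Fields are read by name from the event XML rather than by positional index.
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # 4740 stores the originating computer here
        }
    } | Format-Table -AutoSize

# 4. Accounts currently flagged as locked out in AD, for cross-checking against step 3.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```

Run it once on a domain-joined workstation (steps 2 and 4 are the useful ones there) and once on or against a DC. If step 1 shows a non-zero threshold, step 2 shows ForceUnlockLogon absent or 0, and step 3 returns nothing after a deliberate test of bad unlock attempts, the observed behaviour matches the TechNet note quoted above: the failed attempts are being absorbed locally and never reach the DC.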

All replies