WS2012R2 Domain Controller Security Compliance 1.0 RRS feed

  • Question

  • Hi, Im having some trouble with getting my Windows 2012R2 domain controllers compliant with the WS2012R2 Domain Controller Security Compliance 1.0 baseline.

    The part that isnt detected properly is the Account lockout threshold, my DC's do have this setting correctly on 10 through group policy, but the WMI query in the CI reports an empty value:

    WScript.Echo CheckRange("root\rsop\computer", "RSOP_SecuritySettingNumeric", "Setting", "KeyName='LockoutBadCount' And precedence=1", "10")

    When I check WMI there is indeed nothing there. On normal member servers there is however.

    Also, net accounts shows:

    C:\Temp>net accounts
    Force user logoff how long after time expires?:       Never
    Minimum password age (days):                          1
    Maximum password age (days):                          90
    Minimum password length:                              8
    Length of password history maintained:                24
    Lockout threshold:                                    10
    Lockout duration (minutes):                           15
    Lockout observation window (minutes):                 15
    Computer role:                                        BACKUP
    The command completed successfully.

    Anyone have any ideas?


    Friday, July 3, 2015 5:41 AM