Account lockout policy

    Question

  • Hello,

    I configured an account lockout policy in the Default Domain Policy:

    
    Policy                                 Setting
    Account lockout duration               5 minutes
    Account lockout threshold              3 invalid logon attempts
    Reset account lockout counter after    5 minutes

    After gpupdate /force on more than 3 computers and restarts, the users still didn't get locked out after many attempts.

    When I run RSoP on the computers I see that the right parameters show up,

    and when I run gpresult I see that GPO.

    My domain is Server 2008 R2 SP1.

    My domain functional level is Windows Server 2008 R2.

    My forest functional level is Windows Server 2003.

    My clients are Win7 Pro SP1.

    What more can I do to resolve this problem?

    Thanks,

    nir

    Thursday, December 03, 2015 4:31 PM

All replies

  • Do you have a block on the Domain Controllers OU? Is the Default Domain Policy enforced or not?

    Make sure the Default Domain Policy applies to your Domain Controllers.

    Thursday, December 03, 2015 5:41 PM
  • Yes, I have block inheritance on my Domain Controllers OU.

    Why is it necessary that the Domain Controllers OU includes the Default Domain Policy?

    Thursday, December 03, 2015 5:53 PM
  • The password policies for domain users are controlled by the DCs. The password policies you see hitting the clients will affect local machine accounts.

    https://technet.microsoft.com/en-us/library/cc748850(v=ws.10).aspx

    So you will need to decide if you want to remove the block on the OU or enforce the Default Domain Policy.

    Thursday, December 03, 2015 5:59 PM
  • Can I just link the Default Domain Policy to the Domain Controllers OU?
    Thursday, December 03, 2015 6:07 PM
  • For account policies, they must be linked to the domain root according to the document.

    Hopefully this shows why blocks are a bad idea unless absolutely necessary; they make management complex. But some places have them for valid reasons.

    Maybe look into Fine-Grained Password Policies. They need certain prerequisites.

    https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Thursday, December 03, 2015 6:22 PM
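    The reply above suggests Fine-Grained Password Policies as an alternative. Before going that route it is worth checking whether one already applies to the account being tested, because a resultant FGPP silently overrides the lockout values in the Default Domain Policy. The following PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and a hypothetical test account `nir.test`.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and a hypothetical test account 'nir.test' used for the bad-password attempts.
Import-Module ActiveDirectory

$user = 'nir.test'   # hypothetical: replace with the account you are testing with

# Fine-grained password policies defined in the domain. Creating or listing them
# needs a domain functional level of Windows Server 2008 or later, which this
# domain (2008 R2) meets.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow -AutoSize

# The policy that actually wins for this user. An empty result means no FGPP
# applies and the attributes on the domain object (fed by the root-linked
# Default Domain Policy) are what the DCs enforce for this account.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    "FGPP '{0}' applies to {1}:" -f $effective.Name, $user
    $effective | Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow
} else {
    "No FGPP applies to {0}; the domain-wide policy is in force:" -f $user
    Get-ADDefaultDomainPasswordPolicy |
        Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow
}
```

    A `LockoutThreshold` of 0 in whichever policy wins means "never lock out", regardless of what the GPO editor shows on the clients.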
  • I linked the Default Domain Policy to the Domain Controllers OU and the user accounts still don't get locked out.

    I see in the Event Viewer, in the Security log on the DC, that the user is typing a bad password.

    Thursday, December 03, 2015 8:12 PM
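    The post above reports bad-password events on the DC without a lockout. The two things to correlate are the per-DC `badPwdCount` of the account and the Security log of the PDC emulator, since the bad-password counter is not replicated and every DC forwards its failures to the PDC emulator. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, read access to the DCs' Security logs, and the hypothetical test account `nir.test`.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# rights to read the Security log on the DCs, and a hypothetical test account
# 'nir.test' used for the deliberate bad-password attempts.
Import-Module ActiveDirectory

$user   = 'nir.test'   # hypothetical
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# badPwdCount is NOT replicated. Each DC keeps its own counter for the failures
# it handled and forwards each failure to the PDC emulator, so the PDC's counter
# is the one that reaches the threshold first and the place to look.
$rows = foreach ($dc in (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })) {
    $u = Get-ADUser -Identity $user -Server $dc -Properties badPwdCount, LockedOut, LastBadPasswordAttempt
    New-Object PSObject -Property @{
        DC          = $dc
        IsPDC       = ($dc -eq $pdc)
        BadPwdCount = $u.badPwdCount
        LockedOut   = $u.LockedOut
        LastBad     = $u.LastBadPasswordAttempt
    }
}
$rows | Format-Table DC, IsPDC, BadPwdCount, LockedOut, LastBad -AutoSize

# Bad-password and lockout events on the PDC emulator for the last hour.
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation
# failed, 4740 = account locked out. The first two require account logon
# auditing to be enabled on the DC, which this thread says is already the case.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since } |
    Where-Object { $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

    Two outcomes tell you where the problem is. If 4771/4776 events keep landing but `BadPwdCount` never climbs on any DC, the failures are not being counted against the threshold; one known cause is that a logon attempt using one of the account's two previous passwords does not increment the counter, so a deliberate test should use a password that was never set on the account. If the count climbs past 3 on the PDC emulator without a 4740 event, the lockout threshold the DCs hold on the domain object is still 0, and the GPO setting has not reached them.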
  • Hi niro_007,

    Thanks for your post.

    The account policy needs to be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain.

    https://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx

    >i linked the default domain policy to the ou of the domain controller

    You linked it to the Domain Controllers OU? If so, you may need to set it under the root domain, not under the Domain Controllers OU.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 04, 2015 9:09 AM
    Moderator
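    Both the reply that first pointed at the block on the Domain Controllers OU and the moderator's reply above say the same thing: the account policy is read by the domain controllers from the GPO linked at the domain root, and a "Block Inheritance" on the Domain Controllers OU stops that link unless it is enforced. The PowerShell below is an added example, not code from the thread; it checks the links at both levels and then reads what the directory actually holds. It assumes the RSAT GroupPolicy and ActiveDirectory modules (available on Windows 7 SP1 / Server 2008 R2) and that the GPO is still named `Default Domain Policy`.

```powershell
# Added example (not from the thread). Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and that the GPO is still named 'Default Domain Policy'.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$dcOu     = "OU=Domain Controllers,$domainDn"
$gpoName  = 'Default Domain Policy'

# Links at the domain root. A link that is not Enforced is dropped by
# 'Block Inheritance' on a child OU; an Enforced link always wins through.
$root = Get-GPInheritance -Target $domainDn
"Links of '$gpoName' at the domain root:"
$root.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# The Domain Controllers OU: is inheritance blocked, and does the GPO still
# reach the DCs, either as an inherited enforced link or as a direct link?
# InheritedGpoLinks lists everything in effect for the target, in precedence order.
$dc = Get-GPInheritance -Target $dcOu
"Block Inheritance on the Domain Controllers OU: $($dc.GpoInheritanceBlocked)"
$dc.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $gpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order, Target -AutoSize

# What actually ended up in the directory. The DC holding the PDC emulator role
# writes the account policy of the root-linked GPO onto the domain object, and
# these attributes, not the RSoP values on a client, are what the DCs enforce.
"Account lockout attributes on the domain object:"
Get-ADDefaultDomainPasswordPolicy |
    Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

    If the root link shows `Enforced = False` and the OU shows `GpoInheritanceBlocked = True`, the last section will typically still show `LockoutThreshold = 0`. After enforcing the root link (or removing the block), run `gpupdate /force` on the DC that holds the PDC emulator role and re-run the last check; the domain object should then show the threshold of 3 and the two 5-minute windows from the original post.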
  • Hi Mary Dong,

    I defined the account policy in the Default Domain Policy, and the Default Domain Policy is linked to the root domain.

    Because there are many other policies that link to the root domain, I defined block inheritance on the Domain Controllers OU but additionally linked the Default Domain Policy to the Domain Controllers OU.

    So the Default Domain Policy is under the root domain and also linked to the Domain Controllers OU.

    Still the users don't get locked out after many bad passwords.


    Friday, December 04, 2015 3:34 PM