none
Problem with Group Policy - account lockout RRS feed

  • שאלה

  • Hello, i have a problem with Active Directory, i have 2 servers(windows 2016 and windows 2008) with active directory(replication) and few others servers. I have setup(in Group Policy Management) account lockout after 10 invalid logon attempts, and for testing, lockout duration 1 min. (my policy is forced and first piority)

    Now, if I enter the wrong password 3 times, AD blocks me, but does not unblock after a minute(im waiting few minutes).

    Where do i have to change something, to block after 10 mistakes, and unlock after a set time? 

    The LockoutStatus tool, say im locked after 3 bad pwd count.In resultant set of policy is old set-up with 5 invalid logon attempts, and 30min duration.(after 30 min still not unblocking me)



    • נערך על-ידי Piotr Akte יום חמישי 18 יולי 2019 11:36
    יום חמישי 18 יולי 2019 11:35

כל התגובות

  • Hi,

    please take a look at the screenshot i attached. unfortunately i only have a german-languaged System, but that should be not problem to solve this case.

    Go to (1): Account Lockout Threshold

    Enter value of time.

    Go to (2): Account Lockout Duration

    Enter a value of x-minutes

    יום חמישי 18 יולי 2019 13:52
  • my policy is forced and first piority

    And where is it linked and what's in its security filter? Account policies affecting Domain accounts MUST be linked at the domain itself, and the PDCe emulator MUST apply them. The PDCe is the only computer in the domain that applies account policies to domain accounts.

    Greetings/Grüße, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Mal ein gutes Buch über GPOs lesen? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    יום חמישי 18 יולי 2019 14:28
  • I did it already, here i have 1 minute, 10 Times, 1 minute (i cant send screenshoot because im new here) 
    • סומן כתשובה על-ידי Piotr Akte יום שני 22 יולי 2019 07:41
    • סימון כתשובה בוטל על-ידי Piotr Akte יום שני 22 יולי 2019 07:41
    יום שישי 19 יולי 2019 14:55
  • Its linked under the domain. In security filters are domain users. The interesting thing is that it locks the user after 3 bad Password, it is set to 10, and in resultant set of Policy is 5
    יום שישי 19 יולי 2019 15:00
  • still not work

    יום שני 22 יולי 2019 07:44
  • יום שני 22 יולי 2019 07:45
  • Hi,
    1.>>Its linked under the domain. In security filters are domain users.

    Password policy is defined under Computer configuration, and applies to domain computers.

    2.>>The interesting thing is that it locks the user after 3 bad Password, it is set to 10, and in resultant set of Policy is 5.

    I will suggest you collect group policy result on PDC to find out which GPO was set account lockout threshold as 5.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    יום שני 22 יולי 2019 09:31
    מנחה דיון
  • Its linked under the domain. In security filters are domain users.
    Domain Users does NOT work. Domain Controllers are not members of Domain Users...

    Greetings/Grüße, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Mal ein gutes Buch über GPOs lesen? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    יום שני 22 יולי 2019 10:31
  • my account policy is set well, and still blocking me after 3 times...

    and don't unblock



    • נערך על-ידי Piotr Akte יום שלישי 23 יולי 2019 08:15
    יום שלישי 23 יולי 2019 07:44
  • Hi,
    Sorry for the delayed reply.
    Does the issue still existed?
    If the issue resolved, it would appericate you could share your experience in our forum.
    If the issue still existed, my suggestion is contact local support resource for on-site troubleshooting.


    Have a nice day.

    Best Regards,
    William

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    יום שני 29 יולי 2019 09:55