Account lockout threshold problem

  • Question

  • Dear All

    I have configured the account lockout threshold policy so that if a user tries to log in with the wrong password twice, his account is locked until an administrator unlocks it.

    The policy works fine: when a user attempts to log in twice with a wrong password, it locks the account, but as soon as the PC is locked and the user enters the actual password, it logs in, but the user is unable to access shared resources like printers, forms or shared files.

    Now, when the user logs off and logs back in, a pop-up message shows that the account is locked out. I also want that message to appear when the user provides the actual password after two wrong password attempts.

    Any help please.

    Screenshot given below.


    Zeeshan Ibrahim Network Administrator

    Thursday, December 19, 2013 10:57 AM

Answers

  • If they lock out their account and they locked it out on DC3, then that will get sent to the PDCe, and if they try to log in again using a DC that is not in the same site as DC3 or the PDCe, then the lockout hasn't replicated yet.

    After they log in to their computer after 2 bad attempts, from the command prompt run "SET L" without the quotes to see which DC the user is logging into. If they log into a DC that is not in the site where they locked their account out, or the site where the PDCe is, then this could be your problem.

    You can use the Account Lockout Tools from MS to search the DCs to see where the account is locked out.





    Friday, December 20, 2013 5:35 PM
  • Hi Zeeshan Ibrahim,

    If the Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration. And as Kelly Bush said, each bad password attempt is forwarded from the logon DC to the PDC.

    We can enable the audit policies below on each DC and then gather the audit events from the PDC. From the audit events on the PDC, determine which clients or DCs sent the failed authentication requests.

    1. Edit "Default Domain Controllers Policy" and expand to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
    2. Enable the policies below:
      • Audit Account Logon Events – Failure
      • Audit Account Management – Success and Failure
      • Audit Logon Events – Failure

    Regards,

    Lany Zhang

    Saturday, December 21, 2013 9:32 AM
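The two checks the answers above describe (asking each DC where the lockout and bad-password count were recorded, then reading the 4771/4740 events the DCs forward to the PDC emulator) can be done from one script. This is an added example written for this page, not code from the thread or from Microsoft's Account Lockout Tools; it assumes the RSAT ActiveDirectory module, read access to the PDCe Security log, and a placeholder `$SamAccountName` parameter.

```powershell
# Added example (not code from the thread): query every DC for a user's lockout
# state, then pull the 4771/4740 events from the PDC emulator to see which client
# or DC sent the bad-password attempts. Assumes the RSAT ActiveDirectory module and
# read access to the PDCe Security log. $SamAccountName is a placeholder parameter.
param([Parameter(Mandatory)][string]$SamAccountName)
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator

# 1. badPwdCount is kept per DC and is not replicated, and lockoutTime reaches
#    other sites only after replication, so each DC must be asked separately
#    (this is what LockoutStatus.exe from the Account Lockout Tools does).
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, lockoutTime, badPasswordTime, LockedOut
        $lockTime = if ($u.lockoutTime)     { [datetime]::FromFileTime($u.lockoutTime) }
        $lastBad  = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) }
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            IsPDCe      = ($dc.HostName -eq $pdce)
            BadPwdCount = $u.badPwdCount
            LockedOut   = $u.LockedOut
            LockoutTime = $lockTime
            LastBadPwd  = $lastBad
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
$report | Format-Table -AutoSize

# 2. Every DC forwards bad-password attempts to the PDCe, so its Security log holds
#    4771 (Kerberos pre-authentication failed, e.g. wrong password) with the
#    "Client Address", and 4740 (account locked out) with the "Caller Computer Name".
#    Both need the Account Logon / Account Management failure auditing from the thread.
Get-WinEvent -ComputerName $pdce -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4771; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($SamAccountName))" } |
    Select-Object TimeCreated, Id, @{ n = 'Source'; e = {
        ($_.Message -split "`r?`n" |
            Where-Object { $_ -match 'Client Address|Caller Computer Name' }) -join '; '
    } } |
    Format-Table -AutoSize
```

A DC that shows BadPwdCount at the threshold but LockedOut false, while another DC in a different site already shows LockedOut true, is the replication gap Kelly Bush describes.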

All replies

  • Please take a look at this. 

    Reset account lockout counter after

    If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.



    • Proposed as answer by Kelly Bush Friday, December 27, 2013 3:42 PM
    Thursday, December 19, 2013 5:29 PM
  • Dear Kelly, thanks for your response.

    But unfortunately this did not help me, as I configured the lockout duration to 0 because only an administrator should be able to unlock the PC. Then, according to your reply:

    "If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration."

    But when I put 0 in the reset time, which is equal to the lockout duration, the GPO doesn't allow me to do that. Any other idea please?


    Zeeshan Ibrahim Network Administrator

    Friday, December 20, 2013 11:05 AM
  • If the user successfully puts in their username and password straight after the second logon attempt, it is possible their account hasn't yet been locked, or the change hasn't replicated to all DCs, so the user might be able to log in.

    However, once the DCs show the account as locked, their account would stop being able to access network-based resources, or they would be prompted for a password.


    Regards,

    Denis Cooper

    MCITP EA - MCT


    Friday, December 20, 2013 11:19 AM
  • Dear Denis

    Yes, all users in the DCs are able to log in after 2 wrong attempts but are unable to use network resources, which means the user has been locked out, and it happens only once. When a user logs off, the GPO does not allow him/her to log back in.

    I also want to refuse the login attempt when the user puts in the actual password after 2 wrong attempts.


    Zeeshan Ibrahim Network Administrator

    Friday, December 20, 2013 11:30 AM
  • It sounds like your DC isn't locking the account quickly enough. As a test, put the wrong password in twice on a client computer, then wait 5 minutes, and then try again with the right password and see if it lets you log in.

    Regards,

    Denis Cooper

    MCITP EA - MCT


    Friday, December 20, 2013 11:43 AM
  • Dear Denis

    I tried that by waiting 10 minutes but no luck. I have Windows XP SP2/SP3 on the client side. Can it be a compatibility issue of these clients with Server 2008 R2 domain controllers?


    Zeeshan Ibrahim Network Administrator

    Friday, December 20, 2013 11:49 AM
  • Dear Lany

    Logon failure logs, i.e. Event ID 4771, are already being logged by the PDC. But I will try your mentioned settings to make the account threshold value less than or equal to the lockout duration and will let you know the results.

    Thanks


    Zeeshan Ibrahim Network Administrator

    Monday, December 23, 2013 4:52 AM