Account Lockout Policy

  • Question

  • Hi,

    Problems with the Default Domain Policy - Account Lockout Policy

    Active Directory 2008 R2 (domain/forest functional level 2008 R2)
    No Fine Grained Password Policies in AD.

    We have a 'Default Domain Policy' with the following settings
    - Account lockout duration: Not defined
    - Account lockout threshold: Not defined
    - Reset account lockout counter after: Not defined

    If I logon to a test PC (Win 7) joined to the domain and check the 'Local Security Policy' the following values are shown.
    - Account lockout duration: Not Applicable
    - Account lockout threshold: 0 invalid logon attempts
    - Reset account lockout counter after: Not Applicable

    If I then lock the PC and enter a bad password, I will be locked out after 5 tries.

    How come there is a lockout hitting the user after 5 bad passwords even though there is nothing specified in the Default Domain Policy - Account Lockout Policy?

    And the account seems to be unlocked automatically after around 15 minutes.
    Checked in 'Account Lockout Status' (Not Locked - Auto Unlocked)

    Any help appreciated

    Friday, September 27, 2013 1:35 PM

Answers

  • Hi,

    I suggest we could try to collect the following information to narrow down the cause of the issue.

    GPMC.log

    ==================

    a. On the domain controller, click Start -> Run, type GPMC.MSC, and it will load the GPMC console.

    b. Right click on "Group Policy Results" and choose the wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose the computer and select the proper user in the wizard.)

    c. Right click the resulting group policy result and click "Save Report…" to save the report to an HTML file.

    Once we get the report, please check if the settings have been applied to the target correctly.

    For details about troubleshooting account lockout issues, please refer to the articles below.

    Troubleshooting Account Lockout

    http://technet.microsoft.com/en-us/library/cc773155(v=ws.10)

    Maintaining and Monitoring Account Lockout

    http://technet.microsoft.com/en-us/library/cc776964.aspx

    User Account Lockout Troubleshooting

    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx

    In addition, as Marcin suggested, we could also try to restore security settings to a known working state to see if the issue could be resolved.

    Hope this helps

    Best regards

    Michael

    • Proposed as answer by Michael_LS Tuesday, October 8, 2013 1:38 AM
    • Edited by Michael_LS Wednesday, October 9, 2013 3:32 AM
    • Marked as answer by Michael_LS Wednesday, October 9, 2013 3:35 AM
    Monday, September 30, 2013 3:32 PM
  • This is the relevant section.

    Are you seeing the same behavior on other computers?

    If so, I'd suggest setting lockout settings in your DDP to the desired values to verify that they actually take effect.

    If this is the only client that exhibits this behavior, try http://support.microsoft.com/kb/313222

    hth
    Marcin

    • Proposed as answer by Michael_LS Tuesday, October 8, 2013 1:38 AM
    • Marked as answer by Michael_LS Wednesday, October 9, 2013 3:35 AM
    Friday, September 27, 2013 2:28 PM

All replies

  • Do you have any other GPO linked to the domain with these settings defined (it would need to have higher priority than DDP)?

    Post the output of gpresult /scope computer /z

    hth
    Marcin

    Friday, September 27, 2013 1:56 PM
  • I don't think there is... below is the Account Policies section.
    If it would be needed, could I send the output to you? It's 1693 lines.

    Searching the entire output from 'gpresult /scope computer /z' for 'lockout' gives nothing.
    Searching for 'Account' doesn't show anything related to 'Lockout'.

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  90

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  12

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  7

            Audit Policy
            ------------

    Friday, September 27, 2013 2:20 PM
  • A late response

    I configured the DDP and the settings showed up on the clients!
    Thanks for the help.

    After some social investigation it seems like there has been a Lockout policy specified but later removed in this Active Directory.

    So my conclusion is that if you have a Lockout policy and then uncheck it... it will still be active even if you don't see the values on the clients.

    Wednesday, October 30, 2013 8:21 PM
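The two checks the thread circles around, Marcin's question about other domain-linked GPOs defining lockout settings and the OP's finding that a lockout policy set earlier and then returned to "Not Defined" stays in force, can both be answered from a domain controller. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the lockout attributes the DCs actually enforce from the domain object, then lists every GPO linked at the domain root with whatever lockout entries its XML report contains. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the caller can read the domain and its GPOs, and that the GPO XML report stores account policies as Account elements with Name and SettingNumber children (that layout is recalled from memory, not taken from the thread).

```powershell
# Added example (not code from the thread): show where the domain's effective
# lockout policy actually lives and which domain-linked GPOs define lockout
# settings. Assumes the RSAT ActiveDirectory and GroupPolicy modules are
# installed and the caller can read the domain and its GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Convert-AdInterval {
    # lockoutDuration / lockOutObservationWindow on the domain object are stored
    # as negative 100-nanosecond intervals; Int64.MinValue means "never".
    param([int64]$Value)
    if ($Value -eq 0)                 { return '0 (not set)' }
    if ($Value -eq [int64]::MinValue) { return 'Never (administrator must unlock)' }
    return [TimeSpan]::FromTicks(-$Value).ToString()
}

function Get-EffectiveLockoutPolicy {
    # The DCs enforce the attributes written on the domain object, not the GPO
    # as it currently reads. A setting switched back to "Not Defined" in the
    # Default Domain Policy leaves the previously written value in place.
    $domainDN = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDN -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow
    [pscustomobject]@{
        DomainDN          = $domainDN
        LockoutThreshold  = [int]$obj.lockoutThreshold        # 0 = no lockout
        LockoutDuration   = Convert-AdInterval $obj.lockoutDuration
        ObservationWindow = Convert-AdInterval $obj.lockOutObservationWindow
    }
}

function Get-DomainLinkedLockoutSettings {
    # Enumerate GPOs linked at the domain root in precedence order and pull the
    # account-lockout entries out of each GPO's XML report. A GPO with a lower
    # link order overrides the Default Domain Policy for any setting both define.
    $domainDN = (Get-ADDomain).DistinguishedName
    $links = (Get-GPInheritance -Target $domainDN).GpoLinks | Sort-Object Order
    foreach ($link in $links) {
        $report = [xml](Get-GPOReport -Guid $link.GpoId -ReportType Xml)
        # Assumed report layout: security account policies are <Account> elements
        # holding <Name> (LockoutBadCount, LockoutDuration, ResetLockoutCount)
        # and <SettingNumber>; local-name() sidesteps the namespace prefixes.
        $entries = foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
            $name  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
            $value = $node.SelectSingleNode("*[local-name()='SettingNumber']").InnerText
            if ($name -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)$') { "$name=$value" }
        }
        $summary = if ($entries) { $entries -join '; ' } else { '(not defined)' }
        [pscustomobject]@{
            Order           = $link.Order
            GPO             = $link.DisplayName
            Enabled         = $link.Enabled
            Enforced        = $link.Enforced
            LockoutSettings = $summary
        }
    }
}

Write-Host "Effective lockout policy enforced by the DCs:"
Get-EffectiveLockoutPolicy | Format-List

Write-Host "Lockout settings defined by GPOs linked at the domain root:"
Get-DomainLinkedLockoutSettings | Format-Table -AutoSize
```

Run it on a DC as a user who can read the domain. The situation in the thread shows up as an effective threshold of 5 with a 15-minute observation window and duration while every linked GPO reports "(not defined)": the attributes are leftovers from the earlier policy, and nothing currently linked rewrites them. Defining the three values explicitly in the Default Domain Policy, as Marcin suggested, makes the DC write the attributes again; "net accounts /domain" then shows the same numbers as the first function.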