Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Account Lock Policy

Status
Not open for further replies.
k3lvin

k3lvin

Technical User
Jan 13, 2008
143
GB
I have been asked to create a Account Lockout Group Policy, so I have with the following poicy settings:

Account lockout duration - 30 mins
Accountl ockout threshold - 5 invalid logon attempts
Reset account lockout counter after 30 minutes

I have set this in our Default Domain Policy (I only use this GPO for this policy and password policy) and have not enforced it so that it won't effect our servers, DC's, admin OU's that are set to block inheritance (all our servers and administrative accounts) The problem is, since I have created this policy our "admin" account (domain\admin) which is used a fair amount on our servers and occasuanly gets locked out. So there must be a pc out there that has something like a service using our admin account with an old password? If I run rsop.msc on a server in our Servers OU the account lock out policy is not applied. Is there a way of viewing what or how this account is getting locked out?
 
Sort by date Sort by votes
Enable auditing for failed logons you will then be able to see an entry in the event log under security. Look at the event it might give you the workstation but it should give you the IP address and you can track it back from there. I would also avoid making changes to the default domain policy and instead make a separate policy.
 
Upvote 0 Downvote
Also...

"Account lockout duration - 30 mins
Accountn lockout threshold - 5 invalid logon attempts Reset account lockout counter after 30 minutes"

I would rethink the duration and reset lockout duration, both good to set, primarily against a dictionary attack but 5 minutes on both would suffice.

........................................
Chernobyl disaster..a must see pictorial
 
Upvote 0 Downvote
I installed Account Lockout and Management Tools, ran eventcombMT.exe, added my DC's, ticked all boxes except the bottom one (Get All Events With…)

Searched with the following Event IDs: 529 644 675 676 681 12294

Log files should go into C:\temp\

Look at the DCnamehere-Security_LOG.txt file(s) and look for entries with “Account Locked Out:” this will tell what computer is trying is causing the account to lock out.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
708
goombawaho
goombawaho
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
480
DrB0b
DrB0b
Mohamed-IT
  • Locked
  • Question
Windows server 2019 password locked
Replies
1
Views
135
strongm
strongm
rrmcguire
  • Locked
  • Question
group policy to set dns
Replies
2
Views
244
rrmcguire
rrmcguire
Kiwica
  • Locked
  • Question
Locked out domain account
Replies
4
Views
130
Kiwica
Kiwica

Part and Inventory Search

Sponsor

Back
Top