Account Locked Out...why?

MagnumVP

Jul 9, 2002
I have a Windows XP Pro machine and 2000 DCs. I have NOT configured Account Lockout Policies on either of the DCs, but after three bad attempts to log in, the account is locked out.

The only thing that I have enabled is Password Complexity and 1 Remembered Password. I have run gpresult and found nothing about Lockout Policy.

Any thoughts as to why this could be happening?
 
This is from


Account Lockout Policy
Account lockout policy options disable accounts after a set number of failed logon attempts. Using these options can help you detect and block attempts to break passwords. To modify lockout policy settings, launch Local Security Policy or Group Policy and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.


Is it possible the password complexity has caused the lockout? If you break the rules, something should happen. Just a theory. Good luck.



Glen A. Johnson
"Give the laziest man the hardest job and he'll find the easiest way to do it."

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
 
Open your default domain policy. Check the password policy settings. Are they "not defined" or are they blank?
 
I opened the default Domain Policy and they are set to NOT DEFINED
 
Is the default domain policy the only policy linked to the domain level?
 
Open gpedit.msc on the machine in question or connect remotely. You have many places a Group Policy can be defined.

Looking at the Domain policy only shows the domain policy, obviously.

There are "Effective Settings" you want to pay attention to.

gpresult is good for many things; determining the policy in effect on a machine is not one of them.

If you open remotely, even from a custom mmc.exe, add Computer Management for another machine, then check the effective settings.

You can have Local, Domain, Site, and/or OU policy in effect.

Check the machine. If the policy is set, then start at the OU properties as it overrides everything else, then go to the site policy, the domain you checked, then local.

If it's not defined in the effective policy, GPO is not doing it.

Look elsewhere. Let us know your results of the above.....

Good Luck.
 
Password policies can only come from the local policy or the domain policy.

Password policies set at the OU or site levels will not apply.
 
There are two policies that are assigned at the domain.

1) Default Domain policy
Settings:
Logon Message Text
Logon Message Title

2) Logon Scripts
Settings:
logon.bat

There is currently a GPO assigned to all employees at their OU level to push out 1) Shadow Copy Software and 2) a custom application that I created to help install applications on their local machines without having to know directly where they are on the network.

When I run GPMC.msc and create a custom Group Policy Results with my user account and the local computer, under account lockout, everything is "Not Defined".

Below I have exported the Default Domain Policy Settings under:

Computer Configuration --> Windows Settings --> Password Policy
Enforce password history: 1 passwords remembered
Maximum password age: Not defined
Minimum password age: Not defined
Minimum password length: Not defined
Password must meet complexity requirements: Enabled
Store password using reversible encryption for all users in the domain: Not defined

Below I have exported and pasted the Default Domain Policy Settings under:

Computer Configuration --> Windows Settings --> Account Lockout
Account lockout duration: Not defined
Account lockout threshold: Not defined
Reset account lockout counter after: Not defined
 
First question: Which policy is first in the list at the domain level?

Second question: I know you used GPMC modeling to see what would apply, but did you check the account settings in the other policy?
 
Whoops... I mistyped.

The second one is the Local Policy of the local machine (workstation) and the first one is located at the domain. Regardless, even if these were both at the domain level, there is no conflict. But for reference, the Default Domain Policy has priority (top of list).

I checked all GPOs' Account settings and all are "Not Defined" except the Default Domain Policy, which has the previous post settings.
 
You said local policy of the workstation. What about the local policy of the domain controllers?
 
I checked the Local Security Policy (LSP), Domain Security Policy (DSP) and Domain Controller Security Policy (DCSP) on all DCs. Below are the results.

LSP
Account lockout duration: Not defined
Account lockout threshold: Not defined
Reset account lockout counter after: Not defined

DCSP
Account lockout duration: Not defined
Account lockout threshold: Not defined
Reset account lockout counter after: Not defined

DSP
Account lockout duration: Not defined
Account lockout threshold: Not defined
Reset account lockout counter after: Not defined


This is really interesting to me but I can't figure out why it is doing this.
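
Added example, not part of the original thread: every check above reads a policy editor view, where "Not defined" only means that the GPO does not configure the setting, which is not the same as a threshold of 0. The sketch below reads the values a machine is actually enforcing from the [System Access] section of a `secedit /export` file. The function name Get-LockoutSettings is hypothetical and the sample export is constructed (its threshold of 3 mirrors the symptom reported in the first post); treating a missing LockoutBadCount as 0 is an assumption.

```powershell
# Added example: parse the lockout values out of a secedit security-policy export.
# On a live machine, produce the input with:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $lines = Get-Content "$env:TEMP\secpol.inf"

function Get-LockoutSettings {
    param([Parameter(Mandatory)][string[]]$Lines)

    $section = ''
    $values  = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Track which INF section we are in; only [System Access] is relevant.
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'System Access') { continue }
        # Values are integers; LockoutDuration may be -1 (locked until an admin unlocks).
        if ($line -match '^(\w+)\s*=\s*(-?\d+)$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }

    # Assumption: a missing LockoutBadCount is treated as 0 (lockout disabled).
    $threshold = 0
    if ($values.ContainsKey('LockoutBadCount')) { $threshold = $values['LockoutBadCount'] }

    [pscustomobject]@{
        LockoutThreshold     = $threshold
        LockoutEnabled       = ($threshold -gt 0)
        ResetCounterAfterMin = $values['ResetLockoutCount']   # $null when absent
        LockoutDurationMin   = $values['LockoutDuration']     # $null when absent
    }
}

# Constructed sample export, not taken from the poster's machines.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
PasswordHistorySize = 1
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 0
'@ -split "`r?`n"

Get-LockoutSettings -Lines $sample | Format-List
```

A non-zero LockoutThreshold from the export while every GPO shows "Not defined" means the value is being enforced without any current GPO configuring it. `net accounts /domain` prints the domain's lockout threshold, duration and observation window for comparison.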
 