We're on a W2K domain. Users (W2K and WXP computers) keep getting locked out after entering a wrong password 3 times even though the domain's Account Lockout policy is not defined.
Have you run gpresult on the clients and checked all policies to make sure it is not defined in Group Policy, either in Active Directory or on the client?
COMPUTER SETTINGS
------------------
CN=DPR-83,CN=Computers,DC=north1,DC=local
Last time Group Policy was applied: 12/10/2007 at 12:48:28 PM
Group Policy was applied from: 2xeons.north1.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
DPR-83$
Domain Computers
USER SETTINGS
--------------
CN=Oleg Slivnyak,CN=Users,DC=north1,DC=local
Last time Group Policy was applied: 12/10/2007 at 11:23:30 AM
Group Policy was applied from: 2xeons.north1.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
wtsusers
If a domain policy was created to define a lockout policy and then deleted, the changes made by that policy could still be in effect. When removing a policy, I believe you need to disable the policy and let the effect of that replicate before you go back and delete it. There are some policies where even that would not work and I believe this is one of them.
What you will probably need to do if you truly do not want a lockout applied is to create a policy that says no lockout as opposed to having it "not defined".
Also, when looking for the policy effect in the registry, you will want to look at the registry on the domain controllers. It does not matter what any PC's local policy is because the PC is not in charge of enforcing that policy. The DC enforces the password policies. [If there is a password policy on the local PC it would apply to local accounts - not domain accounts]
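An added example, not part of the original thread: because the DC enforces the lockout policy, the output of `net accounts /domain` shows what is actually in force, whatever gpresult lists as applied. The Python below parses that output; the sample text is constructed, and the field labels assume English-language Windows.

```python
import re

# Constructed sample of `net accounts /domain` output (English-language Windows).
# Values are made up to mirror the thread: lockout after 3 bad attempts.
SAMPLE = """\
The request will be processed at a domain controller for domain north1.local.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# A field line is "label:" followed by at least two spaces and a value.
FIELD = re.compile(r"^(?P<key>.+?):\s{2,}(?P<value>\S.*)$")

def parse_net_accounts(text):
    """Return {field label: raw value} for every 'label:   value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.rstrip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields

def lockout_summary(text):
    """Describe the lockout policy the domain controller reports."""
    f = parse_net_accounts(text)
    raw = f.get("Lockout threshold")
    if raw is None:
        raise ValueError("no 'Lockout threshold' line; not net accounts output?")
    # 'Never' means accounts are never locked out (threshold 0).
    threshold = 0 if raw.lower() == "never" else int(raw)
    return {
        "enabled": threshold > 0,
        "threshold": threshold,
        "duration_min": f.get("Lockout duration (minutes)"),
        "window_min": f.get("Lockout observation window (minutes)"),
    }

if __name__ == "__main__":
    print(lockout_summary(SAMPLE))
```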
Am I correct in thinking that you have deleted the Default Domain Policy? I didn't think that was possible, but it is highly unadvisable to say the least.
I'm not sure what happened - but I think that wcburton is right. I did the same - I created a brand new policy defining a different number in the lockout policy (10 attempts - which is OK by me) and it started working. It still says N/A in the gpresult - USER SETTINGS-Applied Group Policy Objects. But I guess it does not matter.
PS. I also have a suspicion that I've been editing the Domain Controller GP not the Domain GP - thus the lockout problems.