Sign in with
Sign up | Sign in
Your question

AD accounts not being unlocked when "lockout duration" set..

Last response: in Windows 2000/NT
Share
Anonymous
October 22, 2004 12:33:03 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Our default domain account lockout policy is set like this:

Lockout Threshold - 4 attempts
Lockout Duration - 15 minutes
Reset Counter After - 5 minutes

User accounts are being locked out correctly when the threshold is met, but
they are NOT being unlocked when the lockout duration period is reached.
Once locked out, user accounts are staying locked out until they are manually
unlocked.

Nothing obvious in the event logs. Any ideas?

Thanks,
Paul
Anonymous
October 22, 2004 8:28:55 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Don't know offhand. When you run the " net accounts " command on the domain
controller does it show 15 minutes for the lockout duration? --- Steve


"PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
> Our default domain account lockout policy is set like this:
>
> Lockout Threshold - 4 attempts
> Lockout Duration - 15 minutes
> Reset Counter After - 5 minutes
>
> User accounts are being locked out correctly when the threshold is met,
> but
> they are NOT being unlocked when the lockout duration period is reached.
> Once locked out, user accounts are staying locked out until they are
> manually
> unlocked.
>
> Nothing obvious in the event logs. Any ideas?
>
> Thanks,
> Paul
Anonymous
October 22, 2004 8:28:56 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Yes, it all looks good:

C:\>net accounts /domain
The request will be processed at a domain controller for domain <domainName>.

Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 6
Length of password history maintained: None
Lockout threshold: 4
Lockout duration (minutes): 15
Lockout observation window (minutes): 5
Computer role: BACKUP
The command completed successfully.


It's the strangest thing, but appreciate any help or suggestions anyone has.

Thanks,
Paul



"Steven L Umbach" wrote:

> Don't know offhand. When you run the " net accounts " command on the domain
> controller does it show 15 minutes for the lockout duration? --- Steve
>
>
> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
> news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
> > Our default domain account lockout policy is set like this:
> >
> > Lockout Threshold - 4 attempts
> > Lockout Duration - 15 minutes
> > Reset Counter After - 5 minutes
> >
> > User accounts are being locked out correctly when the threshold is met,
> > but
> > they are NOT being unlocked when the lockout duration period is reached.
> > Once locked out, user accounts are staying locked out until they are
> > manually
> > unlocked.
> >
> > Nothing obvious in the event logs. Any ideas?
> >
> > Thanks,
> > Paul
>
>
>
Related resources
Anonymous
October 23, 2004 2:24:32 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Did you run this on a Windows 2000 domain controller or a NT4.0 domain
controller? The reason I ask is that the computer role shows as "backup"
which I am not sure if that indicates a NT4.0 BDC or a Windows 2000 domain
controller that is not the PDC fsmo. You might also want to run net accounts
on the pdc fsmo and run the support tool gpotool to see if policy is
replicating correctly. When you run gpotool, you should see all your domain
controllers listed with versions of both AD and sysvol policy. It will
report any problems such as mismatches. --- Steve


"PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
news:9DE40826-8CAB-4CF1-9884-1A92CF330BBF@microsoft.com...
> Yes, it all looks good:
>
> C:\>net accounts /domain
> The request will be processed at a domain controller for domain
> <domainName>.
>
> Force user logoff how long after time expires?: Never
> Minimum password age (days): 0
> Maximum password age (days): 90
> Minimum password length: 6
> Length of password history maintained: None
> Lockout threshold: 4
> Lockout duration (minutes): 15
> Lockout observation window (minutes): 5
> Computer role: BACKUP
> The command completed successfully.
>
>
> It's the strangest thing, but appreciate any help or suggestions anyone
> has.
>
> Thanks,
> Paul
>
>
>
> "Steven L Umbach" wrote:
>
>> Don't know offhand. When you run the " net accounts " command on the
>> domain
>> controller does it show 15 minutes for the lockout duration? --- Steve
>>
>>
>> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
>> news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
>> > Our default domain account lockout policy is set like this:
>> >
>> > Lockout Threshold - 4 attempts
>> > Lockout Duration - 15 minutes
>> > Reset Counter After - 5 minutes
>> >
>> > User accounts are being locked out correctly when the threshold is met,
>> > but
>> > they are NOT being unlocked when the lockout duration period is
>> > reached.
>> > Once locked out, user accounts are staying locked out until they are
>> > manually
>> > unlocked.
>> >
>> > Nothing obvious in the event logs. Any ideas?
>> >
>> > Thanks,
>> > Paul
>>
>>
>>
Anonymous
October 25, 2004 12:03:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I had actually run it from my workstation. This is a Win2K domain running in
native mode and I get the same result from the PDC FSMO, which looks good:

C:\Temp>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 6
Length of password history maintained: None
Lockout threshold: 4
Lockout duration (minutes): 15
Lockout observation window (minutes): 5
Computer role: PRIMARY
The command completed successfully.


GPOTool looks good as well (output is lengthy so I'll spare you that). DS
version, Sysvol version and Functionality version all match and gpotool
reports "Policies OK".

But still user accounts don't unlock unless we manually unlock
them...frustrating. And rare I guess since I haven't had much luck finding
any info on it or others who have had the same or similar problem...

Thanks for the help though,
Paul


"Steven L Umbach" wrote:

> Did you run this on a Windows 2000 domain controller or a NT4.0 domain
> controller? The reason I ask is that the computer role shows as "backup"
> which I am not sure if that indicates a NT4.0 BDC or a Windows 2000 domain
> controller that is not the PDC fsmo. You might also want to run net accounts
> on the pdc fsmo and run the support tool gpotool to see if policy is
> replicating correctly. When you run gpotool, you should see all your domain
> controllers listed with versions of both AD and sysvol policy. It will
> report any problems such as mismatches. --- Steve
>
>
> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
> news:9DE40826-8CAB-4CF1-9884-1A92CF330BBF@microsoft.com...
> > Yes, it all looks good:
> >
> > C:\>net accounts /domain
> > The request will be processed at a domain controller for domain
> > <domainName>.
> >
> > Force user logoff how long after time expires?: Never
> > Minimum password age (days): 0
> > Maximum password age (days): 90
> > Minimum password length: 6
> > Length of password history maintained: None
> > Lockout threshold: 4
> > Lockout duration (minutes): 15
> > Lockout observation window (minutes): 5
> > Computer role: BACKUP
> > The command completed successfully.
> >
> >
> > It's the strangest thing, but appreciate any help or suggestions anyone
> > has.
> >
> > Thanks,
> > Paul
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> Don't know offhand. When you run the " net accounts " command on the
> >> domain
> >> controller does it show 15 minutes for the lockout duration? --- Steve
> >>
> >>
> >> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
> >> news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
> >> > Our default domain account lockout policy is set like this:
> >> >
> >> > Lockout Threshold - 4 attempts
> >> > Lockout Duration - 15 minutes
> >> > Reset Counter After - 5 minutes
> >> >
> >> > User accounts are being locked out correctly when the threshold is met,
> >> > but
> >> > they are NOT being unlocked when the lockout duration period is
> >> > reached.
> >> > Once locked out, user accounts are staying locked out until they are
> >> > manually
> >> > unlocked.
> >> >
> >> > Nothing obvious in the event logs. Any ideas?
> >> >
> >> > Thanks,
> >> > Paul
> >>
> >>
> >>
>
>
>
Anonymous
October 26, 2004 12:21:18 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hmm. I can't think of much else. What I would try is to set the reset
counter time to the same as the lockout duration time which is what the
operating system would suggest when you change the setting. Anytime you
change domain password/lockout policy be sure that block inheritance is not
enabled on the domain controller container as that can prevent changes from
applying. In addition consider raising the lockout threshold to no less than
ten which is what Microsoft recommends. I see you already have minimum
password length of six which may also mean that you have password complexity
enabled. A setting of ten will still effectively deter brute force password
attacks with your password policy and reduce your lockouts. Note that one
failed logon attempt by a user can generate multiple number as far as the
operating system is concerned in some situations. ---- Steve


"PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
news:B6F3BBAA-2F9A-450C-84BA-5E3C50766671@microsoft.com...
>I had actually run it from my workstation. This is a Win2K domain running
>in
> native mode and I get the same result from the PDC FSMO, which looks good:
>
> C:\Temp>net accounts
> Force user logoff how long after time expires?: Never
> Minimum password age (days): 0
> Maximum password age (days): 90
> Minimum password length: 6
> Length of password history maintained: None
> Lockout threshold: 4
> Lockout duration (minutes): 15
> Lockout observation window (minutes): 5
> Computer role: PRIMARY
> The command completed successfully.
>
>
> GPOTool looks good as well (output is lengthy so I'll spare you that). DS
> version, Sysvol version and Functionality version all match and gpotool
> reports "Policies OK".
>
> But still user accounts don't unlock unless we manually unlock
> them...frustrating. And rare I guess since I haven't had much luck
> finding
> any info on it or others who have had the same or similar problem...
>
> Thanks for the help though,
> Paul
>
>
> "Steven L Umbach" wrote:
>
>> Did you run this on a Windows 2000 domain controller or a NT4.0 domain
>> controller? The reason I ask is that the computer role shows as "backup"
>> which I am not sure if that indicates a NT4.0 BDC or a Windows 2000
>> domain
>> controller that is not the PDC fsmo. You might also want to run net
>> accounts
>> on the pdc fsmo and run the support tool gpotool to see if policy is
>> replicating correctly. When you run gpotool, you should see all your
>> domain
>> controllers listed with versions of both AD and sysvol policy. It will
>> report any problems such as mismatches. --- Steve
>>
>>
>> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
>> news:9DE40826-8CAB-4CF1-9884-1A92CF330BBF@microsoft.com...
>> > Yes, it all looks good:
>> >
>> > C:\>net accounts /domain
>> > The request will be processed at a domain controller for domain
>> > <domainName>.
>> >
>> > Force user logoff how long after time expires?: Never
>> > Minimum password age (days): 0
>> > Maximum password age (days): 90
>> > Minimum password length: 6
>> > Length of password history maintained: None
>> > Lockout threshold: 4
>> > Lockout duration (minutes): 15
>> > Lockout observation window (minutes): 5
>> > Computer role: BACKUP
>> > The command completed successfully.
>> >
>> >
>> > It's the strangest thing, but appreciate any help or suggestions anyone
>> > has.
>> >
>> > Thanks,
>> > Paul
>> >
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Don't know offhand. When you run the " net accounts " command on the
>> >> domain
>> >> controller does it show 15 minutes for the lockout duration? ---
>> >> Steve
>> >>
>> >>
>> >> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
>> >> news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
>> >> > Our default domain account lockout policy is set like this:
>> >> >
>> >> > Lockout Threshold - 4 attempts
>> >> > Lockout Duration - 15 minutes
>> >> > Reset Counter After - 5 minutes
>> >> >
>> >> > User accounts are being locked out correctly when the threshold is
>> >> > met,
>> >> > but
>> >> > they are NOT being unlocked when the lockout duration period is
>> >> > reached.
>> >> > Once locked out, user accounts are staying locked out until they are
>> >> > manually
>> >> > unlocked.
>> >> >
>> >> > Nothing obvious in the event logs. Any ideas?
>> >> >
>> >> > Thanks,
>> >> > Paul
>> >>
>> >>
>> >>
>>
>>
>>
!