Archived from groups: microsoft.public.win2000.security (
More info?)
Hmm. I can't think of much else. What I would try is to set the reset
counter time to the same as the lockout duration time which is what the
operating system would suggest when you change the setting. Anytime you
change domain password/lockout policy be sure that block inheritance is not
enabled on the domain controller container as that can prevent changes from
applying. In addition consider raising the lockout threshold to no less than
ten which is what Microsoft recommends. I see you already have minimum
password length of six which may also mean that you have password complexity
enabled. A setting of ten will still effectively deter brute force password
attacks with your password policy and reduce your lockouts. Note that one
failed logon attempt by a user can generate multiple number as far as the
operating system is concerned in some situations. ---- Steve
"PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
news:B6F3BBAA-2F9A-450C-84BA-5E3C50766671@microsoft.com...
>I had actually run it from my workstation. This is a Win2K domain running
>in
> native mode and I get the same result from the PDC FSMO, which looks good:
>
> C:\Temp>net accounts
> Force user logoff how long after time expires?: Never
> Minimum password age (days): 0
> Maximum password age (days): 90
> Minimum password length: 6
> Length of password history maintained: None
> Lockout threshold: 4
> Lockout duration (minutes): 15
> Lockout observation window (minutes): 5
> Computer role: PRIMARY
> The command completed successfully.
>
>
> GPOTool looks good as well (output is lengthy so I'll spare you that). DS
> version, Sysvol version and Functionality version all match and gpotool
> reports "Policies OK".
>
> But still user accounts don't unlock unless we manually unlock
> them...frustrating. And rare I guess since I haven't had much luck
> finding
> any info on it or others who have had the same or similar problem...
>
> Thanks for the help though,
> Paul
>
>
> "Steven L Umbach" wrote:
>
>> Did you run this on a Windows 2000 domain controller or a NT4.0 domain
>> controller? The reason I ask is that the computer role shows as "backup"
>> which I am not sure if that indicates a NT4.0 BDC or a Windows 2000
>> domain
>> controller that is not the PDC fsmo. You might also want to run net
>> accounts
>> on the pdc fsmo and run the support tool gpotool to see if policy is
>> replicating correctly. When you run gpotool, you should see all your
>> domain
>> controllers listed with versions of both AD and sysvol policy. It will
>> report any problems such as mismatches. --- Steve
>>
>>
>> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
>> news:9DE40826-8CAB-4CF1-9884-1A92CF330BBF@microsoft.com...
>> > Yes, it all looks good:
>> >
>> > C:\>net accounts /domain
>> > The request will be processed at a domain controller for domain
>> > <domainName>.
>> >
>> > Force user logoff how long after time expires?: Never
>> > Minimum password age (days): 0
>> > Maximum password age (days): 90
>> > Minimum password length: 6
>> > Length of password history maintained: None
>> > Lockout threshold: 4
>> > Lockout duration (minutes): 15
>> > Lockout observation window (minutes): 5
>> > Computer role: BACKUP
>> > The command completed successfully.
>> >
>> >
>> > It's the strangest thing, but appreciate any help or suggestions anyone
>> > has.
>> >
>> > Thanks,
>> > Paul
>> >
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Don't know offhand. When you run the " net accounts " command on the
>> >> domain
>> >> controller does it show 15 minutes for the lockout duration? ---
>> >> Steve
>> >>
>> >>
>> >> "PSmith2112" <PSmith2112@discussions.microsoft.com> wrote in message
>> >> news:6383B2FB-2A4F-4CDA-AEAC-77147BC263A5@microsoft.com...
>> >> > Our default domain account lockout policy is set like this:
>> >> >
>> >> > Lockout Threshold - 4 attempts
>> >> > Lockout Duration - 15 minutes
>> >> > Reset Counter After - 5 minutes
>> >> >
>> >> > User accounts are being locked out correctly when the threshold is
>> >> > met,
>> >> > but
>> >> > they are NOT being unlocked when the lockout duration period is
>> >> > reached.
>> >> > Once locked out, user accounts are staying locked out until they are
>> >> > manually
>> >> > unlocked.
>> >> >
>> >> > Nothing obvious in the event logs. Any ideas?
>> >> >
>> >> > Thanks,
>> >> > Paul
>> >>
>> >>
>> >>
>>
>>
>>
Facebook
Twitter
Instagram