AD accounts not being unlocked when "lockout duration" set

Archived from groups: microsoft.public.win2000.security

Our default domain account lockout policy is set like this:

Lockout Threshold - 4 attempts
Lockout Duration - 15 minutes
Reset Counter After - 5 minutes

User accounts are being locked out correctly when the threshold is met, but
they are NOT being unlocked when the lockout duration period is reached.
Once locked out, user accounts are staying locked out until they are manually
unlocked.

Nothing obvious in the event logs. Any ideas?

Thanks,
Paul
  1.

    Don't know offhand. When you run the "net accounts" command on the domain
    controller does it show 15 minutes for the lockout duration? --- Steve


  2.

    Yes, it all looks good:

    C:\>net accounts /domain
    The request will be processed at a domain controller for domain <domainName>.

    Force user logoff how long after time expires?: Never
    Minimum password age (days): 0
    Maximum password age (days): 90
    Minimum password length: 6
    Length of password history maintained: None
    Lockout threshold: 4
    Lockout duration (minutes): 15
    Lockout observation window (minutes): 5
    Computer role: BACKUP
    The command completed successfully.


    It's the strangest thing, but appreciate any help or suggestions anyone has.

    Thanks,
    Paul


  3.

    Did you run this on a Windows 2000 domain controller or a NT4.0 domain
    controller? The reason I ask is that the computer role shows as "backup"
    which I am not sure if that indicates a NT4.0 BDC or a Windows 2000 domain
    controller that is not the PDC fsmo. You might also want to run net accounts
    on the pdc fsmo and run the support tool gpotool to see if policy is
    replicating correctly. When you run gpotool, you should see all your domain
    controllers listed with versions of both AD and sysvol policy. It will
    report any problems such as mismatches. --- Steve


  4.

    I had actually run it from my workstation. This is a Win2K domain running in
    native mode and I get the same result from the PDC FSMO, which looks good:

    C:\Temp>net accounts
    Force user logoff how long after time expires?: Never
    Minimum password age (days): 0
    Maximum password age (days): 90
    Minimum password length: 6
    Length of password history maintained: None
    Lockout threshold: 4
    Lockout duration (minutes): 15
    Lockout observation window (minutes): 5
    Computer role: PRIMARY
    The command completed successfully.


    GPOTool looks good as well (output is lengthy so I'll spare you that). DS
    version, Sysvol version and Functionality version all match and gpotool
    reports "Policies OK".

    But still user accounts don't unlock unless we manually unlock
    them...frustrating. And rare I guess since I haven't had much luck finding
    any info on it or others who have had the same or similar problem...

    Thanks for the help though,
    Paul


  5.

    Hmm. I can't think of much else. What I would try is to set the reset
    counter time to the same as the lockout duration time, which is what the
    operating system would suggest when you change the setting. Anytime you
    change domain password/lockout policy, be sure that block inheritance is not
    enabled on the domain controller container, as that can prevent changes from
    applying. In addition, consider raising the lockout threshold to no less than
    ten, which is what Microsoft recommends. I see you already have a minimum
    password length of six, which may also mean that you have password complexity
    enabled. A setting of ten will still effectively deter brute force password
    attacks with your password policy and reduce your lockouts. Note that one
    failed logon attempt by a user can count as multiple attempts as far as the
    operating system is concerned in some situations. ---- Steve


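As an added check (example code written for this edit, not code from the thread or from Microsoft), the script below does two things the replies above point at: it compares the lockout fields of "net accounts" output collected from each DC so that a DC whose copy of the policy differs stands out, and it evaluates whether an account's lockoutTime plus the lockout duration has elapsed, since AD leaves lockoutTime set and simply stops treating the account as locked once that window has passed. All sample output and timestamps are constructed; the DC names and the second DC's differing value are assumptions for illustration.

```python
"""Added example, not from the thread: compare the lockout fields of
'net accounts' output from several DCs, then check whether a locked account's
lockoutTime plus the lockout duration has elapsed. Samples are constructed."""
from datetime import datetime, timedelta, timezone
# Constructed sample, modelled on the thread's PDC FSMO output.
NET_ACCOUNTS_PDC = """\
Lockout threshold: 4
Lockout duration (minutes): 15
Lockout observation window (minutes): 5
Computer role: PRIMARY
The command completed successfully.
"""
# Constructed sample: a second DC whose copy of the policy differs.
NET_ACCOUNTS_DC2 = NET_ACCOUNTS_PDC.replace("15", "Never").replace("PRIMARY", "BACKUP")
LOCKOUT_FIELDS = ("Lockout threshold", "Lockout duration (minutes)",
                  "Lockout observation window (minutes)")

def parse_net_accounts(text):
    """Return {field: value} for the lockout-related lines of net accounts."""
    parsed = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in LOCKOUT_FIELDS:
            parsed[key.strip()] = value.strip()
    return parsed

def policy_mismatches(outputs):
    """outputs: {dc_name: net accounts text}. Return {field: {dc: value}} for
    every lockout field on which the DCs disagree (should be empty)."""
    per_dc = {dc: parse_net_accounts(text) for dc, text in outputs.items()}
    mismatches = {}
    for field in LOCKOUT_FIELDS:
        values = {dc: p.get(field) for dc, p in per_dc.items()}
        if len(set(values.values())) > 1:
            mismatches[field] = values
    return mismatches

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(when):
    """UTC datetime -> FILETIME (100 ns ticks since 1601), as AD stores lockoutTime."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def lockout_expired(lockout_time, duration_minutes, now):
    """AD does not clear lockoutTime when the duration passes; a DC treats the
    account as unlocked once lockoutTime + duration is in the past (0 = not locked)."""
    if lockout_time == 0:
        return True
    locked_at = FILETIME_EPOCH + timedelta(microseconds=lockout_time // 10)
    return now >= locked_at + timedelta(minutes=duration_minutes)
```

Because lockoutTime is never cleared by the timer, a tool that reports "locked" purely from a non-zero lockoutTime will keep showing the account as locked after the 15 minutes have passed; the expiry check above is the comparison the DC itself makes.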