Account Lockout...

Archived from groups: microsoft.public.win2000.security

I have domain, local, domain controller policies all set to lock out an
account after 3 invalid logon attempts. None of our users are logging into
the domain, only through Outlook for Exchange. When they enter the wrong
password more than 3 times the account is not locked. Does anyone know why
this is? Every workstation is using a local account and operates completely
independent of the domain.

Thank you,
Mike Stiers
  1. Archived from groups: microsoft.public.win2000.security

    Hello Ketta,

    Please take a look at the following article:

    Unexpected Account Lockouts Caused When Logging On to Outlook from an
    Untrusted Domain -->
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;276541

    Microsoft's recommendation is to set the account lockout to 10:

    "Bad Password Threshold is set too low: This is one of the most common
    misconfiguration issues. Many companies set the Bad Password Threshold
    registry value to a value lower than the default value of 10. If you set
    this value too low, false lockouts occur when programs automatically retry
    invalid passwords. Microsoft recommends that you leave this value at its
    default value of 10. For more information, see "Choosing Account Lockout
    Settings for Your Deployment" in this document."

    This information was obtained from "Account Lockout Best Practices" --->
    http://www.microsoft.com/downloads/details.aspx?familyid=8c8e0d90-a13b-4977-a4fc-3e2b67e3748e&displaylang=en

    Thank You

    Diana.


    This posting is provided "AS IS" with no warranties, and confers no rights.


    diasmith@online.microsoft.com

    --------------------
    | From: "Ketta" <no@post.net>
    | Subject: Account Lockout...
    | Date: Mon, 8 Nov 2004 09:54:42 -0500
    |
    | I have domain, local, domain controller policies all set to lock out an
    | account after 3 invalid logon attempts. None of our users are logging into
    | the domain, only through Outlook for Exchange. When they enter the wrong
    | password more than 3 times the account is not locked. Does anyone know why
    | this is? Every workstation is using a local account and operates completely
    | independent of the domain.
    |
    | Thank you,
    | Mike Stiers
  2. Archived from groups: microsoft.public.win2000.security

    Ketta wrote:
    > I have domain, local, domain controller policies all set to lock out an
    > account after 3 invalid logon attempts. None of our users are
    > logging into the domain, only through Outlook for Exchange. When
    > they enter the wrong password more than 3 times the account is not
    > locked. Does anyone know why this is? Every workstation is using a
    > local account and operates completely independent of the domain.
    >
    > Thank you,
    > Mike Stiers

    Well, if they're using local accounts, this makes perfect sense. Why are
    they using local accounts anyway? This is not a good practice - what's the
    client OS? If they're using XP Home, upgrade them to XP Pro. XP Home doesn't
    belong on a domain.

    For the domain accounts, don't set lockout. It's more trouble than it's
    worth - just make sure you force regular pw changes & enable complex
    passwords.