
Account lockout duration=30 minutes, however account remai..

Anonymous
November 18, 2004 10:43:31 AM

Archived from groups: microsoft.public.win2000.security

In Win2000SP4 root domain, Domain Security Policies I have
Account lockout duration=30 minutes
Account lockout threshold =15 invalid logon attempts
Reset account lockout counter after=30 minutes

However, when somebody gets locked out, it remains locked for several days
and account gets unlocked upon manual intervention.
I think that's the correct way anyway, otherwise somebody attempting to
discover a password would just keep trying if accounts got unlocked after 30
minutes.

However, what I don't understand is why even if the settings above are
enabled, accounts still remain locked after 30 minutes ? It seems settings
above don't work or is it my interpretation that is incorrect ?
Anonymous
November 19, 2004 12:13:39 AM

Archived from groups: microsoft.public.win2000.security

Where have you linked the policies? When setting these policies for the
domain, they are ignored unless they are linked at the domain level, such as
in the default domain policy.

If you apply the settings to an OU, then the policy will affect the account
policies for *local* accounts on any machines that may be located in the OU.

http://support.microsoft.com/default.aspx?scid=kb;en-us;259576

Hope this helps

Oli


"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:e%23yLcVYzEHA.2316@TK2MSFTNGP15.phx.gbl...
> In Win2000SP4 root domain, Domain Security Policies I have
> Account lockout duration=30 minutes
> Account lockout threshold =15 invalid logon attempts
> Reset account lockout counter after=30 minutes
>
> However, when somebody gets locked out, it remains locked for several days
> and account gets unlocked upon manual intervention.
> I think that's the correct way anyway, otherwise somebody attempting to
> discover a password would just keep trying if accounts got unlocked after
> 30
> minutes.
>
> However, what I don't understand is why even if the settings above are
> enabled, accounts still remain locked after 30 minutes ? It seems settings
> above don't work or is it my interpretation that is incorrect ?
>
>
Anonymous
November 19, 2004 1:40:55 AM

Archived from groups: microsoft.public.win2000.security

Try running net accounts on the domain controllers to see what they report
as the account lockout setting. The domain is the place to configure such a
setting. If you have more than one GPO in the domain container, the GPO at
the top of the list takes precedence and can therefore override Domain
Security Policy. The other thing that can happen is that if password/account
policy is changed while block inheritance is enabled on the domain
controllers container, the new policy will not apply. I would also verify
proper replication of Group Policies using the support tool gpotool which
will tell the sysvol and AD version of all GPO's on the domain controllers
it finds and report mismatches. --- Steve


"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:e%23yLcVYzEHA.2316@TK2MSFTNGP15.phx.gbl...
> In Win2000SP4 root domain, Domain Security Policies I have
> Account lockout duration=30 minutes
> Account lockout threshold =15 invalid logon attempts
> Reset account lockout counter after=30 minutes
>
> However, when somebody gets locked out, it remains locked for several days
> and account gets unlocked upon manual intervention.
> I think that's the correct way anyway, otherwise somebody attempting to
> discover a password would just keep trying if accounts got unlocked after
> 30
> minutes.
>
> However, what I don't understand is why even if the settings above are
> enabled, accounts still remain locked after 30 minutes ? It seems settings
> above don't work or is it my interpretation that is incorrect ?
>
>
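
Added example (not part of the original thread): a Python sketch of the cross-check suggested in the reply above, comparing the lockout lines of `net accounts` output collected from each domain controller against the intended policy from the first post. The DC names and the captured output are constructed for illustration.

```python
import re

# Matches the three lockout lines of `net accounts`, tolerating a missing
# space before "(minutes)" as in the output pasted in this thread.
LINE = re.compile(
    r"^\s*Lockout (threshold|duration|observation window)"
    r"\s*(?:\(minutes\))?\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Intended domain policy, taken from the first post.
EXPECTED = {"threshold": 15, "duration": 30, "observation window": 30}

# Constructed sample output from two hypothetical domain controllers.
SAMPLES = {
    "DC1": "Lockout threshold:                     15\n"
           "Lockout duration (minutes):            30\n"
           "Lockout observation window (minutes):  30\n",
    "DC2": "Lockout threshold:                     15\n"
           "Lockout duration (minutes):            60\n"
           "Lockout observation window (minutes):  30\n",
}


def parse_net_accounts(text):
    """Return the lockout settings found in one `net accounts` capture."""
    settings = {}
    for name, value in LINE.findall(text):
        # Keep non-numeric values (for example "Never") as raw strings.
        settings[name.lower()] = int(value) if value.isdigit() else value
    return settings


def audit(outputs, expected=EXPECTED):
    """List (dc, setting, expected, reported) for every deviation."""
    findings = []
    for dc, text in sorted(outputs.items()):
        reported = parse_net_accounts(text)
        for name, want in expected.items():
            have = reported.get(name, "<missing>")
            if have != want:
                findings.append((dc, name, want, have))
    return findings


if __name__ == "__main__":
    for dc, name, want, have in audit(SAMPLES):
        print(f"{dc}: lockout {name} is {have}, policy says {want}")
```

A domain controller whose reported values differ from the others is the one to check for GPO precedence, blocked inheritance or a SYSVOL/AD version mismatch.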
Anonymous
November 19, 2004 1:40:56 AM

Archived from groups: microsoft.public.win2000.security

Very interesting...
I did net accounts in my DC and it confirms:

Lockout duration (minutes):30
Lockout observation window(minutes):30

However, people still remain locked until I clear the setting manually.
Well, I guess it is a good thing that they remain locked until manual
intervention. I will see if I can troubleshoot this, but I will definitely
change the Lockout Duration (minutes)=99999

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Xx9nd.356469$wV.77256@attbi_s54...
> Try running net accounts on the domain controllers to see what they report
> as the account lockout setting. The domain is the place to configure such a
> setting. If you have more than one GPO in the domain container, the GPO at
> the top of the list takes precedence and can therefore override Domain
> Security Policy. The other thing that can happen is that if password/account
> policy is changed while block inheritance is enabled on the domain
> controllers container, the new policy will not apply. I would also verify
> proper replication of Group Policies using the support tool gpotool which
> will tell the sysvol and AD version of all GPO's on the domain controllers
> it finds and report mismatches. --- Steve
>
>
Anonymous
November 19, 2004 4:35:40 AM

Archived from groups: microsoft.public.win2000.security

You are not the first person to report this and I have never seen a
resolution to those that experienced such. Out of curiosity it might be
interesting to set both to twenty minutes to see if it makes a
difference. --- Steve


"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:o 7Rn4TczEHA.1396@tk2msftngp13.phx.gbl...
> Very interesting...
> I did net accounts in my DC and it confirms:
>
> Lockout duration (minutes):30
> Lockout observation window(minutes):30
>
> However, people still remain locked until I clear the setting manually.
> Well, I guess it is a good thing that they remain locked until manual
> intervention. I will see if I can troubleshoot this, but I will definitely
> change the Lockout Duration (minutes)=99999
Anonymous
November 20, 2004 1:04:17 AM

Archived from groups: microsoft.public.win2000.security

Try the Account Lockout Toolset to troubleshoot these issues. You might
find that there is something very different from what you currently think is
going on.

Look here:
http://www.microsoft.com/downloads/details.aspx?FamilyI...

--
Rick Kingslan CISSP, MCSE, MCSA, MCT
Microsoft MVP
Windows Server / Directory Services
Windows Security
Associate Expert
http://www.msmvps.com/willhack4food


"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:o 7Rn4TczEHA.1396@tk2msftngp13.phx.gbl...
> Very interesting...
> I did net accounts in my DC and it confirms:
>
> Lockout duration (minutes):30
> Lockout observation window(minutes):30
>
> However, people still remain locked until I clear the setting manually.
> Well, I guess it is a good thing that they remain locked until manual
> intervention. I will see if I can troubleshoot this, but I will definitely
> change the Lockout Duration (minutes)=99999