Account lockout duration=30 minutes, however account remai..

Archived from groups: microsoft.public.win2000.security (More info?)

In Win2000SP4 root domain, Domain Security Policies I have
Account lockout duration=30 minutes
Account lockout threshold =15 invalid logon attempts
Reset account lockout counter after=30 minutes

However, when somebody gets locked out, it remains locked for several days
and account gets unlocked upon manual intervention.
I think that's the correct way anyway, otherwise somebody attempting to
discover a password would just keep trying if accounts got unlocked after 30
minutes.

However, what I don't understand is why even if the settings above are
enabled, accounts still remain locked after 30 minutes? It seems settings
above don't work or is it my interpretation that is incorrect?
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Where have you linked the policies? When setting these policies for the
    domain, they are ignored unless they are linked at the domain level, such as
    in the default domain policy.

    If you apply the settings to an OU, then the policy will affect the account
    policies for *local* accounts on any machines that may be located in the OU.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;259576

    Hope this helps

    Oli

  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Try running net accounts on the domain controllers to see what they report
    as the account lockout setting. The domain is the place to configure such a
    setting. If you have more than one GPO in the domain container, the GPO at
    the top of the list takes precedence and can therefore override Domain
    Security Policy. The other thing that can happen is that if password/account
    policy is changed while block inheritance is enabled on the domain
    controllers container, the new policy will not apply. I would also verify
    proper replication of Group Policies using the support tool gpotool which
    will tell the sysvol and AD version of all GPO's on the domain controllers
    it finds and report mismatches. --- Steve
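
Added example (not part of the original thread): one way to carry out the `net accounts` check suggested in the reply above is to capture the output on each domain controller and compare it with the intended policy. The DC names and captures below are constructed samples; the intended values are the ones quoted in the question.

```python
import re

# Intended values, taken from the Domain Security Policy quoted in the question.
INTENDED = {
    "Lockout threshold": 15,
    "Lockout duration (minutes)": 30,
    "Lockout observation window (minutes)": 30,
}

# Constructed `net accounts` captures from two hypothetical DCs (DC1, DC2).
SAMPLE_CAPTURES = {
    "DC1": """\
Force user logoff how long after time expires?:       Never
Lockout threshold:                                    15
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
""",
    "DC2": """\
Lockout threshold:                                    15
Lockout duration (minutes):                           99999
Lockout observation window(minutes):30
""",
}

def _key(label):
    """Normalise a label so spacing and case differences do not matter."""
    return re.sub(r"\s+", "", label).lower()

def parse_net_accounts(text):
    """Return {normalised label: value}; numeric values become int."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        value = value.strip()
        if not sep or not label.strip() or not value:
            continue  # status lines and blanks carry no setting
        settings[_key(label)] = int(value) if value.isdigit() else value
    return settings

def audit(captures, intended=INTENDED):
    """Map each DC name to a list of (setting, intended, reported) mismatches."""
    report = {}
    for dc, text in captures.items():
        seen = parse_net_accounts(text)
        report[dc] = [(name, want, seen.get(_key(name)))
                      for name, want in intended.items()
                      if seen.get(_key(name)) != want]
    return report
```

An empty list for a DC means it reports the intended lockout values; any tuple names a setting where the DC's effective policy differs from what was configured.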

  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Very interesting...
    I did net accounts in my DC and it confirms:

    Lockout duration (minutes):30
    Lockout observation window(minutes):30

    However, people still remain locked until I clear the setting manually.
    Well, I guess it is a good thing that they remain locked until manual
    intervention. I will see if I can troubleshoot this, but I will definitely
    change the Lockout Duration (minutes)=99999
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    You are not the first person to report this and I have never seen a
    resolution to those that experienced such. Out of curiosity it might be
    interesting to set both to twenty minutes to see if it makes a
    difference. --- Steve

  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Try the Account Lockout Toolset to troubleshoot these issues. You might
    find that there is something very different from what you currently think is
    going on.

    Look here:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

    --
    Rick Kingslan CISSP, MCSE, MCSA, MCT
    Microsoft MVP
    Windows Server / Directory Services
    Windows Security
    Associate Expert
    http://www.msmvps.com/willhack4food
