Hello All, Server 2008 SP2 with Exchange 2007 SP2. Our domain security policy is that after three bad passwords your account is locked. I noticed with webmail, that after one bad password your account is locked. Any ideas why it doesn't follow the domain policy? Thanks,

I can't say, but you really ought to bump that policy up a bit, say 10, to reduce the nuisance factor. It really won't compromise your security a lot.-- Ed Crowley MVP"There are seldom good technological solutions to behavioral problems.". "toolbox" wrote in message news:cef67b98-02e6-4568-b012-bd9310fb0fc1... Hello All, Server 2008 SP2 with Exchange 2007 SP2. Our domain security policy is that after three bad passwords your account is locked. I noticed with webmail, that after one bad password your account is locked. Any ideas why it doesn't follow the domain policy? Thanks, Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Hi, I agree with ED. Definitely, it is by design. With IIS 7, it will try to convert the user name and password to UTF-8/ UNICODE/ ANSI Unicode etc to IISLogonUser method to check the credential. If when the user/password convert to UTF-8 version and failed to pass the authentication, then it will try the other version. So if the threshold is very short, then it cannot try more version to IISLogonUser method to check the authentication. We recommend to use account lockout threshold > 10 or to a value that will accommodate end users with a high incorrect password entry rate. Regards, Xiu

Thanks all for your help. Increased the account lockout threshold to 7 which now allows 4 attempts on webmail. Thanks.