Why can I login to a locked account with the UPN?
I created a PSO policy that locks an account after 3 failed attempts. When I log in to OWA with an incorrect password 3 times, using the UPN, the account in AD is locked, but I can still log in with the UPN. I cannot log in with the user name only. If I log in with the user name and do 3 failed attempts, and then use the correct password, the account is locked out. But I can still log in with the user's UPN. This seems like a security issue. Does anyone know how to fix it?
February 1st, 2011 7:01pm

When you log in with a UPN a global catalog must be located and used. When you don't use a UPN, any DC can authenticate you. I'm not sure what your issue is, but I'd investigate replication and configuration of GCs.

Mike Crowley, Check out My Blog!
February 1st, 2011 9:35pm

Only one DC and one GC (same box). The issue is that a user can still login to OWA when their account is locked out by using the UPN as the login. This should not be possible.
February 2nd, 2011 10:13am

Interesting. I assume you're not using ISA or TMG either, right?

Mike Crowley, Check out My Blog!
February 2nd, 2011 10:50am

That is correct. I am running a simple 2-server network: the DC is Windows 2008 and Exchange 2007 is on Windows 2008. Log in 6 times with the username and an incorrect password and the account is locked out and you cannot log in with the username. But you can log in with the UPN. This seems like a security hole that could be exploited by a brute force attack.
February 2nd, 2011 11:11am

Something very odd is going on with Active Directory. If I log in with the username, the badPwdCount attribute is incremented by 2 for each failed login. If I log in with the UPN, the badPwdCount attribute is incremented by 4. If the PSO is set to lock out after 4 failed attempts, the user is locked out after 1 attempt using the UPN, and 2 attempts if using the user name.
February 2nd, 2011 11:24am
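To check what the poster is describing without relying on OWA's behaviour, an administrator can read the lockout-related attributes directly from each DC and compare them with the effective lockout threshold. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session is domain-joined, and `jsmith` / `jsmith@contoso.com` are placeholder identities. It resolves the account by either sAMAccountName or UPN (so both login styles are checked against the same object), reports the resultant PSO threshold, and reads `badPwdCount` and `lockoutTime` from every DC, because `badPwdCount` is not replicated while `lockoutTime` is.

```powershell
# Added example: audit an account's lockout state as seen by every DC,
# regardless of whether the account is referenced by sAMAccountName or UPN.
# Assumes RSAT ActiveDirectory module; identities below are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [string]$Identity   # e.g. 'jsmith' or 'jsmith@contoso.com' (placeholders)
)

Import-Module ActiveDirectory

# Resolve with an LDAP filter chosen by the naming format, so that a UPN
# login and a plain-username login are confirmed to hit the same object.
$filter = if ($Identity -like '*@*') {
    "(userPrincipalName=$Identity)"
} else {
    "(sAMAccountName=$Identity)"
}

$user = Get-ADUser -LDAPFilter $filter -Properties sAMAccountName, userPrincipalName
if (-not $user) { throw "No account matches '$Identity'" }

# Effective lockout settings: a PSO if one applies, otherwise the domain default.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
$source = 'PSO'
if (-not $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default Domain Policy'
}

Write-Host ("Account : {0} / {1}" -f $user.sAMAccountName, $user.userPrincipalName)
Write-Host ("Policy  : {0}  threshold={1}  window={2}  duration={3}" -f `
    $source, $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration)

# badPwdCount is kept per DC and never replicated; lockoutTime is replicated.
# Reading both from every DC shows whether the lockout actually took effect
# domain-wide or only on the DC that saw the failed attempts.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $u  = Get-ADUser -Identity $user.DistinguishedName -Server $dc `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut

    $lockedSince = if ($u.lockoutTime -gt 0) {
        [DateTime]::FromFileTime($u.lockoutTime)
    } else { $null }

    [PSCustomObject]@{
        DC              = $dc
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
        LockedOut       = $u.LockedOut
        LockedSince     = $lockedSince
        # An account whose badPwdCount already meets the threshold, or whose
        # lockoutTime is set, should be rejected for any login format.
        ShouldReject    = ($u.LockedOut -or ($policy.LockoutThreshold -gt 0 -and $u.badPwdCount -ge $policy.LockoutThreshold))
    }
} | Format-Table -AutoSize
```

Run it once after the failed attempts with the plain username and once after the failed attempts with the UPN; if `ShouldReject` is true on the authenticating DC yet OWA still accepts the UPN login, the problem is in the authentication path, not in the directory's lockout bookkeeping. A counter that jumps by 2 or 4 per attempt, as reported above, also shows up here as `BadPwdCount` rising faster than the number of attempts.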

http://blogs.technet.com/b/isablog/archive/2007/11/28/account-lockout-not-working-using-upn-format-to-logon-with-forms-bases-authentication-in-isa-server-2006.aspx This suggests there is a hotfix, but that would have been included in 2008 already. I suggest you contact PSS for further investigation.

Mike Crowley, Check out My Blog!
February 2nd, 2011 12:26pm

Hi there. This happened to me, and we had an audit that day and the auditor gave us a bad score because of this. Then I did some investigation, and the result was this: if you enable the screen saver lockout policy in the GP, it will lock the account after 3 or 4 attempts, or as you configured it; then if you enter the correct user name and password it will log you on, but if you log out and want to log on again it will suspend you. However, if you disable the screen saver lockout, it will suspend you from logging in from the first time, even if the correct user name and password are used. It's tested and I did this practically. Try it and I hope it works for you.
April 10th, 2012 4:49pm
