Account Lockout not working in Server 2008/W7 environment
Hello
I am having a problem with account lockout - GPO is set to lockout accounts after 3 failed attempts within 60 minutes. When I create a test account, and attempt to trigger the account lockout as a test, I cannot trigger it. In the audit log,
I can see the failed login attempt error messages ("Bad username or password"). When I run the rsop.msc I can verify the account lockout settings.
Is there some thing that could be preventing the account from locking out?
May 15th, 2012 11:32am
Hi,
Is the GPO applied at the domain level?
Each domain can have only one Account Policies setting. The Default Domain Policy is the policy that is enforced by the domain controllers in the domain by default. The Account Policies setting must either be defined in the Default Domain Policy or in a
new policy that is linked to the root of the domain and given precedence over the Default Domain Policy. These domain-wide Account Policies settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the
domain. Therefore, domain controllers always retrieve the values of these Account Policies settings from the Default Domain Policy GPO.
Reference:
Account Policies
http://technet.microsoft.com/en-us/library/dd349793(v=ws.10).aspx
Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
Free Windows Admin Tool Kit Click here and download it now
May 15th, 2012 12:03pm
Hi
Yes, the GPO is applied at the domain level in the Default Domain Policy GPO. When I run the RSOP on a domain workstation I can see that it has been inherited on this workstation from said GPO.
May 15th, 2012 1:26pm
Hi,
Does the test account log in before configuring Account Lockout Policy?
If yes, it may store the password cache on the workstation.
Is the workstation connected to the domain?
If the network cable is disconnected, the Account Lockout Policy doesn't work.
Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
Free Windows Admin Tool Kit Click here and download it now
May 15th, 2012 10:37pm
Hi,
Thank you for the post.
Please use the LockoutStatus.exe tool to check the test account Bad Pwd Count value on PDC DC.
http://technet.microsoft.com/en-us/library/cc780271(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
http://www.microsoft.com/en-us/download/details.aspx?id=15201
If there are more inquiries on this issue, please feel free to let us know.
RegardsRick Tan
TechNet Community Support
May 17th, 2012 2:12am
Hi,
Thank you for the post.
Please use the LockoutStatus.exe tool to check the test account Bad Pwd Count value on PDC DC.
http://technet.microsoft.com/en-us/library/cc780271(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
http://www.microsoft.com/en-us/download/details.aspx?id=15201
If there are more inquiries on this issue, please feel free to let us know.
RegardsRick Tan
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2012 2:18am