Hello I am having a problem with account lockout - GPO is set to lockout accounts after 3 failed attempts within 60 minutes. When I create a test account, and attempt to trigger the account lockout as a test, I cannot trigger it. In the audit log, I can see the failed login attempt error messages ("Bad username or password"). When I run the rsop.msc I can verify the account lockout settings. Is there some thing that could be preventing the account from locking out?

Hi, Is the GPO applied at the domain level? Each domain can have only one Account Policies setting. The Default Domain Policy is the policy that is enforced by the domain controllers in the domain by default. The Account Policies setting must either be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy. These domain-wide Account Policies settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain. Therefore, domain controllers always retrieve the values of these Account Policies settings from the Default Domain Policy GPO. Reference: Account Policies http://technet.microsoft.com/en-us/library/dd349793(v=ws.10).aspx Regards, Terry | My Blog: http://terrytlslau.tls1.cc

Hi Yes, the GPO is applied at the domain level in the Default Domain Policy GPO. When I run the RSOP on a domain workstation I can see that it has been inherited on this workstation from said GPO.

Hi, Does the test account log in before configuring Account Lockout Policy? If yes, it may store the password cache on the workstation. Is the workstation connected to the domain? If the network cable is disconnected, the Account Lockout Policy doesn't work. Regards, Terry | My Blog: http://terrytlslau.tls1.cc

Hi, Thank you for the post. Please use the LockoutStatus.exe tool to check the test account Bad Pwd Count value on PDC DC. http://technet.microsoft.com/en-us/library/cc780271(WS.10).aspx http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx http://www.microsoft.com/en-us/download/details.aspx?id=15201 If there are more inquiries on this issue, please feel free to let us know. RegardsRick Tan TechNet Community Support

Hi, Thank you for the post. Please use the LockoutStatus.exe tool to check the test account Bad Pwd Count value on PDC DC. http://technet.microsoft.com/en-us/library/cc780271(WS.10).aspx http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx http://www.microsoft.com/en-us/download/details.aspx?id=15201 If there are more inquiries on this issue, please feel free to let us know. RegardsRick Tan TechNet Community Support