Domain Account Locks out prematurely
Not sure if this is a Windows 7 or Server 2008 post so here goes... Background: I'm running Windows 7 in a Server 2008 environment... Our Default Domain Policy has the Account Lockout Threshold set to 4 invalid logon attempts. The Account Lockout Threshold is not set in the Default Domain Controller Policy. Issue: When I log in with an invalid password twice, the user account is getting locked out. I have verified the Default Domain Policy and Default Domain Controller Policy are set, and when I verify with the RSOP it says the policy is configured for 4 invalid logon attempts. Also checked the Local Security policy, but this should be overruled by the domain policy... I've checked the security log with Account Logon events audited and can find nothing abnormal... My theory is that when I'm logging in to the domain it is authenticating twice, but I'm not sure how I can verify this. Has anyone else experienced this issue or possibly know where I can verify which DCs are authenticating the logon? Thanks! Ryan
July 23rd, 2010 1:59am

Hi Ryan, Let us check on the client side first: Click Start, type CMD and press ENTER to open the command prompt, then type NET ACCOUNTS and press ENTER. In the resulting list you will see Lockout threshold; check whether the value is set correctly. To check the GPO result, type gpresult from the same command prompt. As this issue involves the GPO settings on the DC side, I recommend creating a new thread in the following forum: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/threads Your understanding is appreciated. Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 26th, 2010 12:42pm

The domain controller hosting the PDC Emulator FSMO role is the domain controller responsible for the authentication. This is a link that will explain to you how the PDC Emulator is responsible for the lockout of the account: http://www.windowsnetworking.com/articles_tutorials/Managing-Active-Directory-FSMO-Roles.html Go to your PDC Emulator and check the lockout settings. It may be an Active Directory replication problem. Best regards.
July 26th, 2010 3:15pm

Hi Ryan, Has this issue been resolved? I tried it in my lab and it worked as expected; badPwdCount increased only by 1 on each attempt. What's the output of running "net accounts" and "gpresult /r" on the affected machine?
July 27th, 2010 1:31am
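
One way to check the badPwdCount behaviour discussed in this thread on every domain controller, as an added example that is not part of any post above. It assumes PowerShell 3.0 or later, the ActiveDirectory module (RSAT), and DCs reachable through AD Web Services or the AD Management Gateway Service; the account name `testuser` and the helper `ConvertFrom-FileTimeAttr` are hypothetical.

```powershell
# Added example: compare per-DC bad-password state for one account.
# badPwdCount and badPasswordTime are kept per domain controller and are not
# replicated, so each DC has to be queried directly.
Import-Module ActiveDirectory

$sam = 'testuser'   # hypothetical account name; replace with the affected user

# Lockout threshold from the domain password policy as stored in AD
$threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

# FILETIME attributes are 0 or absent when never set; return $null in that case
function ConvertFrom-FileTimeAttr($value) {
    if ($value) { [DateTime]::FromFileTime($value) } else { $null }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime `
                -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            PdcEmulator     = $dc.OperationMasterRoles -contains 'PDCEmulator'
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = ConvertFrom-FileTimeAttr $u.badPasswordTime
            LockedOutAt     = ConvertFrom-FileTimeAttr $u.lockoutTime
            Threshold       = $threshold
        }
    } catch {
        # An unreachable DC should not hide the results from the others
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# Oldest to newest bad-password time shows which DC handled the last attempt
$report | Sort-Object LastBadPassword | Format-Table -AutoSize
```

Run it before and after a single deliberate bad-password attempt: a BadPwdCount that rises by more than 1 on one DC means that DC processed the attempt more than once, and the most recent LastBadPassword identifies the DC that handled the logon.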

This topic is archived. No further replies will be accepted.
