Account not locking out

  • Account not locking out

    We have created a policy called AccountPolicy and applied it to our TestOU which contains two user accounts and two workstations.
    We only have a single site, single domain organisation.

    The policy is applied to the TestOU only, not the entire domain. I've run Group Policy Modelling, which tells me the AccountPolicy is winning, and I've also run RSoP and checked Local Security Policy on the relevant workstation, where it shows the relevant security settings.

    Relevant configured options:
    Duration: 15 minutes
    Threshold: 5 invalid attempts
    Reset counter: 5 minutes.

    I've applied policy by force several times and confirmed it's applied the relevant settings; however, I cannot get the account to lock out.
    I can see that BadPwdCount has been increased to 6 using CSVDE on the relevant accounts, but it's just not locking it.
    Any ideas where we are going wrong?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: Account not locking out

    As far as I know you can only put account rules once.
    http://technet.microsoft.com/en-us/l.../cc748850.aspx


    • #3
      Re: Account not locking out

      Thanks.. I'll give that a bit of a look tomorrow.

      Immediately though.. it looks like I know where my problem might be.. it needs to be a policy applied at the top of the forest, and there needs to be only one..

      So I'll just WMI filter it to my test group.


      • #4
        Re: Account not locking out

        Originally posted by tehcamel:
        "so i'll just wmi filter it to my test group"

        No, this will fail!
        There can be only one password policy set per domain for the domain users.

        The GPO should be applied to the DCs in the domain, instead of the clients!
        It is recommended, however, to set the password policies as the Domain policy; this way it will be applied to the clients, also affecting the local user accounts that were created on the clients.

        \Rems
        Last edited by Rems; 20th April 2009, 15:31.

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts


        • #5
          Re: Account not locking out

          So no way I can test this on just a small group of users then... (i.e., only me)

          Well, I guess 7:30 is as good a time as any..
          I'll let you know soon how I went (or, if I've really screwed it.. it'll be a while :P)


          *edit*
          And that's much better. I had different settings in a number of different policy objects. They've all been disabled now, and my new one is taking priority.
          Of course, it's broken at least one account that I know of.. and I expect more screams once it goes live.. but Boss has agreed we can do it....
          Last edited by tehcamel; 20th April 2009, 22:54.


          • #6
            Re: Account not locking out

            Unless you are in a pure Server 2008 domain, lockout policies will only apply at the domain level (just like password policies), so anything applied to an OU will not work.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **


            • #7
              Re: Account not locking out

              I broke a bunch of accounts, it seems.. they all had non-strong passwords.. so it was forcing them all to change.

              And everyone was out of the office.. so Outlook was saying the password is incorrect etc..

              Got it ready to go now though, and it'll be going live very very soon..