Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Account Lockout Threshold change - Not taking effect [message #161034] Mon, 14 September 2009 02:22
sekhar
We have a mix of Windows 2003 and 2000 DCs. The Account lockout threshold was
initially set for 3. We later changed it to 5. Now the account is getting
locked in 3 attempts and not in 5. It has replicated to all the DCs. In the DC
it is showing as 5, but it is still locking at 3. When I ran the RSOP on the
computer it shows as 5, when I ran the "Net Account" it shows as 5. But, it
always locks at 3 attempts. Change done 3 days back. Any thoughts on this?
Should I reboot the DCs?
Re: Account Lockout Threshold change - Not taking effect [message #161035 is a reply to message #161034] Mon, 14 September 2009 02:35
meiweb (Germany)
Hello sekhar,

Where did you configure the policy, on domain level in Default domain policy
or equivalent?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Account Lockout Threshold change - Not taking effect [message #161036 is a reply to message #161035] Mon, 14 September 2009 02:55
sekhar
Default domain Policy level. We have another policy set in different OU for 3
attempts. That is not applied for all users.
Re: Account Lockout Threshold change - Not taking effect [message #161037 is a reply to message #161036] Mon, 14 September 2009 03:06
meiweb (Germany)
Hello sekhar,

Account lockout and password policy must be configured on domain level with
OS version earlier than 2008. On OU they will not work for domain machines.

Please run gpresult /v or rsop.msc on the client to see which settings are
displayed.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Account Lockout Threshold change - Not taking effect [message #161043 is a reply to message #161037] Mon, 14 September 2009 04:11
sekhar
Hi Meinolf,

I ran the gpresult /v. The default domain policy is getting applied.

Policy: LockoutBadCount
Computer Setting: 5

However, it still locks at 3 attempts.
Re: Account Lockout Threshold change - Not taking effect [message #161046 is a reply to message #161043] Mon, 14 September 2009 05:29
florian (Switzerland)
Howdie!

sekhar wrote:
> I ran the gpresult /v. The default domain policy is getting applied.
>
> Policy: LockoutBadCount
> Computer Setting: 5
>
> However, it still locks at 3 attempts.

Is there another Group Policy linked to the domain level that configures
that setting? If there's another policy that is listed higher than the
default domain policy, it dictates that setting.

Cheers,
Florian
Re: Account Lockout Threshold change - Not taking effect [message #161050 is a reply to message #161046] Mon, 14 September 2009 06:49
sekhar
Hi Florian,

Yes, we do have another policy for 3 attempts. However, in "Net Accounts" or
the "RSOP" it shows 5, and not 5.
Re: Account Lockout Threshold change - Not taking effect [message #161052 is a reply to message #161050] Mon, 14 September 2009 07:41
florian (Switzerland)
Howdie!

sekhar wrote:
> Yes, we do have another policy for 3 attempts. However, in "Net Accounts" or
> the "RSOP" it shows 5, and not 5.

Both programs display the local password policy that applies to _local_
user accounts when logging on. You want, however, the policy for
domain accounts that log on to the domain.

I'd check this in a practical test and have a test user use a wrong
password for three times and see what happens.

Technically, if there are multiple policies at the domain level and more
than one of them configure password policy settings, the policy that is
listed at the top of the list of policies shown in GPMC "wins".

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Account Lockout Threshold change - Not taking effect [message #161053 is a reply to message #161052] Mon, 14 September 2009 08:02
sekhar
Hi,

Yes, we tested. The account gets locked at 3 attempts, and not 5. The
correct default domain policy is getting applied, and it shows 5 attempts. But
still no luck....
Re: Account Lockout Threshold change - Not taking effect [message #161054 is a reply to message #161053] Mon, 14 September 2009 08:34
aceman (United States)
"sekhar" <sekhar@discussions.microsoft.com> wrote in message
news:3688E5DD-FC3A-46BF-928C-B1498ED8978E@microsoft.com...
> Hi,
>
> Yes, we tested. The account gets locked at 3 attempts, and not 5. The
> correct default domain policy is getting applied, and it shows 5 attempts.
> But still no luck....


Have you tried unlinking the additional GPO you've created at the Domain
level, and making sure the Default Domain Policy is set to 5 attempts, and
try again? If that works, that tells you it is pulling it from the default
domain. If you want to create an additional GPO with password control, you
will have to remove the settings in the Default Domain Policy and not change
the order of the GPOs at the domain level, since we would want the default
GPO to run first.

If that doesn't work, then there is something else going on, such as
possible AD-client communications issues. I am assuming that none of the
machines (DC and clients) are using an external DNS server (such as the
ISP), and the DC is not multihomed (more than one NIC and/or IP address).

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Account Lockout Threshold change - Not taking effect [message #161057 is a reply to message #161054] Mon, 14 September 2009 08:49
sekhar
Hi Ace,

The other policy is linked at the domain level. It is at the lower OU level.
I even changed the settings to 5 attempts. But still it locks at 3 attempts.
Not sure from where it pulls the count of 3.
Re: Account Lockout Threshold change - Not taking effect [message #161058 is a reply to message #161057] Mon, 14 September 2009 09:13
florian (Switzerland)
Howdie!

sekhar wrote:
> The other policy is linked at the domain level. It is at the lower OU level.
> I even changed the settings to 5 attempts. But still it locks at 3 attempts.
> Not sure from where it pulls the count of 3.

What kind of account are you testing? Is that a domain account or a
local user account?

Florian
Re: Account Lockout Threshold change - Not taking effect [message #161060 is a reply to message #161058] Mon, 14 September 2009 09:31
sekhar
Local account locks at 5 attempts.
Domain account locks at 3 attempts.

Domain Policy is set for 5 attempts.
Re: Account Lockout Threshold change - Not taking effect [message #161064 is a reply to message #161057] Mon, 14 September 2009 10:29
aceman (United States)
"sekhar" <sekhar@discussions.microsoft.com> wrote in message
news:EE341FDE-2DEC-474D-8178-6C6FA2F21C20@microsoft.com...

Hi Sekhar,

Maybe I may not be understanding what you are saying. Are you saying the GPO
with the 5 attempts setting is not linked at the domain level, but rather it
is linked on an OU somewhere, such as where the Users OU is?

If it is on an OU, the password setting does not work. It only works if
linked at the domain level, nowhere else. If it is 2008, there is a
provision to make it work, but not with 2003 or older.

Ace





Re: Account Lockout Threshold change - Not taking effect [message #161066 is a reply to message #161064] Mon, 14 September 2009 10:39
sekhar
Hi Ace,

The GPO (Default Domain Policy) that has the account lockout setting of 5 is
linked to the domain. The old setting was 3, and the new setting now is 5.

The other policy that was set at the OU level had the account lockout
setting of 3, now it has been changed to 5. This is not linked at the domain
level.

The account (Domain Account) is still getting locked at 3 attempts.
Re: Account Lockout Threshold change - Not taking effect [message #161067 is a reply to message #161066] Mon, 14 September 2009 10:43
meiweb (Germany)
Hello sekhar,

Check your network according to:
http://support.microsoft.com/kb/962007

Conficker will also affect the account lockout policy.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Account Lockout Threshold change - Not taking effect [message #161071 is a reply to message #161066] Mon, 14 September 2009 14:46
aceman (United States)
"sekhar" <sekhar@discussions.microsoft.com> wrote in message
news:FD4E7811-B67D-494C-8BB3-A2AB21AE7DC4@microsoft.com...

Hi Sekhar,

So you are saying there is a GPO at the OU level with password settings.
Just to reiterate, as Florian said, and as I mentioned in my previous post,
password settings anywhere other than at the domain level on 2000 and 2003
do not work. So you might as well remove those settings at the OU level.
Password policies on these operating systems only work at the domain level.

Ace


Re: Account Lockout Threshold change - Not taking effect [message #161080 is a reply to message #161071] Tue, 15 September 2009 05:47
sekhar
We found the fix. The setting was hardcoded at the domain level. Changed it
through ADSIedit. Thank you all anyway.

"Ace Fekay [MCT]" wrote:

> "sekhar" <sekhar@discussions.microsoft.com> wrote in message
> news:FD4E7811-B67D-494C-8BB3-A2AB21AE7DC4@microsoft.com...
>
> Hi Sekhar,
>
> So you are saying there is a GPO at the OU level with password settings.
> Just to reiterate, as Florian said, and as I mentioned in my previous post,
> password settings anywhere other than at the domain level on 2000 and 2003
> do not work. So you might as well as remove those settings at the OU level.
> Password policies on these operating systems only work at the domain level.
>
> Ace
>
>
> > Hi Ace,
> >
> > The GPO (Default Domain Policy) that has the account lockout setting of 5
> > is
> > linked to the domain. The old setting was 3, and the new setting now is 5.
> >
> > The other policy that was set at the OU level had the account lockout
> > setting of 3, now it has been changed to 5. This is not linked at the
> > domain
> > level.
> >
> > The accout (Domain Account) is still getting locked at 3 attempts.
> >
> > "Ace Fekay [MCT]" wrote:
> >
> >> "sekhar" <sekhar@discussions.microsoft.com> wrote in message
> >> news:EE341FDE-2DEC-474D-8178-6C6FA2F21C20@microsoft.com...
> >>
> >> Hi Sekhar,
> >>
> >> Maybe I may not be understanding what you are saying. Are you saying the
> >> GPO with the 5 attempts setting is not linked at the domain level, but
> >> rather it is linked on an OU somewhere, such as where the Users OU is?
> >>
> >> If it is on an OU, the password setting does not work. It only works if
> >> linked at the domain level, nowhere else. If it is 2008, there is a
> >> provision to make it work, but not with 2003 or older.
> >>
> >> Ace
> >>
> >>
> >>
> >>
> >>
> >> > Hi Ace,
> >> >
> >> > The other policy is linked at the domain level. It is at the lower OU
> >> > level. I even changed the settings to 5 attempts. But still it locks at
> >> > 3 attempts. Not sure from where it pulls the count of 3.
> >> >
> >> > "Ace Fekay [MCT]" wrote:
> >> >
> >> >> "sekhar" <sekhar@discussions.microsoft.com> wrote in message
> >> >> news:3688E5DD-FC3A-46BF-928C-B1498ED8978E@microsoft.com...
> >> >> > Hi,
> >> >> >
> >> >> > Yes, we tested. The account gets locked at 3 attempts, and not 5. The
> >> >> > correct default domain policy is getting applied, and it shows 5
> >> >> > attempts. But still no luck....
> >> >>
> >> >>
> >> >> Have you tried unlinking the additional GPO you've created at the Domain
> >> >> level, and making sure the Default Domain Policy is set to 5 attempts,
> >> >> and try again? If that works, that tells you it is pulling it from the
> >> >> default domain. If you want to create an additional GPO with password
> >> >> control, you will have to remove the settings in the Default Domain
> >> >> Policy and not change the order of the GPOs at the domain level, since
> >> >> we would want the default GPO to run first.
> >> >>
> >> >> If that doesn't work, then there is something else going on, such as
> >> >> possible AD-client communications issues. I am assuming that none of the
> >> >> machines (DC and clients) are using an external DNS server (such as the
> >> >> ISP), and the DC is not multihomed (more than one NIC and/or IP address).
> >> >>
> >> >> --
> >> >> Ace
Re: Account Lockout Threshold change - Not taking effect [message #161081 is a reply to message #161080] Tue, 15 September 2009 05:57
meiweb
Hello sekhar,

Nice to hear. Can you explain in more detail how it was "hardcoded"?

Best regards

Meinolf Weber

> We found the fix. The setting was hardcoded at the domain level.
> Changed it through ADSIedit. Thank you all anyway.
Re: Account Lockout Threshold change - Not taking effect [message #161083 is a reply to message #161080] Tue, 15 September 2009 06:01
meiweb
Hello sekhar,

Do you mean the lockoutThreshold attribute on the domain context?

Best regards

Meinolf Weber

> We found the fix. The setting was hardcoded at the domain level.
> Changed it through ADSIedit. Thank you all anyway.
Re: Account Lockout Threshold change - Not taking effect [message #161086 is a reply to message #161080] Tue, 15 September 2009 07:36
aceman
"sekhar" <sekhar@discussions.microsoft.com> wrote in message
news:E22214BB-06E0-42D1-B771-7DBEC9813D4A@microsoft.com...
> We found the fix. The setting was hardcoded at the domain level. Changed it
> through ADSIedit. Thank you all anyway.
>


I'm very happy you found the problem. I would also be interested in knowing
which attribute you changed using ADSIEdit.

Thanks!

Ace
Re: Account Lockout Threshold change - Not taking effect [message #161091 is a reply to message #161086] Tue, 15 September 2009 10:01
sekhar
Yes, it is the "lockoutThreshold" value.
Re: Account Lockout Threshold change - Not taking effect [message #161092 is a reply to message #161091] Tue, 15 September 2009 10:14
aceman
"sekhar" <sekhar@discussions.microsoft.com> wrote in message
news:48C33563-99DA-4B56-8D7E-2465B4FEC0F4@microsoft.com...
> Yes, it is the "lockoutThreshold" value.
>

Thank you!

Curious, was that previously changed using ADSIEdit? Normally the GPO would
control this, unless it was changed using ADSIEdit.

Ace
Re: Account Lockout Threshold change - Not taking effect [message #161098 is a reply to message #161092] Tue, 15 September 2009 23:53
sekhar
Not sure, we took over from a different support vendor. There are chances they
might have changed it.
Re: Account Lockout Threshold change - Not taking effect [message #161115 is a reply to message #161098] Wed, 16 September 2009 09:14
aceman
"sekhar" <sekhar@discussions.microsoft.com> wrote in message
news:03AD64B4-EBCA-4A29-8715-0F296CF3E319@microsoft.com...
> Not sure, we took over from a different support vendor. There are chances
> they might have changed it.


I can understand taking over someone else's implementation. Glad you found
it!

Cheers!

Ace
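
The thread's resolution was a mismatch between what the GPO reported and the `lockoutThreshold` attribute on the domain object. The PowerShell below is an added example, not part of any post in the thread, that compares the two on every DC. It assumes a domain-joined machine, read access to SYSVOL, and that the lockout setting is defined in the Default Domain Policy; the function name `Get-GpoLockoutBadCount` is hypothetical.

```powershell
# Added example (not from the thread). Read-only: changes nothing in AD or SYSVOL.
# Assumption: the lockout setting is defined in the Default Domain Policy,
# whose GUID is the same in every domain.
$ddpGuid  = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

function Get-GpoLockoutBadCount {
    param([string]$InfPath)
    # GptTmpl.inf stores the threshold as "LockoutBadCount = <n>" under [System Access].
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\s*LockoutBadCount\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # setting is not defined in this GPO
}

$inf = "\\$($domain.Name)\SYSVOL\$($domain.Name)\Policies\$ddpGuid" +
       '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$gpoValue = Get-GpoLockoutBadCount -InfPath $inf

# Ask each DC for its own copy of the attribute on the domain head object.
$report = foreach ($dc in $domain.DomainControllers) {
    $value = $null
    $err   = $null
    try {
        $head  = [ADSI]"LDAP://$($dc.Name)/$domainDN"
        $value = [int]$head.Properties['lockoutThreshold'].Value
    } catch {
        $err = $_.Exception.Message   # DC unreachable or bind failed
    }
    [pscustomobject]@{
        DC             = $dc.Name
        IsPdcEmulator  = ($dc.Name -eq $domain.PdcRoleOwner.Name)
        DirectoryValue = $value
        GpoValue       = $gpoValue
        Mismatch       = ($null -ne $value -and $null -ne $gpoValue -and $value -ne $gpoValue)
        Error          = $err
    }
}

$report | Format-Table -AutoSize
```

A row with `Mismatch` set to `True` is the condition described in this thread: the policy file says one value while the directory attribute that is actually enforced holds another.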