Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Account lock out threshold [message #404039] Wed, 03 March 2010 09:56
Sawyer (United States)
Hello all

I am running in a native 2003 DFL and FFL, all DCs are DNS servers and are
also all running Windows 2008 SP1. We have 4 AD sites and there are two DCs in
each site. We recently implemented an account lockout policy for the domain,
and we set the threshold so that 5 failed logon attempts would lock the account
out. We noticed that a lot of accounts were getting locked out, more than
would appear to be normal. On average we would see roughly 10 user accounts
getting locked out per day; we have roughly 600 users. This to me sounds
high. As a test I raised the account lockout threshold from 5 to 10, and
after making this change we noticed far fewer accounts getting locked out,
on average we saw 3 as compared to 10 when the threshold was set to 5.

What I am trying to figure out is: do we really have that many users who can't
type in their password correctly, or is there something wrong in AD that is
causing the accounts to be locked? My theory is that if there was a problem in AD
(say AD replication occurring too slowly) or AD just wasn't accepting the
users' passwords, then it wouldn't make a difference raising the account
lockout threshold from 5 to 10, and we would have seen the same number of
accounts getting locked out. Does this sound correct? Again, raising the
threshold from 5 to 10 makes a noticeable difference in the number of user
accounts getting locked out.

Thanks
Re: Account lock out threshold [message #404092 is a reply to message #404039] Wed, 03 March 2010 10:57
meiweb (Germany)
Hello Sawyer,

I don't know what you see as "normal". But even if I sometimes think I am
an experienced user :-), I sometimes need multiple attempts to type the correct
password and have also locked myself out.

And we have one network where the threshold is set to 3; there we have some
users locking themselves out every day. 3-5 is seen by Microsoft as too low:
"Administrators often set this value too low (3 through 5), which causes
a large number of account lockouts because of user error, program caching
by service accounts, or issues with networking clients."

Well, when the threshold is set to 10 and users are still being locked out, maybe
somebody is trying to log on with another user's account to see if it is possible
to hack the password?

Were the users informed about the new/changed policy before you made the change?

The change to the account lockout policy will be replicated immediately
within the SAME site with the so-called "urgent replication":
Urgent replication ensures that critical directory changes are immediately
replicated, including account lockouts, changes in the account lockout policy,
changes in the domain password policy, and changes to the password on a domain
controller account. With urgent replication, an update notification is sent
out immediately, regardless of the notification delay. This design allows
other domain controllers to immediately request and receive the critical
updates.

Urgent replication doesn't run by default to other sites; this has to be
enabled manually by enabling change notifications, so that the remote sites get
them as well.

Also see:
http://technet.microsoft.com/en-us/library/cc775412(WS.10).aspx
Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Account lock out threshold [message #404101 is a reply to message #404039] Wed, 03 March 2010 11:03
Jorge Silva
Hi
That sounds familiar from many other experiences :)
You should not go beyond 10...

Be cautious when defining account lockout policy.
Account lockout policy should not be applied haphazardly. While you increase
the probability of thwarting an unauthorized attack on your organization
with account lockout policy, you can also unintentionally lock out
authorized users, which can be quite costly for your organization.

If you decide to apply account lockout policy, set the Account lockout
threshold policy setting to a high enough number that authorized users are
not locked out of their user accounts simply because they mistype a
password.

Authorized users can be locked out if they change their passwords on one
computer, but not on another computer. The computer that is still using the
old password will continuously attempt to authenticate the user with the
wrong password, and it will eventually lock out the user account. This might
be a costly consequence of defining account lockout policy, because the
authorized users cannot access network resources until their accounts are
restored. This issue does not exist for organizations that only use domain
controllers that are running Windows Server 2003 family operating systems.

http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




Re: Account lock out threshold [message #404134 is a reply to message #404092] Wed, 03 March 2010 11:30
Sawyer (United States)
Thanks for the post. The link that you provided, does that also apply when all
DCs are running Windows 2008?

Re: Account lock out threshold [message #404147 is a reply to message #404134] Wed, 03 March 2010 12:05
meiweb (Germany)
Hello Sawyer,

There is no change, as far as I know, between Windows Server 2003 and Windows
Server 2008 or higher.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Account lock out threshold [message #404164 is a reply to message #404134] Wed, 03 March 2010 12:20
aceman (United States)


Are any of those accounts being used elsewhere, such as for a service, or even if you have IIS with FTP running?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
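Meinolf's suspicion that someone may be probing accounts, Jorge's point about a machine still holding an old password, and Ace's question about service or IIS/FTP use all come down to the same check: which computer are the bad passwords coming from? The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is available (which needs a Windows Server 2008 R2 DC or the Active Directory Management Gateway Service on a Windows Server 2008 DC) and that the account running it can read the Security log on the PDC emulator, where every lockout in the domain is recorded as Event ID 4740.

```powershell
# Added example, not from the thread. Assumptions: RSAT ActiveDirectory module
# installed; the caller can read the Security log on the PDC emulator.
# Bad-password attempts are forwarded to the PDC emulator, which processes the
# lockout and logs Event ID 4740, so one DC holds the whole domain's lockouts.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

# Show the policy that produced the lockouts: threshold, observation window
# (how long the bad-password counter lives) and lockout duration.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# Pull the last 7 days of 4740 events from the PDC emulator.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
}

# Each 4740 carries the locked account (TargetUserName) and, despite the
# field name, the machine the bad passwords came from (TargetDomainName).
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
    }
}

# One account locked repeatedly from the same machine points at a cached
# stale password (service, scheduled task, mapped drive, IIS/FTP), not typos.
$lockouts |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';        e = { $_.Group[0].Account } },
        @{ n = 'CallerComputer'; e = { $_.Group[0].CallerComputer } },
        @{ n = 'LastSeen';       e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run it from a management workstation as a domain admin. An account that shows up again and again from a single CallerComputer is almost always a stale credential on that machine, which is the situation Jorge describes; the same account appearing from many machines, or many different accounts from one machine, is the pattern Meinolf is worried about, and the DCs' 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) events for those accounts are the next place to look. Raising the threshold, as in Sawyer's test, hides the first pattern without removing its cause.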