TechRepublic|Forums|Networks

Networks

Question

  • Creator
    Topic
  • January 22, 2008 at 9:03 pm #2240780

    Account lockout Policy is not working

    Locked

    by ghaeedansiyamack · about 17 years, 2 months ago

    Hello,

    I have a windows 2003 server with AD managing about 150 users. I have set up 3 user OUs and 4 computer OUs. Under computer OU I have linked a GPO and in the GPO under Computer Configuration\windows settings\security settings\account policies\account lockout policy I have set the settings as follows:

    Account Lockout Duration: 30min
    Account Lockout Threshold: 3 invalid attempts
    Reset Account lockout counter after: 30min

    I have forced the policy and rebooted a few machines. I have created a test account and logged in with an incorrect password more than 3 times to a machine that is in the computer OU, but the test account never locks and the computer never prompts me that the account has been locked out. All other policies that are set in this GPO are applying, but the Account Lockout policy does not work. Can anyone please help with this issue?

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Answers

  • Author
    Replies
    • January 22, 2008 at 9:03 pm #2666232

      Clarifications

      by ghaeedansiyamack · about 17 years, 2 months ago

      In reply to Account lockout Policy is not working

      Clarifications

    • January 23, 2008 at 1:25 am #2666192

      Methinks

      by tintoman · about 17 years, 2 months ago

      In reply to Account lockout Policy is not working

      That policy seems to apply to the local machine, therefore if you try to log on to the local machine rather than your domain my guess is that the lockout will work.
      You will have to apply the lockout policy to the user accounts I would think

    • January 23, 2008 at 2:41 am #2666168

      Apply to domain

      by ashij · about 17 years, 2 months ago

      In reply to Account lockout Policy is not working

      Hi! There,

      you have to apply the policy to the top level (Domain)

      E.g.

      yourdomain.com (This is where it should be)
      |
      |-ComputerOU1 (This is where you have the GPO)
      |- …
      |-ComputerOU4
      |- …
      |-OU4

      Also, if you want this policy to be applied only to a certain group, then you have to apply it to the User’s OU.

      Hope this works for you.

      AJ

      (edit: add extra words)

      • January 23, 2008 at 11:07 pm #2665615

        Worked like a charm

        by ghaeedansiyamack · about 17 years, 2 months ago

        In reply to Apply to domain

        Ladies and Gens,

        You guys are AWESOME. Applying the computer GPO from the computer OU to the user?s OUs made the Account Lockout policy worked like a charm.
        I just hope that the computer GPO I have linked to the user?s OU does not conflict with the original user OU policy I had set in the past.

        • January 24, 2008 at 1:59 pm #2665175

          to see the resultant policy

          by ashij · about 17 years, 2 months ago

          In reply to Worked like a charm

          The best thing to make sure that every one of the policies works fine, is to see what the resultant policy looks like. You can use the Group Policy Management console to do this. (Available from Microsoft)

          AJ

  • Author
    Replies
Viewing 2 reply threads