Account lockout duration=30 minutes, however account remains locked indefinitely.

[Marlon Brown]

In Win2000SP4 root domain, Domain Security Policies I have
Account lockout duration=30 minutes
Account lockout threshold =15 invalid logon attempts
Reset account lockout counter after=30 minutes

However, when somebody gets locked out, it remains locked for several days
and account gets unlocked upon manual intervention.
I think that's the correct way anyway, otherwise somebody attempting to
discover a password would just keep trying if accounts got unlocked after 30
minutes.

However, what I don't understand is why even if the settings above are
enabled, accounts still remain locked after 30 minutes ? It seems settings
above don't work or is it my interpretation that is incorrect ?

 

[Oli Restorick [MVP]]

Where have you linked the policies? When setting these policies for the
domain, they are ignored unless they are linked at the domain level, such as
in the default domain policy.

If you apply the settings to an OU, then the policy will affect the account
policies for *local* accounts on any machines that may be located in the OU.

http://support.microsoft.com/default.aspx?scid=kb;en-us;259576

Hope this helps

Oli

 

[Steven L Umbach]

Try running net accounts on the domain controllers to see what they report
as the account lockout setting. The domain is the place to configure such a
setting. If you have more than one GPO in the domain container, the GPO at
the top of the list takes precedence and can therefore override Domain
Security Policy. The other thing that can happen is that if password/account
policy is changed while block inheritance is enabled on the domain
controllers container, the new policy will not apply. I would also verify
proper replication of Group Policies using the support tool gpotool which
will tell the sysvol and AD version of all GPO's on the domain controllers
it finds and report mismatches. --- Steve

 

[Marlon Brown]

Very interesting...
I did net accounts in my DC and it confirms:

Lockout duration (minutes):30
Lockout observation window(minutes):30

However, people still remains locked until I clear the setting manually.
Well, I guess it is a good thing that they remain locked until manual
intervention. I will see if I can troubleshoot this, but I will definitely
change the Lockout Duration (minutes)=99999

 

[Steven L Umbach]

You are not the first person to report this and I have never seen a
resolution to those that experienced such. Out of curiosity it might be
interesting to set both to twenty minutes to see if it makes a
ifference. --- Steve

 

[Rick Kingslan [MS MVP]]

Try the Account Lockout Toolset to troubleshoot these issues. You might
find that there is something very different from what you currently think is
going on.

Look here:
http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

--
Rick Kingslan CISSP, MCSE, MCSA, MCT
Microsoft MVP
Windows Server / Directory Services
Windows Security
Associate Expert
http://www.msmvps.com/willhack4food