Domain Account Being Unlocked

[Guest]

To Whom Can Help:

Here is the preliminary information:

Windows 2000 domain
Windows XP workstation

The situation is this.

The XP workstation was locked out of the domain account. No one had touch
it and it had showed up on the security logs as being locked out. When one
of the administrators went to check on the account in AD, the account appear
as unlocked. This is mysterious because the security logs does not show any
activity with regards to unlocking the account. Is it possible that a local
policy had overridden a domain group policy thereby unlocking the account?
Also, why wouldn't the unlocking activity not show up in the logs?

 

[Tim Hines [MSFT]]

Account lockout policies are only read from the domain level for domain
accounts so it is not possible for the local policy to affect the account
lockout settings. I'm assuming that you have configured the account lockout
duration to 0 since you don't think that the account should have unlocked
itself. Is that a correct assumptions? If the account lockout duration is
set for any value other than 0, the account will unlock itself after x
minutes. Maybe you should check this policy setting to make sure that it is
set to keep the account locked until unlocked by an admin. You should also
make sure that each DC is getting the policy. The default value is 30. You
can check each dc to see what the setting is by typing net accounts at a
command prompt.

I've never looked to see an unlock event after an account is unlocked so I'm
not completely sure if it appears. I'll have to test that out with an
account.

 

[Guest]

Thanks Tim!
--
Thank you for your help!
JYC

Account lockout policies are only read from the domain level for domain
accounts so it is not possible for the local policy to affect the account
lockout settings. I'm assuming that you have configured the account lockout
duration to 0 since you don't think that the account should have unlocked
itself. Is that a correct assumptions? If the account lockout duration is
set for any value other than 0, the account will unlock itself after x
minutes. Maybe you should check this policy setting to make sure that it is
set to keep the account locked until unlocked by an admin. You should also
make sure that each DC is getting the policy. The default value is 30. You
can check each dc to see what the setting is by typing net accounts at a
command prompt.

I've never looked to see an unlock event after an account is unlocked so I'm
not completely sure if it appears. I'll have to test that out with an
account.

 

[Tim Hines [MSFT]]

Did you get it fixed?

Thanks Tim!

 

[Guest]

I found out that there was a 24 hour lockout period in place for the security
policy after the account is locked out. I did not find out however if there
would be an indication given in the logs for the automatic unlock. It
doesn't appear to be. Is this by design? How hard would it be to find out?

 

[Joe Richards [MVP]]

It isn't done because there isn't any munge threads walking the DIT looking for
locked accounts to unlock. Basically what happens is that when a user tries to
logon, the system checks the lockouttime attribute and if it exceeds the lockout
policy the user is considered valid and allowed to log on. So there is no
"push" type automatic unlock, it is completely passive.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm