Password lockout policy not effective

Otis

We have two domains. One Windows NT and the other 2K AD.
We have placed one Exchange 2000 Server in the AD domain.

All users access their e-mail via Outlook 2002. Each user
logs onto the network in the NT domain, but provides
credentials to access their email in the AD domain.

Everything works great. However, if any user types their
password wrong once, their AD account is locked out, even
though my lockout policy is set for 3 invalid attempts
before anyone is locked out. Upon further examination,
audit logs show multiple logon attempts within a time span
of 2 - 3 seconds.

This is a real headache for me. Any help will be greatly
appreciated.
 
Otis,

Set your Account Lockout threshold to a higher number than
the default. I recommend 10-15. Outlook is notorious for
using multiple authentication methods in a very short time
(seconds). If the wrong password is cached, it explains
your behaviour. Also make sure your DCs and clients are
at least SP3. I have included a webcast from Joe Vasil at
Microsoft that goes over Acct Lockout scenarios and why
the higher threshold is not considered a security risk
(assuming you are using strong passwords ;))

Craig

http://support.microsoft.com/servicedesks/webcasts/en/wc022703/WC022703.ppt

http://support.microsoft.com/default.aspx?scid=kb;en-us;276541

http://support.microsoft.com/default.aspx?scid=kb;EN-US;267879
 
3 is way too small for a lockout policy. MS software will try multiple methods to authenticate a user even if the user
only types the password once. I would recommend 15 or higher.
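The advice in both replies, as an added example that is not part of the thread: a PowerShell script that shows the domain's effective lockout threshold and then groups bad-password failures into short bursts per account, so you can see how many failures one mistyped password really generates before deciding how high the threshold needs to be. It assumes a current domain controller or RSAT host with the ActiveDirectory module and PowerShell 5.1 or later; the thread itself is about NT 4 and Windows 2000, where you would read the threshold with `net accounts` and the NT event log instead. The function names, the constructed sample records (user names, workstation, timestamps) and the 10-attempt value in the commented `Set-` line are mine, not from the posts.

```powershell
# Added example, not code from the thread. Assumes a DC or RSAT host with the
# ActiveDirectory module and PowerShell 5.1+; event field names follow the
# Security log event 4625 (failed logon) schema.

# --- 1. Effective lockout settings of the domain ---------------------------
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
    # Raise the threshold as the replies suggest (uncomment to apply):
    # Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -LockoutThreshold 10
}

# --- 2. Flatten a 4625 event record into the fields we need ----------------
function ConvertFrom-FailedLogon {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            AuthPackage = $data['AuthenticationPackageName']
            LogonType   = $data['LogonType']
            SubStatus   = $data['SubStatus']      # 0xC000006A = wrong password
        }
    }
}

# --- 3. Cluster bad-password failures per user into bursts -----------------
# Consecutive failures for the same account less than $GapSeconds apart form
# one burst; bursts with at least $MinCount failures are reported.
function Find-BadPasswordBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [double] $GapSeconds = 3,
        [int]    $MinCount   = 2
    )
    $emit = {
        param($c)
        [pscustomobject]@{
            User         = $c[0].User
            Failures     = $c.Count
            SpanSeconds  = [math]::Round(($c[-1].TimeCreated - $c[0].TimeCreated).TotalSeconds, 1)
            AuthPackages = (@($c.AuthPackage) | Sort-Object -Unique) -join ','
            Workstations = (@($c.Workstation) | Sort-Object -Unique) -join ','
        }
    }
    $Records |
        Where-Object { $_.SubStatus -eq '0xC000006A' } |   # only wrong-password failures
        Group-Object User |
        ForEach-Object {
            $cluster = @()
            foreach ($r in ($_.Group | Sort-Object TimeCreated)) {
                if ($cluster.Count -gt 0 -and
                    ($r.TimeCreated - $cluster[-1].TimeCreated).TotalSeconds -gt $GapSeconds) {
                    if ($cluster.Count -ge $MinCount) { & $emit $cluster }
                    $cluster = @()
                }
                $cluster += $r
            }
            if ($cluster.Count -ge $MinCount) { & $emit $cluster }
        }
}

# --- 4. Constructed sample records (not real log data) ---------------------
# One mistyped Outlook password surfacing as three failures in under two
# seconds via two authentication packages, plus one isolated failure and one
# unrelated "unknown user" failure (0xC0000064) that must not count.
$t0 = [datetime]'2003-02-27T09:15:00'
$sample = @(
    [pscustomobject]@{ TimeCreated=$t0;                 User='otis';   Workstation='WS01'; AuthPackage='Kerberos'; LogonType='3'; SubStatus='0xC000006A' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(0.8); User='otis';   Workstation='WS01'; AuthPackage='NTLM';     LogonType='3'; SubStatus='0xC000006A' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(1.9); User='otis';   Workstation='WS01'; AuthPackage='NTLM';     LogonType='3'; SubStatus='0xC000006A' }
    [pscustomobject]@{ TimeCreated=$t0.AddMinutes(20);  User='otis';   Workstation='WS01'; AuthPackage='NTLM';     LogonType='3'; SubStatus='0xC000006A' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(5);   User='nobody'; Workstation='WS02'; AuthPackage='NTLM';     LogonType='3'; SubStatus='0xC0000064' }
)
Find-BadPasswordBursts -Records $sample | Format-Table -AutoSize

# Against a live Security log, run on the server where the logon is attempted
# (here the Exchange server; a DC records the same failures as 4771/4776):
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) } |
#     ConvertFrom-FailedLogon | Find-BadPasswordBursts | Format-Table -AutoSize
```

The sample is built so that the three rapid failures for `otis` collapse into a single burst while the isolated failure twenty minutes later and the unknown-user failure are left out; the `AuthPackages` column is what shows the "multiple authentication methods" pattern Craig describes. If your real data shows bursts whose `Failures` count is routinely at or above the configured `LockoutThreshold`, a single typo will lock the account, which is the behaviour Otis reports; compare the burst sizes you observe against the threshold before settling on a new value.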
 