Wouter
I (or in fact, a customer of mine) have a Windows 2000 Active Directory
domain divided into multiple sites. In this domain, there is a Default
Domain Security Policy active with an Account Lockout Policy. All
servers are Windows 2000 Server SP4.
This policy is set to an Account Lockout threshold of 5. This means
that an account will be locked out after 5 consecutive wrong
passwords. After 30 minutes, it will be unlocked or if you do this
manually of course. The problem is, that I can't change this Lockout
threshold of 5. As far as I know, the only place I have to change this
is in the Default Domain Security Policy so I changed the Lockout
threshold to 999 but no effect. Can wait until Christmas (even after
commands like 'secedit /refreshpolicy machine_policy /enforce') but
somehow, it won't change.
When I check it with the command 'net accounts', I get the following
info. As you can see, the lockout threshold is 5, although I configured
it to 999.
Screenshot: http://www.jw-racing.nl/public/lockout.jpg
After that, I ran gpresult.exe and got the following info:
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Default Domain Controllers Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
I also checked (with gpedit.msc) the Local Group Policy and the
Default Domain Controllers Policy but they all aren't configured with
a Lockout Policy.
Then, I found this Knowledgebase article from Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
It says that this behaviour is either caused by Block Policy
Inheritance being enabled or if the password policy is not set in the
Default Domain policy. This however, is in both cases not the problem.
I don't have this Block Policy Inheritance option enabled and the
password policy IS set in my Default Domain Policy.
I'm clueless, who can help me out? Whatever I try, the account lockout
policy won't change.
Thanks a lot! If you need more info, do not hesitate to ask.
Regards,
Wouter Jorritsma
The Netherlands
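
Added example, not part of the original post: a small Python parser for gpresult.exe output in the layout quoted above. It lists the GPOs that delivered each settings category and reports which expected GPOs are absent from a category. The sample text is copied from the post; the function names and the choice of "Default Domain Policy" as the expected GPO are assumptions for illustration.

```python
import re

# Sample input: the gpresult.exe output quoted in the post above.
SAMPLE = '''\
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Default Domain Controllers Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
'''

# Section header as it appears in the quoted output.
HEADER = re.compile(r'^The computer received "([^"]+)" settings from these GPOs:$')


def parse_gpresult(text):
    """Map each settings category to the GPO names listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = sections.setdefault(match.group(1), [])
        elif not line or set(line) == {"="}:
            continue  # blank line or ===== separator
        elif current is not None:
            current.append(line)
    return sections


def missing_gpos(text, category, expected):
    """Return the expected GPO names that did not deliver `category` settings."""
    applied = {name.lower() for name in parse_gpresult(text).get(category, [])}
    return [name for name in expected if name.lower() not in applied]


if __name__ == "__main__":
    for category, gpos in parse_gpresult(SAMPLE).items():
        print(category, "->", ", ".join(gpos))
    # Hypothetical expectation: the GPO that holds the lockout policy.
    print("Missing from Security:",
          missing_gpos(SAMPLE, "Security", ["Default Domain Policy"]))
```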