account lockout duration in active directory


net_user


2000 active directory with exchange 2003

In my domain I have a password policy:

password policy -

enforce password history = 5 passwords remembered

maximum password age = 180 days

minimum password age = 1 day

passwords must meet complexity requirements = enabled

account lockout policy -

account lockout duration = 5 min

account lockout threshold = 5 invalid logon attempts

reset account lockout counter after = 5 min

If an account gets locked out, the "reset account lockout counter after = 5 min" doesn't work. I have to go in manually in AD and unlock the account.

Any clues?

1. Make sure that your lockout reset is 15 minutes or greater. We do sometimes see that when the lockout reset count is less than 10 minutes, issues can occur. It is Microsoft's suggested policy to set it to 15 minutes or greater.

2. Enable the following auditing options in the domain GPO (in default domain security policy of the child domain):

a. Account Logon Events - Failure

b. Account Management - Success

c. Logon Events - Failure

3. On all domain DCs, enable Kerberos event logging according to the following KB article. The DCs will ALL have to be restarted before this starts working properly, so schedule some downtime for each DC (they do not all have to be done at once).

262177: HOW TO: Enable Kerberos Event Logging

http://support.microsoft.com/?id=262177

4. Enable the netlogon log on all domain DCs by modifying the following registry entry:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

The detailed steps can be found in the following Knowledge Base article:

109626: Enabling Debug Logging for the Netlogon Service

http://support.microsoft.com/?id=109626

When the account lockout issue takes place, collect the following information for further problem investigation:

1. The account name that is locked out.

2. The security log (EVT format) of all computers that are involved with the client's lockout (the PDC, the authenticating domain controller, and the client computer that has the user session). To find out the authenticating domain controller, type "Set L" (without the quotation marks) at a command prompt on the client machine.

3. The netlogon.log files generated on the PDC and the authenticating domain controller.

Review that data and you should have a better idea of what is failing, and why.

Edited by cluberti
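The procedure above, enable diagnostics on every DC and then collect the lockout evidence, as one PowerShell script. This is an added example, not code posted in the thread. It assumes the ActiveDirectory RSAT module, Domain Admin rights, PowerShell remoting to the DCs, and Windows Server 2008 R2 or later, so the cmdlets and event IDs are the modern equivalents of the Windows 2000/2003 tools the thread refers to (4740 for the lockout event, which was 644 then; 4771 for 675; 4625 for 529). The account name, client name and output folder are placeholders. It also prints the domain's lockout settings and warns when the reset window is below the 15 minutes recommended in point 1.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original thread. Assumes the ActiveDirectory
# RSAT module, Domain Admin rights, PS remoting to the DCs and Server 2008 R2+.
# $Account, $Client and $OutDir are placeholders.
param(
    [string]$Account = 'jdoe',                      # placeholder: locked-out account
    [string]$Client  = 'WKSTN01',                   # placeholder: PC with the user session
    [string]$OutDir  = "$env:TEMP\lockout-$Account",
    [switch]$EnableLogging                          # step 1: turn diagnostics on
)
$ErrorActionPreference = 'Stop'
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = (Get-ADDomainController -Filter *).HostName

# --- Lockout policy check (point 1 of the reply) ---------------------------------
$pol = Get-ADDefaultDomainPasswordPolicy -Server $pdc
$pol | Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow
if ($pol.LockoutObservationWindow -lt [TimeSpan]::FromMinutes(15)) {
    Write-Warning "Reset counter window is $($pol.LockoutObservationWindow); 15 minutes or more is recommended."
}

# --- Step 1: enable diagnostics on every DC --------------------------------------
if ($EnableLogging) {
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        # The three audit categories from point 2. auditpol sets them locally; a
        # domain GPO setting, as the reply recommends, takes precedence over these.
        auditpol /set /category:"Account Logon"      /failure:enable | Out-Null
        auditpol /set /category:"Account Management" /success:enable | Out-Null
        auditpol /set /category:"Logon/Logoff"       /failure:enable | Out-Null

        # Kerberos event logging (KB 262177): LogLevel = 1 under the Kerberos key.
        $krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        New-Item -Path $krb -Force | Out-Null
        Set-ItemProperty -Path $krb -Name LogLevel -Value 1 -Type DWord

        # Netlogon debug logging (KB 109626): nltest writes the DBFlag value under
        # HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and activates it
        # without restarting Netlogon. Output goes to %windir%\debug\netlogon.log.
        nltest /dbflag:0x2080FFFF | Out-Null
        "$env:COMPUTERNAME: logging enabled"
    }
    return
}

# --- Step 2: collect evidence for a lockout that has already happened -------------
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Account state as seen by the PDC emulator, which receives every bad-password
# retry and logs the lockout itself. lockoutTime is a FILETIME; the account unlocks
# on its own only once lockoutTime + LockoutDuration has passed.
$u = Get-ADUser $Account -Server $pdc -Properties LockedOut, badPwdCount, lockoutTime
$lockedAt = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) }
$unlockAt = if ($lockedAt) { $lockedAt + $pol.LockoutDuration }
[pscustomobject]@{
    Account      = $u.SamAccountName
    LockedOut    = $u.LockedOut
    BadPwdCount  = $u.badPwdCount
    LockedAt     = $lockedAt
    AutoUnlockAt = $unlockAt
} | Format-List

# Authenticating DC for the client session: the same value the reply's "Set L" shows.
$authDc = (Invoke-Command -ComputerName $Client -ScriptBlock { $env:LOGONSERVER }).TrimStart('\')
"Authenticating DC for $Client is $authDc"

# Lockout event on the PDC (4740; legacy 644). Properties[0] is TargetUserName and
# the 'Caller Computer Name' line names the machine that sent the bad passwords.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Properties[0].Value -eq $u.SamAccountName }
foreach ($e in $lockouts) {
    $caller = ($e.Message -split "`r?`n" | Select-String 'Caller Computer Name').Line.Trim()
    "$($e.TimeCreated) on ${pdc}: $caller"
}

# Failed-logon detail from the PDC and the authenticating DC: 4771 Kerberos
# pre-auth failed (legacy 675), 4776 NTLM validation (legacy 680/681), 4625 logon
# failure (legacy 529). Saved as CSV; an EVTX export would use wevtutil epl instead.
foreach ($dc in @($pdc, $authDc) | Sort-Object -Unique) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = (Get-Date).AddDays(-1) } |
        Where-Object { $_.Message -match [regex]::Escape($u.SamAccountName) } |
        Select-Object TimeCreated, Id, MachineName, Message |
        Export-Csv -Path (Join-Path $OutDir "$dc-security.csv") -NoTypeInformation

    # netlogon.log from each DC (item 3 of the collection list) via the admin share.
    Copy-Item "\\$dc\admin$\debug\netlogon.log" (Join-Path $OutDir "$dc-netlogon.log") -ErrorAction SilentlyContinue
}
"Evidence written to $OutDir"
```

Run it once with `-EnableLogging` before the next lockout, then without the switch after one occurs. The 4740 event's Caller Computer Name is usually the whole answer (a stale mapped drive, scheduled task or cached credential on that machine); the CSVs and netlogon.log files are what the reply asks you to review when it is not.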
