net_user Posted February 27, 2006

Windows 2000 Active Directory with Exchange 2003.

In my domain I have a password policy:

Password policy
- Enforce password history = 5 passwords remembered
- Maximum password age = 180 days
- Minimum password age = 1 day
- Passwords must meet complexity requirements = enabled

Account lockout policy
- Account lockout duration = 5 min
- Account lockout threshold = 5 invalid logon attempts
- Reset account lockout counter after = 5 min

If an account gets locked out, the "reset account lockout counter after = 5 min" doesn't work. I have to go into AD manually and unlock the account. Any clues?
cluberti Posted February 27, 2006 (edited)

1. Make sure that your lockout reset is 15 minutes or greater. We do sometimes see that when the lockout reset count is less than 10, issues can occur. It is Microsoft's suggested policy to set it to 15 minutes or greater.

2. Enable the following auditing options in the domain GPO (in the default domain security policy of the child domain):
a. Account Logon Events - Failure
b. Account Management - Success
c. Logon Events - Failure

3. On all domain DCs, enable Kerberos event logging according to the following KB article. The DCs will ALL have to be restarted before this starts working properly, so schedule some downtime for each DC (they do not all have to be done at once).
262177: HOW TO: Enable Kerberos Event Logging
http://support.microsoft.com/?id=262177

4. Enable the netlogon log on all domain DCs by modifying the following registry entry:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
The detailed steps can be found in the following Knowledge Base article:
109626: Enabling Debug Logging for the Netlogon Service
http://support.microsoft.com/?id=109626

When the account lockout issue takes place, collect the following information for further problem investigation:
1. The account name that is locked out.
2. The security log (EVT format) of all computers that are involved with the client's lockout (the PDC, the authenticating domain controller, and the client computer that has the user session). To find out the authenticating domain controller, type "Set L" (without the quotation marks) at a command prompt on the client machine.
3. The netlogon.log generated from the PDC and the authenticating domain controller.

Review that data and you should have a better idea of what is failing, and why.

Edited February 27, 2006 by cluberti
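The review of the collected netlogon.log files in the last step of the answer above is the part worth scripting, because a lockout is usually caused by one machine replaying a stale password, not by the user who then finds the account locked. The following is an added example, not code from cluberti's post or from Microsoft: a parser for the SamLogon "Returns 0x..." lines that netlogon.log writes once DBFlag is set, run over a constructed excerpt (the domain CORP, the hosts, the account names and the timestamps are invented). It counts wrong-password results per source client, records each locked-out result with the client that hit it, and notes which DC forwarded transitive logons. The NTSTATUS values are the standard ones (0xC000006A STATUS_WRONG_PASSWORD, 0xC000006D STATUS_LOGON_FAILURE, 0xC0000234 STATUS_ACCOUNT_LOCKED_OUT); the exact field order of the log line is assumed from the netlogon log style and may need adjusting for a given OS build.

```python
import re
from collections import Counter

# Constructed netlogon.log excerpt (domain, hosts, accounts and times are invented).
# Each SamLogon request yields an "Entered" line and later a "Returns 0x..." line
# carrying the NTSTATUS of the attempt; "(via DC02)" marks a logon forwarded
# transitively from another DC.
SAMPLE_NETLOGON_LOG = """\
02/27 09:14:02 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FINANCE-07 Entered
02/27 09:14:02 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FINANCE-07 Returns 0xC000006A
02/27 09:14:03 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FINANCE-07 Returns 0xC000006A
02/27 09:14:05 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-FINANCE-07 (via DC02) Returns 0xC000006A
02/27 09:14:06 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FINANCE-07 Returns 0xC000006A
02/27 09:14:08 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FINANCE-07 Returns 0xC000006A
02/27 09:14:09 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FINANCE-07 Returns 0xC0000234
02/27 09:20:41 [LOGON] CORP: SamLogon: Interactive logon of CORP\\jdoe from WS-JDOE Returns 0xC0000234
02/27 09:21:10 [LOGON] CORP: SamLogon: Network logon of CORP\\asmith from WS-ASMITH Returns 0x0
"""

# NTSTATUS values that matter for a lockout investigation.
STATUS_SUCCESS = 0x0
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234
STATUS_NAMES = {
    STATUS_SUCCESS: "STATUS_SUCCESS",
    STATUS_WRONG_PASSWORD: "STATUS_WRONG_PASSWORD",
    STATUS_LOGON_FAILURE: "STATUS_LOGON_FAILURE",
    STATUS_ACCOUNT_LOCKED_OUT: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Assumed line layout: "<MM/DD HH:MM:SS> [LOGON] <domain>: SamLogon: <kind> logon of
# <DOMAIN\\user> from <client> [(via <dc>)] Returns <0xNTSTATUS>".
LINE_RE = re.compile(r"""
    ^(?P<ts>\d\d/\d\d\ \d\d:\d\d:\d\d)\s+\[LOGON\]\s+
    (?P<domain>\S+):\s+SamLogon:\s+
    (?P<kind>.+?)\ logon\ of\ (?P<account>\S+)\ from\ (?P<client>\S+)
    (?:\ \(via\ (?P<via>\S+)\))?
    \s+Returns\s+(?P<status>0x[0-9A-Fa-f]+)\s*$
""", re.VERBOSE)


def parse_netlogon(text):
    """Yield one dict per 'Returns' line; 'Entered' lines carry no result and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"], 16)
            yield ev


def lockout_report(text):
    """Per account: wrong-password attempts by source client, every locked-out result,
    other failures by status name, and the DCs that forwarded transitive logons.
    Accounts that only ever succeed are left out."""
    report = {}
    for ev in parse_netlogon(text):
        if ev["status"] == STATUS_SUCCESS:
            continue
        entry = report.setdefault(ev["account"], {
            "wrong_password": Counter(), "locked_out": [], "other": Counter(), "dcs": set()})
        if ev["via"]:
            entry["dcs"].add(ev["via"])
        if ev["status"] == STATUS_WRONG_PASSWORD:
            entry["wrong_password"][ev["client"]] += 1
        elif ev["status"] == STATUS_ACCOUNT_LOCKED_OUT:
            entry["locked_out"].append((ev["ts"], ev["client"]))
        else:
            entry["other"][STATUS_NAMES.get(ev["status"], hex(ev["status"]))] += 1
    return report


def likely_source(report, account):
    """The client that sent the most wrong passwords for `account`, or None."""
    counts = report.get(account, {}).get("wrong_password")
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def format_report(report):
    lines = []
    for account, entry in sorted(report.items()):
        lines.append(f"{account}:")
        for client, n in entry["wrong_password"].most_common():
            lines.append(f"  {n} x {STATUS_NAMES[STATUS_WRONG_PASSWORD]} from {client}")
        for ts, client in entry["locked_out"]:
            lines.append(f"  {ts} {STATUS_NAMES[STATUS_ACCOUNT_LOCKED_OUT]} seen from {client}")
        for name, n in entry["other"].most_common():
            lines.append(f"  {n} x {name}")
        if entry["dcs"]:
            lines.append("  forwarded via: " + ", ".join(sorted(entry["dcs"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(lockout_report(SAMPLE_NETLOGON_LOG)))
```

Run it over the netlogon.log from the PDC and from the authenticating DC named by "set l": in the constructed excerpt the five wrong passwords that trip the threshold all come from WS-FINANCE-07, while the user's own box WS-JDOE only ever sees the locked-out result, so that is where to look for the cached credential. If the logs from the two DCs disagree, the "forwarded via" DCs tell you which other netlogon.log to pull.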