Re: account lockout issues...
From: Dave Nickason [SBS MVP] (gwdibble_at_NOSPAM.frontiernet.net)
Date: 07/09/04
- In reply to: Brad Pears: "account lockout issues..."
Date: Fri, 9 Jul 2004 13:04:23 -0400
The fact that you can edit lockout policies in the TS box's Local Security
Policy indicates that your domain policy is not being applied to that
machine.
Are you sure the TS box is in an OU that's covered by the GP in which you're
changing the setting? If you set it in Domain Security Policy, it should
apply unless the TS is a DC, in which case you'd have to set it in the
Domain Controller Security Policy. If the domain policy is being applied to
the TS box correctly, you should not be able to edit the lockout settings in
the Local Security Policy.
Three or five is too low a setting for lockout IMO. Our office is
incredibly security conscious, and we have it set to 10. For one thing, if
a Kerberos login fails, the client may try an NTLM login, making a single
password error count twice. You can search support.microsoft.com for
articles about lockout. Here's one
http://support.microsoft.com/default.aspx?scid=kb;en-us;297157
There's a great white paper about this called "Account Passwords and
Policies"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx.
It's really too long to read from a web site, but if you search around you
might find a downloadable copy somewhere on the MS site. Also, if you do a
full site search of microsoft.com for "Account Passwords and Policies"
including the quotes, the results will include a lot of info about this
topic.
"Brad Pears" <donotreply@notreal.com> wrote in message
news:OS17MJdZEHA.2260@TK2MSFTNGP12.phx.gbl...
>I have a couple of questions regarding the account lockout policy.
>
> 1) I had originally set a local policy on our Win2K terminal server such
> that 3 invalid logon attempts would cause an account lockout.
>
> Later on, I had applied a domain wide policy (on our SBS 2000 server) that
> set it to 5 invalid attempts.
>
> I assumed the domain policy would override any local policy but it doesn't
> seem to. If a user logs on 3 times with an incorrect password, it will still
> lock them out!
>
> Also because we have been having problems with users being locked out, I
> decided to completely eliminate the lock out. So, I disabled account
> lockouts in both the domain policy on the SBS 200 server and the local
> policy on the win2K terminal server.
>
> I am still getting accounts locking out after 3 invalid attempts.
>
> What gives? Can anyone help me?
>
> 2) Also, maybe I need a lesson on what can cause a lockout...
>
> We have a user who brings in his home laptop to copy drawings off our
> server so he can work from home.
>
> I configured his laptop so that he has the same drive mappings he has on
> his work machine. Two drive mappings point to shares on our win2K server
> that is part of our domain. The other mapping points to a share that is on
> an older NT 4 server - which is NOT part of the domain.
>
> When he logs onto his laptop, he is logging on locally - not as part of
> the domain. (It's winxp home edition).
>
> When I set up his shares, I configured the appropriate domain\username and
> password so it would connect. For the NT 4 share which is part of a
> workgroup (not in our domain) I configured his username and password
> excluding the domain.
>
> The problem is, as soon as he logs on and double clicks one of his mapped
> drives, it asks for his password and when he enters that, it says it has
> locked him out!!!
>
> Why would the account be locking out when I have specified the
> domain/username and passwords to use for the drive mappings? There are only
> two drive mappings that use his domain username/password. If the lockout
> was set to 3 invalid attempts, why is it locking out when there are only
> two mappings ???
>
> I am obviously missing something here...
>
> Thanks
>
> Brad
>
>
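One way to check whether the lockout threshold in effect on a member server (such as the terminal server discussed above) matches the domain's. This is an added example, not part of the original thread: the function names are hypothetical, it assumes an elevated session on a domain-joined machine, and the domain parsing assumes English-language `net accounts` output.

```powershell
# Added example (not from the original thread). Run elevated on the member server.
# Function names are hypothetical; domain parsing assumes English `net accounts` output.

function Get-LocalLockoutPolicy {
    # secedit writes the machine's effective security settings to an INF file.
    $cfg = Join-Path $env:TEMP 'lockout-check.inf'
    secedit /export /areas SECURITYPOLICY /cfg $cfg /quiet | Out-Null
    $policy = @{ LockoutBadCount = 0 }   # 0 = lockout disabled
    foreach ($line in Get-Content -Path $cfg) {
        # Lockout values live in the [System Access] section of the export.
        if ($line -match '^\s*(LockoutBadCount|ResetLockoutCount|LockoutDuration)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $policy
}

function Get-DomainLockoutThreshold {
    # "Lockout threshold:   Never" means lockout is disabled (treated as 0 here).
    $line = net accounts /domain |
        Where-Object { $_ -match '^Lockout threshold' } |
        Select-Object -First 1
    if (-not $line) { throw 'Could not read the domain lockout threshold.' }
    $value = ($line -split ':', 2)[1].Trim()
    if ($value -match '^\d+$') { [int]$value } else { 0 }
}

$localPolicy     = Get-LocalLockoutPolicy
$domainThreshold = Get-DomainLockoutThreshold

"Local effective threshold : $($localPolicy.LockoutBadCount)"
"Domain threshold          : $domainThreshold"

if ($localPolicy.LockoutBadCount -ne $domainThreshold) {
    'MISMATCH: the domain lockout setting is not what this machine is enforcing.'
    # List the GPOs actually applied to the computer to see which policy is missing.
    gpresult /r /scope computer
} else {
    'Thresholds match.'
}
```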