Re: preventing user account lockout in Active Directory




"keith chilton" <kchilton@xxxxxxxxxxx> wrote in message
news:ew6J53QaIHA.5784@xxxxxxxxxxxxxxxxxxxxxxx
This particular user is called "synserv"... It is used among 3 computers..
2 are Windows Server 2003 and one is XP Pro... "synserv" has its password
set so that it never expires. In AD I even put "synserv" in its own
Organizational Unit so I could give it its own GPO. The only thing that
is configured by the GPO is "Account lockout threshold" and that is set to
0 (Which means it cannot get locked out). Maybe these 2 servers are using
services using this user name "synserv" with the predefined password we
gave it that never expires.. They probably are, but we've never changed
the password and never will probably. Any ideas with this newfound
information I've presented? I appreciate the help.. By the way I just did
an experiment with the GPO settings. I am trying

"Account lockout duration" = 1 minute
"Account lockout threshold" = 999 invalid login attempts
"Reset account lockout counter after" = 1 minute

Maybe this will make it hardly ever lock out.. Every 999 failures and then
it would unlock itself after 1 minute...

--
Thanks,

Keith Chilton

In a domain environment, the account lockout policy settings must be set on
the domain controller that is authenticating the account, and thus locking
out the account. They will have no effect on the user object. Therefore,
the settings will apply to any account that the DC authenticates for.
Microsoft says that these settings should only be set in the default domain
GPO, although I think you could get away with setting it in a GPO that
applies against the domain controllers OU.

Perhaps what you should do is reset the password for the account, and then
in the services control panel for the three machines that use the account.
You could also enable auditing for account logon events (failure) on your
domain controllers. This might give you an event log entry of which
workstation (or server) is locking it out. Of course, you would have to
examine the event logs on all of the domain controllers because you don't
know which DC is locking it out.

synserv wouldn't happen to be Synergy xf Server, would it?

John R
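
The suggestion above to examine the failure events on every domain controller can be scripted. The following is an added example, not part of the original posts: it assumes domain controllers running Windows Server 2008 or later (Server 2003-era DCs use different event IDs, such as 644 for a lockout), the ActiveDirectory PowerShell module, failure auditing already enabled, and a one-day look-back window.

```powershell
# Added example: sweep every DC's Security log for lockouts and failed
# logons of one account and report which machine they came from.
# Assumptions: Server 2008+ event IDs, ActiveDirectory module available,
# and rights to read the Security log on each domain controller.
Import-Module ActiveDirectory

$Account = 'synserv'                # account named in the thread
$Since   = (Get-Date).AddDays(-1)   # look-back window (assumption)

# Event field that identifies the source machine, per event ID.
$SourceField = @{
    4740 = 'TargetDomainName'   # account locked out: caller computer name
    4771 = 'IpAddress'          # Kerberos pre-authentication failed
    4776 = 'Workstation'        # NTLM credential validation
}
$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $Since }

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName `
                               -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Also raised when a DC simply has no matching events.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read EventData by field name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $Account) { continue }
        # 4776 is also logged for successful validations; keep failures only.
        if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc.HostName
            EventId = $e.Id
            Source  = $data[$SourceField[$e.Id]]
        }
    }
}

# Timeline first, then a count per source machine or address.
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The per-source count usually points at the machine holding a stale password in a service, scheduled task or mapped drive.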

