Re: active directory group locked
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Tue, 04 Jul 2006 11:57:12 -0400
Accounts don't just lock; there is a reason, you simply don't know what it is. Kick up auditing of bad auth and start chasing through your DC event logs. If you look at the badpwdcount attribute on each DC, you should see which DC is fielding the bad attempts. Note that the PDC should be seeing the most bads, as all bads should be redirected to it.
Also note that 5 is ridiculously low for a lockout policy. Many interactive logon attempts will generate 3 bad auth attempts with a single interactive user logon attempt.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
arrell@xxxxxxxxx wrote:
Hi,
We in our company are facing a problem of locked user accounts without a
known reason. We have a group policy that if the user attempts a wrong
password more than 5 times it should be locked, and it's
working fine with it, but there isn't any reason for locking accounts
without any reason. Please assist in this regard.
Thanks
ArrEll
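
The per-DC badpwdcount check described in the reply above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, which the thread does not mention, and `jdoe` is a placeholder account name.

```powershell
# Added example: ask every DC for one user's bad-password counters.
# Assumes the ActiveDirectory module; 'jdoe' is a placeholder account name.
param(
    [string]$SamAccountName = 'jdoe'
)

Import-Module ActiveDirectory

# The PDC emulator is the DC that bad password attempts get forwarded to.
$pdc = (Get-ADDomain).PDCEmulator

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # badPwdCount and badPasswordTime are not replicated between DCs,
        # so each DC has to be queried directly with -Server.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop

        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPDC            = ($dc.HostName -eq $pdc)
            BadPwdCount      = $u.badPwdCount
            # Both time attributes are Windows FILETIME values; 0 means "never".
            LastBadPassword  = if ($u.badPasswordTime -gt 0) { [datetime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
            LockedOutAt      = if ($u.lockoutTime -gt 0) { [datetime]::FromFileTimeUtc($u.lockoutTime) } else { $null }
            Error            = $null
        }
    }
    catch {
        # Report an unreachable DC instead of silently skipping it.
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPDC            = ($dc.HostName -eq $pdc)
            BadPwdCount      = $null
            LastBadPassword  = $null
            LockedOutAt      = $null
            Error            = $_.Exception.Message
        }
    }
}

# Most recent bad attempt first: the non-PDC DC at the top is the one fielding them.
$results | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize
```

The DC other than the PDC with the newest `LastBadPassword` is the one whose event logs are worth reading first.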