Re: Reset account lockout counter after
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 21 Dec 2006 16:06:35 -0500
Note that while the value is int8, there is no guarantee what the results will be internally to AD, there could be some hard limit. If I get a chance I will go poke around and see if I can find out the next time I am playing in the source. Best you test it...
Also note that bad attempts are cleared once you have a successful logon.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Richard Mueller wrote:
Ryan Sanders wrote:
After reading this I am unclear on what to set this value to in order to accomplish my task.
http://technet2.microsoft.com/WindowsServer/en/library/f047b2d2-2ac1-46dd-aed0-9f7eb9df14021033.mspx?mfr=true
I want to remember invalid login attempts forever, meaning if you ever put in 3 invalid passwords over a period of 3 years your account is locked. Sounds extreme I know, and I suspect this will change but for now I need to know if/how this can be done.
99,999 minutes which is the max value is only about 69 days.
The Group Policy Editor GUI restricts this setting to 99,999 minutes. The corresponding lockoutObservationWindow attribute of the domain object is Integer8. This means it is a 64-bit number representing 100-nanosecond intervals. 99,999 minutes corresponds to a value of -59,999,400,000,000 for the lockoutObservationWindow attribute (the value is always negative). You can check this with ADSI Edit. In truth, this is a small value for an Integer8 attribute. The value can range from -2^63 to 2^63 - 1. The attribute won't overflow until about -9.2 * 10^18, which corresponds to over 29,000 years.
Being conservative, I used ADSI Edit to alter the value of the lockoutObservationWindow attribute for my domain to -32,000,000,000,000,000 (without the commas of course). This corresponds to just over 101 years. You can select a larger value if you desire. As far as I can tell, there is no problem doing this. Of course, I won't be able to verify the setting for some time.
ADSI Edit is part of the Windows 2000 Support Tools on the Windows 2000 Server CD.
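The arithmetic in Richard's reply (minutes to a negative count of 100-nanosecond intervals, and the Integer8 range that bounds it) is easy to get wrong by a factor of ten or a sign. The following is an added example, not code from anyone in this thread: it converts in both directions and refuses values that would not fit the attribute. It assumes the encoding as described above (negative, 100 ns per tick, signed 64-bit) and uses a 365.25-day year for the order-of-magnitude checks.

```python
# Added example (not from the thread): convert between an account-lockout
# observation window expressed in minutes and the negative 100-nanosecond
# Integer8 value stored in the domain's lockoutObservationWindow attribute.

INT8_MIN = -(2 ** 63)          # smallest value a signed 64-bit Integer8 can hold
INT8_MAX = 2 ** 63 - 1
TICKS_PER_SECOND = 10_000_000  # one tick is 100 ns, so ten million ticks per second
TICKS_PER_MINUTE = 60 * TICKS_PER_SECOND
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_YEAR = 365.25 * MINUTES_PER_DAY  # assumption: Julian year for rough figures


def minutes_to_observation_window(minutes: int) -> int:
    """Return the Integer8 value for a window of `minutes` minutes.

    The directory stores these durations as negative counts of 100-ns
    intervals, so the result is negative. Raises ValueError if the value
    would fall outside the signed 64-bit range of an Integer8 attribute.
    """
    if minutes < 0:
        raise ValueError("window must be non-negative")
    value = -minutes * TICKS_PER_MINUTE
    if not INT8_MIN <= value <= INT8_MAX:
        raise ValueError(f"{minutes} minutes does not fit in an Integer8 attribute")
    return value


def observation_window_to_minutes(value: int) -> float:
    """Inverse conversion: negative 100-ns Integer8 value -> minutes."""
    if value > 0:
        raise ValueError("lockoutObservationWindow is stored as a negative interval")
    return -value / TICKS_PER_MINUTE


def observation_window_to_days(value: int) -> float:
    return observation_window_to_minutes(value) / MINUTES_PER_DAY


def observation_window_to_years(value: int) -> float:
    return observation_window_to_minutes(value) / MINUTES_PER_YEAR


def max_observation_window_years() -> float:
    """Largest window the attribute can represent before it would overflow."""
    return observation_window_to_years(INT8_MIN)


if __name__ == "__main__":
    gui_max = minutes_to_observation_window(99_999)
    print("99,999 minutes ->", gui_max, "=", round(observation_window_to_days(gui_max), 1), "days")
    print("-32e15 ->", round(observation_window_to_years(-32_000_000_000_000_000), 1), "years")
    print("Integer8 limit ->", round(max_observation_window_years()), "years")
```

Running it reproduces the three figures quoted in the thread: 99,999 minutes is -59,999,400,000,000 (about 69 days), -32,000,000,000,000,000 is just over 101 years, and the Integer8 floor is roughly 29,000 years. The range check is the part worth keeping if you script the change rather than typing it into ADSI Edit, since a value outside the signed 64-bit range cannot be stored at all.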