Re: Undo Account Lockout Policy GPO

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Here it is. Thank you

C:\>adfind -default -s base

AdFind V01.37.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2007

Using server: WCT-SER-00.wctaustralia.com:389
Directory: Windows Server 2003
Base DN: DC=wctaustralia,DC=com

dn:DC=wctaustralia,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=wctaustralia,DC=com
instanceType: 5
whenCreated: 20041108230221.0Z
whenChanged: 20080701175645.0Z
subRefs: DC=ForestDnsZones,DC=wctaustralia,DC=com
subRefs: DC=DomainDnsZones,DC=wctaustralia,DC=com
subRefs: CN=Configuration,DC=wctaustralia,DC=com
uSNCreated: 4098
dSASignature: 0100 0000 2800 0000 0000 0000 0000 0000 0000 0000 0000 0000 51CB
44DF 6795 BB49 9612 8EE0 D4F1 F8C4
uSNChanged: 4469986
name: wctaustralia
objectGUID: {9624DFF2-6DCC-4699-88E0-F2C7CE550F4E}
replUpToDateVector: 0200 0000 0000 0000 0100 0000 0000 0000 00AF CB15 7AE8 0845
93DB BAF5 560F 224A 364D 0000 0000 0000 078F EFFD 0200 0000
creationTime: 127444286869218750
forceLogoff: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -25920000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1012
pwdProperties: 0
pwdHistoryLength: 15
objectSid: S-1-5-21-198683919-2923285351-624703263
serverState: 1
uASCompat: 1
modifiedCount: 19715
auditingPolicy: 0001
nTMixedDomain: 1
rIDManagerReference: CN=RID Manager$,CN=System,DC=wctaustralia,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=wctau
stralia,DC=com
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program
Data,DC=wctaustralia,DC=com
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=wcta
ustralia,DC=com
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrinc
ipals,DC=wctaustralia,DC=com
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=wctaustralia,DC=com
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=wcta
ustralia,DC=com
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=wctaustral
ia,DC=com
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,D
C=wctaustralia,DC=com
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=wctaust
ralia,DC=com
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=wctaustrali
a,DC=com
managedBy: CN=Administrator,CN=Users,DC=wctaustralia,DC=com
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=wctaustralia,DC=com

isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={9CACCB52-B56E-4924-8A01-DBA8DB390893},CN=Policies,CN=System
,DC=wctaustralia,DC=com;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=P
olicies,CN=System,DC=wctaustralia,DC=com;0]
gPOptions: 0
masteredBy: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 0
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Sit
e-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
dc: wctaustralia


1 Objects returned


"Jorge de Almeida Pinto [MVP - DS]" wrote:

and the result is?....

any output on adfind?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5E89D356-BE93-4547-A85A-6B710999141B@xxxxxxxxxxxxxxxx

Thank you Paul and Jorge

I did issue GPUPDATE/ FORCE on the DC with PDC FSMO.



"Jorge de Almeida Pinto [MVP - DS]" wrote:

I should be more specific....

do the GPUPDATE /FORCE on the DC with the PDC FSMO

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E3B561B-9EC3-45EC-80EB-3D069819BAA3@xxxxxxxxxxxxxxxx
Thank you Jorge.
I did issue gpudate /force and restart the server. but it still denied
to
work :(.
I also issued the adfind command, but unfortunately it did nor
recognize
this command.

any other suggestions? thanks a lot

Cheers

"Jorge de Almeida Pinto [MVP - DS]" wrote:

when configured within the default domain GPO the GPO should be
applied
to
the DCs after max 5 minutes

do a GPUPDATE /FORCE

post the output of: adfind -default -s base

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services
#

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test ANY suggestion in a test environment before
implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55543FEB-321A-40EC-8172-241867042A6B@xxxxxxxxxxxxxxxx
Hi all

Sorry to bother you all again. As I reset this policy to the new
setting
10
days ago,

FROM

Account Lockout duration - 30 minutes
Account Lockout threshold - 5 invalid logon attemps
Reset account lockout after count - 30 minutes

TO

Account Lockout duration - 2 minutes
Account Lockout threshold - 10 invalid logon attemps
Reset account lockout after count - 2 minutes

But it does not take effect at all. Or should I wait a bit longer?.
Please
adivise

Thank you very much

Cheers









.

Relevant Pages

  • Re: Undo Account Lockout Policy GPO
    ... do the GPUPDATE /FORCE on the DC with the PDC FSMO ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... > Account Lockout threshold - 5 invalid logon attemps ...
    (microsoft.public.windows.server.active_directory)
  • Re: Undo Account Lockout Policy GPO
    ... I want to see if the PWD settings are indeed applied to the domain NC head where the info is actually stored! ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... Account Lockout threshold - 5 invalid logon attemps ...
    (microsoft.public.windows.server.active_directory)
  • Re: Undo Account Lockout Policy GPO
    ... Account Lockout threshold - 5 invalid logon attemps ... Reset account lockout after count - 30 minutes ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ...
    (microsoft.public.windows.server.active_directory)
  • Re: Undo Account Lockout Policy GPO
    ... do the GPUPDATE /FORCE on the DC with the PDC FSMO ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... Account Lockout threshold - 5 invalid logon attemps ...
    (microsoft.public.windows.server.active_directory)
  • Re: Undo Account Lockout Policy GPO
    ... lockOutObservationWindow: -18000000000 ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... objectClass: domainDNS ...
    (microsoft.public.windows.server.active_directory)