Re: Undo Account Lockout Policy GPO
- From: vdz <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 2 Jul 2008 15:58:01 -0700
Thanks for pointing this out.
Hmm!! It does not make sense.
On the same DC (we have only one DC), the same "Default Domain Policy" (we
have only one GPO) and the same policy that I configured, now I can't change
it or reset it.
I double-checked whether it links right to the root of the domain. It never changed.
I am stuck here; I have never come across this issue before.
Any other suggestions would be appreciated.
"Jorge de Almeida Pinto [MVP - DS]" wrote:
this is what is defined as lockout settings on the domain NC head....
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
the following is what you HAD/HAVE (and corresponds to the values above)
Account Lockout duration - 30 minutes
Account Lockout threshold - 5 invalid logon attempts
Reset account lockout after count - 30 minutes
the following is what you WANT
Account Lockout duration - 2 minutes
Account Lockout threshold - 10 invalid logon attempts
Reset account lockout after count - 2 minutes
which means the GPO with the settings is not being applied, is incorrectly
linked, or whatever
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82C69725-E9D3-4DB6-8575-1FC2BCA3FDCF@xxxxxxxxxxxxxxxx
Here it is. Thank you
C:\>adfind -default -s base
AdFind V01.37.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2007
Using server: WCT-SER-00.wctaustralia.com:389
Directory: Windows Server 2003
Base DN: DC=wctaustralia,DC=com
dn:DC=wctaustralia,DC=com
objectClass: top44DF 6795 BB49 9612 8EE0 D4F1 F8C4
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=wctaustralia,DC=com
instanceType: 5
whenCreated: 20041108230221.0Z
whenChanged: 20080701175645.0Z
subRefs: DC=ForestDnsZones,DC=wctaustralia,DC=com
subRefs: DC=DomainDnsZones,DC=wctaustralia,DC=com
subRefs: CN=Configuration,DC=wctaustralia,DC=com
uSNCreated: 4098
dSASignature: 0100 0000 2800 0000 0000 0000 0000 0000 0000 0000 0000 0000
51CB
uSNChanged: 446998693DB BAF5 560F 224A 364D 0000 0000 0000 078F EFFD 0200 0000
name: wctaustralia
objectGUID: {9624DFF2-6DCC-4699-88E0-F2C7CE550F4E}
replUpToDateVector: 0200 0000 0000 0000 0100 0000 0000 0000 00AF CB15 7AE8
0845
creationTime: 127444286869218750
forceLogoff: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -25920000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1012
pwdProperties: 0
pwdHistoryLength: 15
objectSid: S-1-5-21-198683919-2923285351-624703263
serverState: 1
uASCompat: 1
modifiedCount: 19715
auditingPolicy: 0001
nTMixedDomain: 1
rIDManagerReference: CN=RID Manager$,CN=System,DC=wctaustralia,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=wctaustralia,DC=com
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=wctaustralia,DC=com
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=wctaustralia,DC=com
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=wctaustralia,DC=com
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=wctaustralia,DC=com
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=wctaustralia,DC=com
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=wctaustralia,DC=com
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=wctaustralia,DC=com
managedBy: CN=Administrator,CN=Users,DC=wctaustralia,DC=com
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=wctaustralia,DC=com
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={9CACCB52-B56E-4924-8A01-DBA8DB390893},CN=Policies,CN=System,DC=wctaustralia,DC=com;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wctaustralia,DC=com;0]
gPOptions: 0
masteredBy: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 0
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
dc: wctaustralia
1 Objects returned
"Jorge de Almeida Pinto [MVP - DS]" wrote:
and the result is?....
any output on adfind?
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5E89D356-BE93-4547-A85A-6B710999141B@xxxxxxxxxxxxxxxx
Thank you Paul and Jorge
I did issue GPUPDATE /FORCE on the DC with PDC FSMO.
"Jorge de Almeida Pinto [MVP - DS]" wrote:
I should be more specific....
do the GPUPDATE /FORCE on the DC with the PDC FSMO
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E3B561B-9EC3-45EC-80EB-3D069819BAA3@xxxxxxxxxxxxxxxx
Thank you Jorge.
I did issue gpupdate /force and restart the server, but it still denied to work :(.
I also issued the adfind command, but unfortunately it did not recognize this command.
Any other suggestions? Thanks a lot
Cheers
"Jorge de Almeida Pinto [MVP - DS]" wrote:
when configured within the default domain GPO the GPO should be applied to
the DCs after max 5 minutes
do a GPUPDATE /FORCE
post the output of: adfind -default -s base
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55543FEB-321A-40EC-8172-241867042A6B@xxxxxxxxxxxxxxxx
Hi all
Sorry to bother you all again. As I reset this policy to the new setting 10
days ago,
FROM
Account Lockout duration - 30 minutes
Account Lockout threshold - 5 invalid logon attempts
Reset account lockout after count - 30 minutes
TO
Account Lockout duration - 2 minutes
Account Lockout threshold - 10 invalid logon attempts
Reset account lockout after count - 2 minutes
But it does not take effect at all. Or should I wait a bit longer? Please
advise.
Thank you very much
Cheers
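Added example (not part of the original thread, and not code from any poster): the comparison made in the reply above, done mechanically. It reads the lockout attributes from adfind-style output, converts the negative 100-nanosecond tick values to minutes, lists where the domain head differs from the wanted policy, and decodes the gPLink options (bit 1 = link disabled, bit 2 = enforced). The function names and the SAMPLE/WANTED constants are hypothetical; the sample lines are constructed from the output quoted in the thread.

```python
import re

TICKS_PER_MINUTE = 60 * 10_000_000  # AD intervals are 100-nanosecond ticks

# Constructed sample: lockout and gPLink lines taken from the adfind output
# quoted in the thread (gPLink rejoined from its wrapped lines).
SAMPLE = """\
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
gPLink: [LDAP://CN={9CACCB52-B56E-4924-8A01-DBA8DB390893},CN=Policies,CN=System,DC=wctaustralia,DC=com;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wctaustralia,DC=com;0]
"""

# The settings the poster wants, in minutes / attempts (from the thread).
WANTED = {"lockoutDuration": 2, "lockOutObservationWindow": 2, "lockoutThreshold": 10}
LINK_RE = re.compile(r"\[LDAP://CN=(\{[0-9A-Fa-f-]+\}),[^;\]]*;(\d+)\]")


def parse_attrs(text):
    """Return {attribute: value} for single-valued 'name: value' lines."""
    return dict(re.findall(r"^([\w-]+):[ \t]*(.+)$", text, re.MULTILINE))


def effective_policy(attrs):
    """Convert the domain head's lockout attributes to minutes / attempts."""
    out = {}
    for name in ("lockoutDuration", "lockOutObservationWindow"):
        # Stored as a negative tick count, so take the magnitude.
        out[name] = abs(int(attrs[name])) // TICKS_PER_MINUTE
    out["lockoutThreshold"] = int(attrs["lockoutThreshold"])
    return out


def drift(effective, wanted):
    """List (setting, effective, wanted) for every value that differs."""
    return [(k, effective[k], v) for k, v in wanted.items() if effective[k] != v]


def gp_links(attrs):
    """Decode gPLink into (GPO GUID, link enabled?, enforced?) tuples."""
    pairs = LINK_RE.findall(attrs.get("gPLink", ""))
    return [(guid, not int(opt) & 1, bool(int(opt) & 2)) for guid, opt in pairs]


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE)
    for setting, have, want in drift(effective_policy(attrs), WANTED):
        print(f"{setting}: domain head has {have}, policy wants {want}")
    for guid, enabled, enforced in gp_links(attrs):
        print(f"{guid}: link enabled={enabled} enforced={enforced}")
```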