Re: Undo Account Lockout Policy GPO




Hi All

What I did was that

I created a new GPO
I imported from the existing GPO, so they are identical.
Linked to our Domain
then I changed the Account Lockout Policy as follows

Account Lockout duration - Not defined
Account Lockout threshold - 0
Reset account lockout after count - Not defined.

Run GPUPDATE /FORCE
Run adfind -default -s base

Here is the new result:

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0

only lockoutThreshold changed accordingly; the other 2 are still the same :(.

Thought I would let you know.
Thanks a lot for all your help and support
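As an added example that is not part of the thread (it is not vdz's or Jorge's code), here is a small Python decoder for the domain NC attributes shown in the adfind output quoted below. The interval attributes (lockoutDuration, lockOutObservationWindow, maxPwdAge, minPwdAge) are stored as negative counts of 100-nanosecond ticks, which is why -18000000000 is the 30 minutes Jorge maps it to; the script converts them into the minutes and days the GPO editor shows, flags a lockoutThreshold of 0 as "lockout disabled" (the state the admin ends up in), decodes the gPLink option bits (1 = link disabled, 2 = enforced) and lists every setting that differs from the values the admin intended. The sample input is constructed from the lines quoted in the thread; every GUID and number in it comes from the page.

```python
import re
from datetime import timedelta

# Domain-NC attributes that store an interval as a negative count of
# 100-nanosecond ticks (AD's "large integer" format for policy intervals).
INTERVAL_ATTRS = ("lockoutDuration", "lockOutObservationWindow", "maxPwdAge", "minPwdAge")
# Attributes that are plain counts.
COUNT_ATTRS = ("lockoutThreshold", "minPwdLength", "pwdHistoryLength")
# Sentinel AD stores for "never"; for lockoutDuration it means "until an admin unlocks".
NEVER = -0x8000000000000000
# gPLink option bits.
GPLINK_DISABLED, GPLINK_ENFORCED = 0x1, 0x2
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # well-known GUID

# Constructed sample: the relevant lines of the adfind output quoted in the thread,
# with the wrapped gPLink value joined onto one line.
SAMPLE_OUTPUT = """\
dn:DC=wctaustralia,DC=com
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -25920000000000
minPwdAge: -864000000000
minPwdLength: 7
pwdHistoryLength: 15
gPLink: [LDAP://CN={9CACCB52-B56E-4924-8A01-DBA8DB390893},CN=Policies,CN=System,DC=wctaustralia,DC=com;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wctaustralia,DC=com;0]
"""

_ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(-?\d+)\s*$")
_LINK = re.compile(r"\[LDAP://CN=(\{[0-9A-Fa-f-]+\})[^;\]]*;(\d+)\]")


def parse_domain_policy(text):
    """Collect the policy attributes and the raw gPLink string from 'name: value' lines."""
    wanted = set(INTERVAL_ATTRS) | set(COUNT_ATTRS)
    attrs = {}
    for line in text.splitlines():
        if line.startswith("gPLink:"):
            attrs["gPLink"] = line[len("gPLink:"):].strip()
            continue
        m = _ATTR.match(line)
        if m and m.group(1) in wanted:
            attrs[m.group(1)] = int(m.group(2))
    return attrs


def ticks_to_timedelta(value):
    """Convert a negative 100-ns tick count to a timedelta; None means 'never'."""
    if value == NEVER:
        return None
    return timedelta(microseconds=abs(value) // 10)  # 10 ticks = 1 microsecond


def _minutes(value):
    td = ticks_to_timedelta(value)
    return None if td is None else td.total_seconds() / 60


def lockout_policy(attrs):
    """Express the stored lockout settings in the units the GPO editor shows."""
    threshold = attrs["lockoutThreshold"]
    return {
        "lockout_duration_minutes": _minutes(attrs["lockoutDuration"]),
        "reset_counter_after_minutes": _minutes(attrs["lockOutObservationWindow"]),
        "lockout_threshold": threshold,
        "lockout_enabled": threshold != 0,  # threshold 0 disables lockout entirely
    }


def password_age_days(attrs):
    """maxPwdAge / minPwdAge in days (None = never expires)."""
    result = {}
    for key in ("maxPwdAge", "minPwdAge"):
        td = ticks_to_timedelta(attrs[key])
        result[key] = None if td is None else td.total_seconds() / 86400
    return result


def gpo_links(attrs):
    """Decode gPLink into (guid, enabled, enforced) tuples in the order stored."""
    links = []
    for guid, flags in _LINK.findall(attrs.get("gPLink", "")):
        opt = int(flags)
        links.append((guid.upper(), not opt & GPLINK_DISABLED, bool(opt & GPLINK_ENFORCED)))
    return links


def compare_policy(actual, expected):
    """Return (setting, stored value, intended value) for every mismatch."""
    return [(k, actual.get(k), v) for k, v in expected.items() if actual.get(k) != v]


if __name__ == "__main__":
    attrs = parse_domain_policy(SAMPLE_OUTPUT)
    policy = lockout_policy(attrs)
    print("stored lockout policy:", policy)
    print("password age (days):", password_age_days(attrs))
    for guid, enabled, enforced in gpo_links(attrs):
        label = "Default Domain Policy" if guid == DEFAULT_DOMAIN_POLICY_GUID else "other GPO"
        print(f"link {guid} ({label}): enabled={enabled} enforced={enforced}")
    # What the thread's admin intended the GPO to produce.
    intended = {"lockout_duration_minutes": 2.0, "reset_counter_after_minutes": 2.0, "lockout_threshold": 10}
    for key, have, want in compare_policy(policy, intended):
        print(f"MISMATCH {key}: domain NC has {have}, GPO intends {want}")
```

Run against the quoted output, the decoder reports 30 minutes / 5 attempts / 30 minutes, i.e. the old policy, and shows that the first gPLink entry carries option 1, so that link is disabled while the Default Domain Policy link (option 0) is the one in effect. Comparing the stored values against the intended 2 / 10 / 2 is the quickest way to confirm, on the PDC emulator, whether a GPO change has actually reached the domain NC head, which is where these settings are read from regardless of what the GPO editor displays.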


"vdz" wrote:

Thanks for pointing out this.
Huumm!! it does not make sense.
On the same DC (we have only one DC), the same "Default Domain Policy" (we
have only one GPO) and the same policy that I configured, now I can't change
it or reset.
I double checked if it links to the right root of the Domain. It never changed.

I am stuck here, I have never come across this issue before.

Any other suggestions would be appreciated.





"Jorge de Almeida Pinto [MVP - DS]" wrote:

this is what is defined as lockout settings on the domain NC head...

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5

the following is what you HAD/HAVE (and corresponds to the values above)
Account Lockout duration - 30 minutes
Account Lockout threshold - 5 invalid logon attempts
Reset account lockout after count - 30 minutes


the following is what you WANT
Account Lockout duration - 2 minutes
Account Lockout threshold - 10 invalid logon attempts
Reset account lockout after count - 2 minutes

which means the GPO with the settings is not being applied, is incorrectly
linked, or whatever

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82C69725-E9D3-4DB6-8575-1FC2BCA3FDCF@xxxxxxxxxxxxxxxx
Here it is. Thank you

C:\>adfind -default -s base

AdFind V01.37.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2007

Using server: WCT-SER-00.wctaustralia.com:389
Directory: Windows Server 2003
Base DN: DC=wctaustralia,DC=com

dn:DC=wctaustralia,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=wctaustralia,DC=com
instanceType: 5
whenCreated: 20041108230221.0Z
whenChanged: 20080701175645.0Z
subRefs: DC=ForestDnsZones,DC=wctaustralia,DC=com
subRefs: DC=DomainDnsZones,DC=wctaustralia,DC=com
subRefs: CN=Configuration,DC=wctaustralia,DC=com
uSNCreated: 4098
dSASignature: 0100 0000 2800 0000 0000 0000 0000 0000 0000 0000 0000 0000 51CB 44DF 6795 BB49 9612 8EE0 D4F1 F8C4
uSNChanged: 4469986
name: wctaustralia
objectGUID: {9624DFF2-6DCC-4699-88E0-F2C7CE550F4E}
replUpToDateVector: 0200 0000 0000 0000 0100 0000 0000 0000 00AF CB15 7AE8 0845 93DB BAF5 560F 224A 364D 0000 0000 0000 078F EFFD 0200 0000
creationTime: 127444286869218750
forceLogoff: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -25920000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1012
pwdProperties: 0
pwdHistoryLength: 15
objectSid: S-1-5-21-198683919-2923285351-624703263
serverState: 1
uASCompat: 1
modifiedCount: 19715
auditingPolicy: 0001
nTMixedDomain: 1
rIDManagerReference: CN=RID Manager$,CN=System,DC=wctaustralia,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=wctaustralia,DC=com
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=wctaustralia,DC=com
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=wctaustralia,DC=com
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=wctaustralia,DC=com
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=wctaustralia,DC=com
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=wctaustralia,DC=com
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=wctaustralia,DC=com
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=wctaustralia,DC=com
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=wctaustralia,DC=com
managedBy: CN=Administrator,CN=Users,DC=wctaustralia,DC=com
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=wctaustralia,DC=com
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={9CACCB52-B56E-4924-8A01-DBA8DB390893},CN=Policies,CN=System,DC=wctaustralia,DC=com;1][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=wctaustralia,DC=com;0]
gPOptions: 0
masteredBy: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 0
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=WCT-SER-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wctaustralia,DC=com
dc: wctaustralia


1 Objects returned


"Jorge de Almeida Pinto [MVP - DS]" wrote:

and the result is?....

any output on adfind?

"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5E89D356-BE93-4547-A85A-6B710999141B@xxxxxxxxxxxxxxxx

Thank you Paul and Jorge

I did issue GPUPDATE /FORCE on the DC with the PDC FSMO.



"Jorge de Almeida Pinto [MVP - DS]" wrote:

I should be more specific....

do the GPUPDATE /FORCE on the DC with the PDC FSMO

"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E3B561B-9EC3-45EC-80EB-3D069819BAA3@xxxxxxxxxxxxxxxx
Thank you Jorge.
I did issue gpupdate /force and restarted the server, but it still refused to work :(.
I also issued the adfind command, but unfortunately it did not recognize this command.

any other suggestions? thanks a lot

Cheers

"Jorge de Almeida Pinto [MVP - DS]" wrote:

when configured within the default domain GPO, the GPO should be applied to the DCs after max 5 minutes

do a GPUPDATE /FORCE

post the output of: adfind -default -s base

"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55543FEB-321A-40EC-8172-241867042A6B@xxxxxxxxxxxxxxxx
Hi all

Sorry to bother you all again. As I reset this policy to the new setting 10 days ago,

FROM

Account Lockout duration - 30 minutes
Account Lockout threshold - 5 invalid logon attempts
Reset account lockout after count - 30 minutes

TO

Account Lockout duration - 2 minutes
Account Lockout threshold - 10 invalid logon attempts
Reset account lockout after count - 2 minutes
.


