Re: Account Lockout Threshold change - Not taking effect

---

• From: sekhar <sekhar@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Mon, 14 Sep 2009 09:39:02 -0700

---

Hi Ace,

The GPO (Default Domain Policy) that has the account lockout setting of 5 is
linked to the domain. The old setting was 3, and the new setting now is 5.

The other policy that was set at the OU level had the account lockout
setting of 3, now it has been changed to 5. This is not linked at the domain
level.

The accout (Domain Account) is still getting locked at 3 attempts.

"Ace Fekay [MCT]" wrote:

"sekhar" <sekhar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE341FDE-2DEC-474D-8178-6C6FA2F21C20@xxxxxxxxxxxxxxxx

Hi Sekhar,

Maybe I may not be understanding what you are saying. Are you saying the GPO
with the 5 attempts setting is not linked at the domain level, but rather it
is liniked on an OU somewhere, such as where the Users OU is?

If it is on an OU, the password setting does not work. It only works if
linked at the domain level, no where else. If it is 2008, there is a
provision to make it work, but not with 2003 or older.

Ace

Hi Ace,

The other policy is linked at the domain level. It is at the lower OU
level.
I even changed the settings to 5 attempt. But still it locks at 3
attempts.
Not sure from where it pulls the count of 3.

"Ace Fekay [MCT]" wrote:

"sekhar" <sekhar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3688E5DD-FC3A-46BF-928C-B1498ED8978E@xxxxxxxxxxxxxxxx

Hi,

Yes, we tested. The account gets locked at 3 attempts, and not 5. The
correct default domin policy is getting applied, and it shows 5
attempts.
But
still no luck....

Have you tried unlinking the additional GPO you've created at the Domain
level, and making sure the Default Domain Policy is set to 5 attempts,
and
try again? If that works, that tells you it is pulling it from the
default
domain. If you want to create an additional GPO with password control,
you
will have to remove the settings in the Default Domain Policy and not
change
the order of the GPOs at the domain level, since we would want
thecdefault
GPO to run first.

If that doesn't work, then there is something else going on, such as
possible AD-client communications issues. I am assuming that none of the
machines (DC and clients) are using an external DNS server (such as the
ISP), and the DC is not multihomed (more than one NIC and/or IP address).

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit
among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

.

---

• Follow-Ups:
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Ace Fekay [MCT]
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Meinolf Weber [MVP-DS]

• References:
  • Account Lockout Threshold change - Not taking effect
    • From: sekhar
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Meinolf Weber [MVP-DS]
  • Re: Account Lockout Threshold change - Not taking effect
    • From: sekhar
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Meinolf Weber [MVP-DS]
  • Re: Account Lockout Threshold change - Not taking effect
    • From: sekhar
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Florian Frommherz [MVP]
  • Re: Account Lockout Threshold change - Not taking effect
    • From: sekhar
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Florian Frommherz [MVP]
  • Re: Account Lockout Threshold change - Not taking effect
    • From: sekhar
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Ace Fekay [MCT]
  • Re: Account Lockout Threshold change - Not taking effect
    • From: sekhar
  • Re: Account Lockout Threshold change - Not taking effect
    • From: Ace Fekay [MCT]

• Prev by Date: Re: Account Lockout Threshold change - Not taking effect
• Next by Date: Re: Account Lockout Threshold change - Not taking effect
• Previous by thread: Re: Account Lockout Threshold change - Not taking effect
• Next by thread: Re: Account Lockout Threshold change - Not taking effect
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Account Lockout Threshold change - Not taking effect ... Are you saying the GPO with the 5 attempts setting is not linked at the domain level, but rather it is liniked on an OU somewhere, such as where the Users OU is? ... will have to remove the settings in the Default Domain Policy and not change ... (microsoft.public.windows.server.active_directory) Re: Account Lockout Threshold change - Not taking effect ... The setting was hardcoded at the domain level. ... So you are saying there is a GPO at the OU level with password settings. ... The GPO (Default Domain Policy) that has the account lockout setting of 5 ... (microsoft.public.windows.server.active_directory) Re: Evt ID 1085 GP client-side extension IE ZoneMapping failed to ... Microsoft Windows XP Operating System Group Policy Result tool v2.0 ... GPO: Default Domain Policy ... GPO: Support Staff Policy ... (microsoft.public.windows.server.active_directory) Re: GROUP POLICY ... yes, same machine, i suspect the backup DC not updated with the gpo which I ... domain policy are applied, that's by design. ... Microsoft Windows XP Operating System Group Policy Result ... Computer Setting: 3 ... (microsoft.public.windows.server.active_directory) Re: Evt ID 1085 GP client-side extension IE ZoneMapping failed to ... GPO: Default Domain Policy ... GPO: GHS-SMS-BUS WSUS Computer ... GPO: Support Staff Policy ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2009-09