Re: Account should be locked out.....but isn't!
"Qu33n Bee" <Qu33nBee@discussions.microsoft.com> wrote in message
news:8FB35C4E-6A4A-43D2-825C-7ADB40BFD81E@microsoft.com...
> Update -- I have found an event which indicates that Group Policy processing
> was aborted as the domain could not be contacted due to invalid credentials
> being supplied. I guess that if the GP relies on authenticated connection to
> the domain, and the wrong password is supplied for the user; then group
> policies will not be applied and the failed logons would not trip the lockout
> threshold - can anyone confirm that this is the case?
>
I cannot confirm that is / is not the case, but it is highly improbable.
Account policies are set domain-wide, by the domain controllers.
Access to the GPO at the client login station would not prevent the
domain controllers from "knowing" the current account policies.
However, account lockout is dependent on communications between
DCs with the PDC FSMO which does the actual locking. All the same,
as only this account is noticed as not locking, or at least as others are
known to be locking as expected, I think one needs to look further for
the cause. From what you stated, that the domain could not be contacted,
I take it that you are looking at security event logs on the member rather
than on the domain controllers? If so, then lockout is not happening as
no one is telling the PDC FSMO to bump the count of invalid login
attempts.
> "Qu33n Bee" wrote:
>
>> Yes, I have confirmed that there are no GPOs other than the default domain
>> policy that contain configuration settings for account lockout.
>>
>> The account is not the built-in Admin account, but a user account which is a
>> member of the Domain Admins group. Other members of the same group with the
>> same account configuration have been locked out due to incorrect password
>> entry, so it is a mystery why this account remains unlocked after so many
>> logon failures.
>>
>> "Roger Abell [MVP]" wrote:
>>
>> >
>> > "Qu33n Bee" <Qu33nBee@discussions.microsoft.com> wrote in message
>> > news:AA92B332-4F0C-40C0-BC9E-E57E3C5D9ED0@microsoft.com...
>> > > Hi
>> > > I am a security auditor for a Windows 2003/2000 mixed-mode domain. Client
>> > > workstations are XP SP2, and all domain controllers are 2003 server. The
>> > > default domain group policy defines the account lockout policy at a
>> > > threshold of 6 failed logons.
>> > > Recently I have noticed a large number of failed logons for a user who has
>> > > Domain Admins membership. With 1154 failures in 2 days, I would have
>> > > expected the account to have been locked out but it isn't. The failures are
>> > > all 529/Type 3. I have checked for settings that block inheritance of the
>> > > default domain policy but there are none. How can the account have failed
>> > > logon so many times and not triggered the lockout?
>> >
>> > So I will assume your check also confirmed that the setting is not
>> > being defined in a higher priority (than the default domain GPO)
>> > GPO linked to the domain.
>> > Is the account the built-in Administrator (possibly renamed)?
>> >
>> > Roger
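The check Roger's reply points at (is any DC, and the PDC emulator in particular, actually seeing the failed attempts?) can be made directly by reading the account's bad-password counters on every domain controller. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module and DCs recent enough to support it (not the 2003 DCs in the thread), and `$SamAccountName` is a placeholder.

```powershell
# Added example (not from the thread): compare the account's bad-password
# counters on every DC with the PDC emulator, which is the DC that actually
# enforces the lockout threshold. Assumes the ActiveDirectory module.
param([string]$SamAccountName = "j.doe")   # placeholder account name

Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$policy = Get-ADDefaultDomainPasswordPolicy
"Lockout threshold: {0}   PDC emulator: {1}" -f $policy.LockoutThreshold, $pdc

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
             -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = $u.badPwdCount
            # badPasswordTime is a FILETIME large integer; 0 means never
            LastBadPwd  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOut   = ($u.lockoutTime -gt 0)
        }
    } catch {
        # DC unreachable or account not found on that DC
        [pscustomobject]@{ DC = $dc.HostName; IsPDC = ($dc.HostName -eq $pdc)
                           BadPwdCount = 'unreachable'; LastBadPwd = $null; LockedOut = $null }
    }
}
$rows | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# Reading the result: if the member server's log fills with 529/Type 3 events
# while no DC shows BadPwdCount climbing, the failures are being evaluated on
# the member itself and never reach a DC, so the domain lockout cannot trigger.
```

badPwdCount is not replicated, which is why each DC is queried individually rather than trusting the value returned by whichever DC answers the first query.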