I have a couple of questions regarding the account lockout policy.

1) I had originally set a local policy on our Win2K terminal server such
that 3 invalid logon attempts would cause an account lockout.

Later on, I had applied a domain wide policy (on our SBS 2000 server) that
set it to 5 invalid attempts.

I assumed the domain policy would override any local policy but it doesn't
seem to. If a user logs on 3 times with an incorrect password, it will still
lock them out!

Also because we have been having problems with users being locked out, I
decided to completely eliminate the lock out. So, I disabled account
lockouts in both the domain policy on the SBS 2000 server and the local
policy on the win2K terminal server.

I am still getting accounts locking out after 3 invalid attempts.

What gives? Can anyone help me?

2) Also, maybe I need a lesson on what can cause a lockout...

We have a user who brings in his home laptop to copy drawings off our server
so he can work from home.

I configured his laptop so that he has the same drive mappings he has on his
work machine. Two drive mappings point to shares on our win2K server that is
part of our domain. The other mapping points to a share that is on an older
NT 4 server - which is NOT part of the domain.

When he logs onto his laptop, he is logging on locally - not as part of the
domain. (It's winxp home edition).

When I set up his shares, I configured the appropriate domain\username and
password so it would connect. For the NT 4 share which is part of a
workgroup (not in our domain) I configured his username and password
excluding the domain.

The problem is, as soon as he logs on and double clicks one of his mapped
drives, it asks for his password and when he enters that, it says it has
locked him out!!!

Why would the account be locking out when I have specified the
domain/username and passwords to use for the drive mappings? There are only
two drive mappings that use his domain username/password. If the lockout was
set to 3 invalid attempts, why is it locking out when there are only two
mappings???

I am obviously missing something here...

Thanks

Brad

Re: account lockout issues... by Dave

Dave
Fri Jul 09 12:04:23 CDT 2004

The fact that you can edit lockout policies in the TS box's Local Security
Policy indicates that your domain policy is not being applied to that
machine.

Are you sure the TS box is in an OU that's covered by the GP in which you're
changing the setting? If you set it in Domain Security Policy, it should
apply unless the TS is a DC, in which case you'd have to set it in the
Domain Controller Security Policy. If the domain policy is being applied to
the TS box correctly, you should not be able to edit the lockout settings in
the Local Security Policy.

Three or five is too low a setting for lockout IMO. Our office is
incredibly security conscious, and we have it set to 10. For one thing, if
a kerberos login fails, the client may try an NTLM login, making a single
password error count twice. You can search support.microsoft.com for
articles about lockout. Here's one
http://support.microsoft.com/default.aspx?scid=kb;en-us;297157

There's a great white paper about this called "Account Passwords and
Policies"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx.
It's really too long to read from a web site, but if you search around you
might find a downloadable copy somewhere on the MS site. Also, if you do a
full site search of microsoft.com for "Account Passwords and Policies"
including the quotes, the results will include a lot of info about this
topic.




"Brad Pears" <donotreply@notreal.com> wrote in message
news:OS17MJdZEHA.2260@TK2MSFTNGP12.phx.gbl...



Re: account lockout issues... by Jim

Jim
Sat Jul 10 08:55:18 CDT 2004

I have had users click on save password which screwed them. I get in
the pulpit and preach the function of passwords is to protect you.
These are people that live in the big city, population over 4 million,
not in the small town population 1200 where you buy a new car and
never take the keys out of the ignition in the next 20 years you own
the car. What happens sometimes is the passwords saved pass that
information over when trying to do something and the password/user
name is wrong. There are some clicks in Control Panel/ User accounts
manage my passwords that may help if you are having this problem. That
would be an XP issue.

"Brad Pears" <donotreply@notreal.com> wrote:


Jim B. SBS MVP
remove the mvp to send email
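An added example, not from any of the posters, for chasing down the two things Dave and Jim describe: which lockout threshold a given box actually enforces, and which client machine (a laptop replaying stale saved credentials on a mapped drive, for instance) is sending the bad passwords. It assumes a Windows Server 2008-or-later domain controller with the ActiveDirectory module, so the event IDs and field names are the modern ones rather than the Windows 2000 ones this thread would have seen.

```powershell
# Added example: find the effective lockout threshold and the source of lockouts.
# Assumes: run on a DC (or with RSAT) on Windows Server 2008 or later.
# Event 4740 = account locked out; 4771 = Kerberos pre-auth failure;
# 4776 = NTLM validation (the fallback Dave mentions, which can double-count).

# 1. The threshold this machine actually enforces. Run it on the DC and on the
#    terminal server: if the numbers differ, domain policy is not reaching the TS.
function Get-EffectiveLockoutPolicy {
    (net accounts) | Where-Object { $_ -match '^Lockout' }
}

# 2. Which domain accounts are locked right now.
function Get-LockedAccounts {
    Import-Module ActiveDirectory -ErrorAction Stop
    Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
}

# 3. Lockout events from the DC's Security log. 'Caller Computer Name' (stored
#    in the TargetDomainName field of 4740) is the client that sent the bad passwords.
function Get-LockoutSources {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            DC             = $_.MachineName
        }
    }
}

# 4. Bad-password failures per protocol, to see how many counts one user
#    mistake produced (0x18 = Kerberos bad password, 0xC000006A = NTLM bad password).
function Get-FailureCounts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x18|0xC000006A' } |
        Group-Object Id | Select-Object Name, Count
}

Get-EffectiveLockoutPolicy
Get-LockedAccounts
Get-LockoutSources | Sort-Object Time -Descending | Format-Table -AutoSize
Get-FailureCounts
```

On the client side, `cmdkey /list` shows the stored credentials a mapped drive will replay, which is the place to look once the caller computer above points at a particular laptop.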