preventing user account lockout in Active Directory

Discussion in 'MCSA' started by keith chilton, Feb 5, 2008.

  1. Is there a way to totally prevent a user account from being locked out
    forever until the end of time? I have an account that gets locked out all
    the time and we don't want it to. It's so irritating to have to unlock it all
    the time. The GPO tied to this user account has nothing defined in it at all.

    It would be greatly appreciated.

    --
    Thanks,

    Keith Chilton
    Data Services Technician
    River Valley Financial Bank
    812-273-4949 x1165

    ****River Valley Financial Bank, Internet Email Confidentiality Footer****
    Privileged/Confidential Information may be contained in this message. If you
    are not the addressee indicated in this message (or responsible for delivery
    of the message to such person), you may not copy or deliver this message to
    anyone. In such case, you should destroy this message, and notify us
    immediately. If you or your employer does not consent to Internet email
    messages of this kind, please advise us immediately. Opinions, conclusions
    and other information expressed in this message are not given or endorsed by
    my firm or employer unless otherwise indicated by an authorized
    representative independent of this message. All Securities are offered
    through Money Concepts Capital Corp., 7828 East 88th Street, Indianapolis,
    Indiana 46256, 317-841-0370. Member NASD/SIPC. Not FDIC Insured, No Bank
    Guarantees, May Lose Value.
     
    keith chilton, Feb 5, 2008
    #1

  2. John R Guest

    "keith chilton" <> wrote in message
    news:ujZWJm$...
    > Is there a way to totally prevent a user account from being locked out
    > forever until the end of time? I have an account that gets locked out all
    > the time and we don't want it to. It's so irritating to have to unlock it
    > all the time. The GPO tied to this user account has nothing defined in it
    > at all.
    >
    > It would be greatly appreciated.
    >
    > --
    > Thanks,
    >
    > Keith Chilton
    > Data Services Technician
    > River Valley Financial Bank
    > 812-273-4949 x1165
    >



    Hi Keith,

    Long time no read.

    About the only thing you could do is change your default domain policy
    lockout policy, since the change needs to be made on every DC. That would,
    however, apply to all your users, not just the one.

    We have found that this particular issue normally arises when an advanced
    user has configured some service to start using their credentials, and then
    they changed their password. You should have all of your advanced users
    (developers, etc), check their services to make sure they are not using
    "personal" credentials.

    In stubborn cases, we have changed the user's logon (on the account tab of
    the user object) from say 'billy' to 'billy1' for a while. That way,
    'billy' can get rejected all it wants without disrupting the real user
    'billy1'.

    John R
     
    John R, Feb 5, 2008
    #2

  3. This particular user is called "synserv"... It is used among 3 computers.. 2
    are Windows Server 2003 and one is XP Pro... "synserv" has its password set
    so that it never expires. In AD I even put "synserv" in its own
    Organizational Unit so I could give it its own GPO. The only thing that is
    configured by the GPO is "Account lockout threshold" and that is set to 0
    (Which means it can not get locked out). Maybe these 2 servers are using
    services using this user name "synserv" with the predefined password we gave
    it that never expires.. They probably are, but we've never changed the
    password and never will probably. Any ideas with this newfound information
    I've presented? I appreciate the help.. By the way I just did an experiment
    with the GPO settings. I am trying

    "Account lockout duration" = 1 minute
    "Account lockout threshold" = 999 invalid login attempts
    "Reset account lockout counter after" = 1 minute

    Maybe this will make it hardly ever lock out.. Every 999 failures and then it
    would unlock itself after 1 minute...

    --
    Thanks,

    Keith Chilton
    Data Services Technician
    River Valley Financial Bank
    812-273-4949 x1165

     
    keith chilton, Feb 6, 2008
    #3
  4. John R Guest

    "keith chilton" <> wrote in message
    news:...
    > This particular user is called "synserv"... It is used among 3 computers..
    > 2 are Windows Server 2003 and one is XP Pro... "synserv" has its password
    > set so that it never expires. In AD I even put "synserv" in its own
    > Organizational Unit so I could give it its own GPO. The only thing that
    > is configured by the GPO is "Account lockout threshold" and that is set to
    > 0 (Which means it can not get locked out). Maybe these 2 servers are using
    > services using this user name "synserv" with the predefined password we
    > gave it that never expires.. They probably are, but we've never changed
    > the password and never will probably. Any ideas with this newfound
    > information I've presented? I appreciate the help.. By the way I just did
    > an experiment with the GPO settings. I am trying
    >
    > "Account lockout duration" = 1 minute
    > "Account lockout threshold" = 999 invalid login attempts
    > "Reset account lockout counter after" = 1 minute
    >
    > Maybe this will make it hardly ever lock out.. Every 999 failures and then
    > it would unlock itself after 1 minute...
    >
    > --
    > Thanks,
    >
    > Keith Chilton


    In a domain environment, the account lockout policy settings must be set on
    the domain controller that is authenticating the account, and thus locking
    out the account. They will have no effect on the user object. Therefore,
    the settings will apply to any account that the DC authenticates for.
    Microsoft says that these settings should only be set in the default domain
    GPO, although I think you could get away with setting it in a GPO that
    applies against the domain controllers OU.

    Perhaps what you should do is reset the password for the account, and then
    in the services control panel for the three machines that use the account.
    You could also enable auditing for account logon events (failure) on your
    domain controllers. This might give you an event log entry of which
    workstation (or server) is locking it out. Of course, you would have to
    examine the event logs on all of the domain controllers because you don't
    know which DC is locking it out.

    synserv wouldn't happen to be Synergy xf Server, would it?

    John R
     
    John R, Feb 7, 2008
    #4
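
The approach described in post #4 (read the Security log on every domain controller to find which machine triggers the lockout, then check the services on those machines), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module, domain controllers that log lockouts as event ID 4740 (Windows Server 2008 or later), and WinRM access for Get-CimInstance; the 7-day window is an arbitrary choice.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# DCs that log event ID 4740 (Server 2008+), and WinRM access to member machines.
Import-Module ActiveDirectory

$account = 'synserv'                    # account named in the thread
$since   = (Get-Date).AddDays(-7)       # arbitrary look-back window

# The lockout settings in effect come from the domain policy, not from a GPO
# linked to the OU that holds the user object.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Ask every DC, since any of them may have recorded the lockout.
$lockouts = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } | Where-Object { $_.Properties[0].Value -eq $account } |
            ForEach-Object {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    DC             = $dc.HostName
                    Account        = $_.Properties[0].Value   # locked-out account
                    CallerComputer = $_.Properties[1].Value   # machine that sent the bad logons
                }
            }
    } catch {
        # Raised when the DC is unreachable or has no matching events.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}
$lockouts | Sort-Object Time | Format-Table -AutoSize

# On each machine that triggered a lockout, list services that log on as the account.
$lockouts.CallerComputer | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    Get-CimInstance -ClassName Win32_Service -ComputerName $_ |
        Where-Object { $_.StartName -like "*$account*" } |
        Select-Object PSComputerName, Name, StartName, State
}
```

A service listed in the last step with a stale password is the usual source of repeated lockouts; failure auditing for account logon events must already be enabled on the domain controllers for the 4740 events to exist.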
  5. Thank you. Yes it is Synergy. I'm not too fond of it haha I wonder what
    your feelings about it are? I will try examining the logs.... *groan*

    --
    Thanks,

    Keith Chilton
    Data Services Technician
    River Valley Financial Bank
    812-273-4949 x1165

     
    keith chilton, Feb 8, 2008
    #5
  6. John R Guest

    "keith chilton" <> wrote in message
    news:...
    > Thank you. Yes it is Synergy. I'm not too fond of it haha I wonder what
    > your feelings about it are? I will try examining the logs.... *groan*
    >
    > --
    > Thanks,
    >
    > Keith Chilton


    I think Synergex is a great company. I can't really expand on it here,
    except to say that I have nothing negative to say about them. Tiffany (one
    of their long time support people, probably a manager there by now) is one
    of my favorite people in the world. I was just assisting one of our in-house
    analysts with an xf server configuration issue when I saw your message.

    As to examining the logs, hey, welcome to IT!

    John R
     
    John R, Feb 8, 2008
    #6