How to disable account lockout policy on Server 2008?


You can disable account lockout policy by changing the "Account Lockout Threshold" option to 0. However, if it's not working... it's not working, so that won't help you.

First, check your Group Policy Refresh Interval for both computers and users. They are in Computer Configuration\Administrative Templates\System\Group Policy and User Configuration\Administrative Templates\System\Group Policy. The default is 90 minutes. Perhaps it's set for some absurdly high value.

Next, run gpupdate /force at an elevated command prompt on some of the PCs in your domain and see if the policy is applied to them.

Then, test other policies in the Default Domain Policy to make sure that they're being applied and that it's not a larger issue with Active Directory replication and application. If that's the case, you are well and truly hosed. =)

Finally, look into enabling debug logging for the Net Logon service. Once that's turned on, sift through the logs for bad password events. You should be able to see which computer is generating the event and track down the errant login process from there.
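The four checks above, worked through as one script. This is an added example, not code from the answer; it assumes an elevated PowerShell (2.0 or later) on a Windows Server 2008-era domain member or domain controller, run as a domain admin. The domain CONTOSO, the account renderuser and the hosts RENDER01/RENDER02/DC01 in the sample netlogon.log lines are constructed for illustration.

```powershell
# Added example; not code from the original answer. Assumes an elevated PowerShell
# (2.0 or later) on a Windows Server 2008 domain member or DC, run as a domain admin.
# The netlogon.log lines further down are constructed for illustration.

# Step 1: what the domain actually enforces right now. "net accounts /domain" reads
# the live values, not the GPO text, so a non-zero threshold here after editing the
# Default Domain Policy means the change has not reached the DCs yet.
function Get-EffectiveLockoutPolicy {
    (net accounts /domain 2>&1) | Where-Object { $_ -match 'Lockout' }
}

# Step 2: force a refresh on this machine and list which GPOs were applied,
# which also shows whether the Default Domain Policy is processed at all.
function Invoke-PolicyRefresh {
    gpupdate /force | Out-Null
    gpresult /r /scope:computer
}

# Step 3: verbose Net Logon debug logging. 0x2080FFFF is the mask Microsoft
# documents for this; output lands in %windir%\debug\netlogon.log. Disable again
# with "nltest /dbflag:0x0" once you have what you need; the log grows quickly.
function Enable-NetlogonDebug {
    nltest /dbflag:0x2080ffff | Out-Null
}

# Step 4: sift the log. Each SamLogon attempt is logged with the account, the
# client computer it came from and an NTSTATUS; 0xC000006A is STATUS_WRONG_PASSWORD,
# so grouping those by (user, source) points straight at the offending machine.
function Get-BadPasswordSources {
    param([string[]]$LogLines)
    $pattern = 'logon of (?<user>\S+) from (?<host>\S+) .*Returns (?<status>0x[0-9A-Fa-f]{8})'
    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern -and $Matches['status'] -ieq '0xC000006A') {
            New-Object PSObject -Property @{ User = $Matches['user']; Source = $Matches['host'] }
        }
    }
    $hits | Group-Object User, Source | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'User';   e = { $_.Group[0].User } },
            @{ n = 'Source'; e = { $_.Group[0].Source } }
}

# Constructed sample lines in netlogon.log format (one good logon from RENDER02,
# two wrong passwords from RENDER01 for the shared render-farm account).
$sampleLog = @'
07/15 10:23:45 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\renderuser from RENDER01 (via DC01) Entered
07/15 10:23:45 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\renderuser from RENDER01 (via DC01) Returns 0xC000006A
07/15 10:23:46 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\renderuser from RENDER02 (via DC01) Returns 0x0
07/15 10:24:10 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\renderuser from RENDER01 (via DC01) Returns 0xC000006A
'@ -split "`r?`n"

Get-BadPasswordSources -LogLines $sampleLog
# Against the real log on a DC:
# Get-BadPasswordSources -LogLines (Get-Content "$env:windir\debug\netlogon.log")
```

On the constructed input the grouping reports two STATUS_WRONG_PASSWORD hits for CONTOSO\renderuser from RENDER01 and nothing for RENDER02; on a real log the top row of that table is the machine to log on to and look for the scheduled task, service or mapped drive still using the old password.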



Author: Felix

Updated on September 18, 2022

Comments

  • Felix (over 1 year ago)

    We've played around with the account lockout policy but it did not turn out to be a great idea. We have one account that's being used by 100+ computers and every now and then it gets locked. We weren't able to find out yet why it's being blocked or who's causing it but it happens every 30-90 minutes. This causes our render farm (computer farm) to lose access to the server.

    We've changed the values affecting account lockout on the 'default domain policy' about 24h+ ago but it still seems to be active.

    Any idea how I can permanently disable it?

    • Hecter (about 12 years ago)
      Unless you have a good reason to disable account lockouts domain-wide, you might want to consider disabling it only for the OU that contains the service account that you mentioned. As for the problem of who or what is causing it, using something like Splunk to index your domain controller security logs might help if you're having trouble browsing/filtering them due to event volume. Look for Event ID 4740 and the preceding 4625 events. See also: Account Locked Out Troubleshooting
    • Wesley (about 12 years ago)
      @MilesErickson Setting fine-grained password policies at the OU level kinda sucks though. I'd stay away from it until and unless you can do it without ADSI edit in the future.
    • Hecter (about 12 years ago)
      @WesleyDavid I'd use PowerShell. But, I clearly don't mess with FGPP very often, because I didn't remember that they're applied to users/groups and not OUs.
  • Felix (about 12 years ago)
    Hey Wesley David. Setting it to 0 seems to have fixed it. I'll keep watching it this weekend.
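The two suggestions in the comments, finding the locking computer from Event ID 4740 (with the preceding 4625 events) and exempting only the service account with a fine-grained password policy instead of the whole domain, as one added example that is not code from the thread. It assumes a PDC emulator whose Security log you can read and, for the PSO part, the ActiveDirectory module (a Server 2008 R2 DC or RSAT; the cmdlets that avoid ADSI Edit arrived with R2). The group RenderFarmServiceAccounts, the account renderuser, the PSO name and the sample 4740 event XML are constructed.

```powershell
# Added example; not code from the thread. Assumes a PDC emulator you can read the
# Security log from, and the ActiveDirectory module (Server 2008 R2 DC or RSAT) for
# the PSO part. Group name, account name and the sample event are constructed.

# A 4740 is written on the PDC emulator when the account locks. In its event data
# TargetUserName is the locked account and TargetDomainName carries the
# "Caller Computer Name": the machine whose bad passwords hit the threshold.
function ConvertFrom-LockoutEvent {
    param([string]$EventXml)
    [xml]$x = $EventXml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time           = [datetime]$x.Event.System.TimeCreated.SystemTime
        Account        = $d['TargetUserName']
        CallerComputer = $d['TargetDomainName']
    }
}

function Get-LockoutSources {
    param([string]$Dc = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { ConvertFrom-LockoutEvent $_.ToXml() }
}

# The 4625 (logon failure) events preceding the 4740 on the same DC name the
# failing workstation and logon type. Coarse filter on the rendered message text.
function Get-FailedLogons {
    param([string]$Dc, [string]$Account, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } | Where-Object { $_.Message -match "Account Name:\s+$Account" } |
        Select-Object TimeCreated, Message
}

# Constructed 4740 event XML, shaped like what $event.ToXml() returns.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2012-03-02T10:15:00.0000000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">renderuser</Data>
    <Data Name="TargetDomainName">RENDER07</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEvent $sampleEvent   # Account renderuser, CallerComputer RENDER07

# Scoping the exemption: a Password Settings Object applies to users and global
# security groups, not OUs. Precedence 10 wins over the Default Domain Policy for
# its subjects only; the rest of the domain keeps lockout. The remaining values are
# mandatory PSO attributes, so they must be supplied even though only the
# threshold matters here.
function New-NoLockoutPso {
    param([string]$Name = 'PSO-NoLockout-RenderFarm',
          [string]$Group = 'RenderFarmServiceAccounts',
          [string]$Account = 'renderuser')
    Import-Module ActiveDirectory
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -LockoutThreshold 0 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ComplexityEnabled $true -MinPasswordLength 15 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    # Confirm the PSO is what the account actually gets, not the domain default.
    Get-ADUserResultantPasswordPolicy -Identity $Account
}
```

Run Get-LockoutSources against the PDC emulator first (4740 is logged there for the whole domain), then Get-FailedLogons on the same DC for the window around each lockout. Only once the offending process is fixed, or if the shared account genuinely has to survive stale credentials on 100+ hosts, reach for New-NoLockoutPso; the PSO keeps lockout in force for every other account in the domain.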