Troubleshooting account lockout.

It's been a couple of days of searching for answers on how to resolve "frequent account lockout in Active Directory (AD)". If you missed my previous posts, here are the links:
1st post - http://www.whaddya.com/2011/09/frequent-account-lockout-in-active.html
2nd post - http://www.whaddya.com/2011/09/windows-needs-your-credentials.html

Today I will follow this Microsoft Technet article on how to troubleshoot account lockout:
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

I opened Active Directory Users and Computers, right-clicked my AD domain (for example, whaddya.com), and chose Properties. On the Group Policy tab, select Default Domain Policy and click Properties.

In Group Policy Object Editor, expand Windows Settings, Security Settings, Account Policies, then click Account Lockout and change the Account lockout threshold from 3 to 50. You need to come back here and change it back to 3 after your troubleshooting.

Save the policy.

On the AD server, open a command prompt and run "net accounts" to confirm that the change has been applied.
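"net accounts" only reports what the domain controller you are logged on to currently holds. The PowerShell below is an added example, not part of the original post or of the Technet article it follows: it asks every domain controller for the domain's lockout settings, so you can tell whether the GPO change has replicated everywhere or is still on its way. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the domain object, and that the value you expect is the 50 set above.

```powershell
# Added example (not from the original post): check the domain lockout policy on every DC.
# Assumes the ActiveDirectory PowerShell module and read access to the domain object.
Import-Module ActiveDirectory

$domainDN          = (Get-ADDomain).DistinguishedName
$expectedThreshold = 50   # the value set in the Default Domain Policy during troubleshooting

function Convert-AdInterval([int64]$value) {
    # Lockout duration and observation window are stored as negative 100-ns ticks;
    # Int64.MinValue means "never" (lockout duration 0 in the GPO editor).
    if ($value -eq [int64]::MinValue) { return 'never' }
    return ('{0}m' -f [TimeSpan]::FromTicks(-$value).TotalMinutes)
}

foreach ($dc in Get-ADDomainController -Filter *) {
    # Read the domain object from this specific DC, not from whichever one answers first
    $d = Get-ADObject -Identity $domainDN -Server $dc.HostName `
            -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow

    $state = if ([int]$d.lockoutThreshold -eq $expectedThreshold) { 'OK' } else { 'NOT YET REPLICATED' }

    '{0,-30} threshold={1,-3} duration={2,-6} window={3,-6} {4}' -f `
        $dc.HostName, $d.lockoutThreshold,
        (Convert-AdInterval $d.lockoutDuration),
        (Convert-AdInterval $d.lockOutObservationWindow),
        $state
}
```

Run it a few minutes after saving the policy; a DC still showing the old threshold explains why a test account can keep locking out even though "net accounts" on the PDC already shows the new value.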

I applied net use /persistent:no. Here is the explanation of why not to use persistent connections:
"Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, type net use /persistent:no. Alternately, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive." (2011, Microsoft Technet)

I used the LockoutStatus.exe tool to monitor the account and see how quickly it locks out the user. I noticed right away that the Bad Pwd Count was 4.

After a few hours ... the Bad Pwd Count is still at 4.

I updated the Account lockout threshold from 50 to 10, since LockoutStatus reported a maximum of 4 over the last two hours. Check with "net accounts" to see whether the change has been applied; on some networks, AD updates take a while, between 5 and 15 minutes, to show up.

After a few hours ... the Bad Pwd Count is still at 4. If my test account does not lock out with an Account lockout threshold of 10 for the next 24 hours, I will consider this issue resolved. Thank God, it's time to celebrate.
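LockoutStatus.exe works by asking each domain controller separately, because badPwdCount is not replicated between DCs; only the PDC emulator, which receives a copy of every failed logon, has the full picture. The script below is an added example, not the post's own procedure or Microsoft's tool: it reproduces the per-DC view of the counters and then reads the lockout events from the PDC emulator to show which computer is sending the stale credentials, which is what a persistent drive mapping or a saved password will look like. It assumes the ActiveDirectory module, a constructed account name ($account = 'testuser'), read access to the Security log on the PDC emulator, and Windows Server 2008 or later event IDs (4740 "A user account was locked out"); older domain controllers log the older event IDs instead.

```powershell
# Added example (not from the original post): per-DC bad-password counters for one
# account, plus the lockout events from the PDC emulator that name the source computer.
# Assumes the ActiveDirectory module and Security-log read rights on the PDC emulator.
Import-Module ActiveDirectory

$account = 'testuser'                    # constructed example account name
$pdc     = (Get-ADDomain).PDCEmulator

# 1. Same view as LockoutStatus.exe: badPwdCount is per DC and is never replicated.
foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $account -Server $dc.HostName `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut

    # badPasswordTime and lockoutTime are FILETIME values; 0 means "never"
    $lastBad = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { 'never' }
    $locked  = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { 'not locked' }

    '{0,-30} BadPwdCount={1,-3} LastBadPwd={2} LockoutTime={3}' -f `
        $dc.HostName, $u.badPwdCount, $lastBad, $locked
}

# 2. Who is sending the bad credentials? Event 4740 on the PDC emulator records the
#    caller computer name in its TargetDomainName field (Properties[1]).
$since = (Get-Date).AddHours(-24)
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
             -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { $_.Properties[0].Value -eq $account } |      # TargetUserName
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value               # machine that triggered the lockout
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A Bad Pwd Count that stays at 4 on every DC with no 4740 events in the last 24 hours is the evidence you want before lowering the threshold back; a steady stream of 4740 events from one CallerComputer points at the machine whose mapped drive, scheduled task or service is still using the old password.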
