Account Lockout threshold



ikbea
07-09-2005, 11:53 PM
Three domain controllers: one primary and two backup.
Member servers (joined to the same domain): MServer1, MServer2
All are Windows 2000 SP3 servers.

I want to set the account policy on MServer1 and MServer2:
Account lockout duration: Not defined (original) --> 30 minutes (new)
Account lockout threshold: 0 (original) --> 5 (new) invalid logon attempts
Reset account lockout counter after: Not defined (original) --> 30 minutes (new)

On MServer1, all settings were changed as I expected.
However, on MServer2, in "Local Policy Settings --> Account lockout threshold",
the local setting = 5 but the effective setting = 0.

On the DC, in the "Domain Controller Security Policy", "Domain Security Policy"
and "Local Security Policy", the effective setting = not defined.

I tried to change the MServer2 account lockout threshold to 5 in "Local
Security Policy", "MMC --> Group Policy" and "MMC --> Security Configuration and
Analysis", but the effective setting is still 0.

How do I set the account lockout threshold to 5 on MServer2?

ikbea
07-09-2005, 11:53 PM
For further information:
On all DCs, in the "Domain Controller Security Policy" and "Domain Security Policy":
local setting = not defined
effective setting = not defined

On the PDC, "Local Policy" --> Account lockout threshold:
local setting = 0 invalid logon attempts
effective setting = not defined (WHY??)

On the two BDCs, "Local Policy" --> Account lockout threshold:
local setting = 0 invalid logon attempts
effective setting = 0 invalid logon attempts

Thanks



Roger Abell [MVP]
07-09-2005, 11:53 PM
I thought you indicated W2k at SP3 (you really, really, really need to
get SP4 on those machines!!), so I have no idea what you are saying
about a PDC and 2 BDCs?

That the effective setting shows as 0 on MServer2 and the local as 5 indicates
that there is a GPO with this setting in use that is being applied to
MServer2. I would look at the OU level for a GPO that has MServer2
in its scope of management.

The way to do this, if you intend to make the setting as you are stating
for member server logins with member server local accounts (not domain
accounts), is to set the policy values in a GPO that is linked at the OU
level to a containing OU of the members.

If you are after affecting these behaviors for domain accounts when used
on the members, this can only be done in a manner that affects all machines
in the entire domain when a domain account logs in to them.

--
Roger Abell
Microsoft MVP (Windows Server: Security)
MCDBA, MCSE W2k3+W2k+Nt4

ikbea
07-09-2005, 11:54 PM
The domain has three domain controllers:
- i.e. one is the primary domain controller (PDC) and the other two are backup
domain controllers (BDC1 & BDC2).
- All are Windows 2000 Advanced Servers with Service Pack 3; as they are used
in a production environment, it takes time to plan for upgrading to Service
Pack 4.

There are several member servers:
- Windows 2000 Advanced Servers with Service Pack 3.
- Two of these member servers are called MServer1 and MServer2.

Domain Security Policy - Account lockout threshold
==================================================
          effective
PDC       Not defined
BDC1      Not defined
BDC2      Not defined

Domain Controller Security Policy - Account lockout threshold
=============================================================
          effective
PDC       Not defined
BDC1      Not defined
BDC2      Not defined

Local Security Policy - Account lockout threshold
=================================================
          local                      effective
PDC       0 invalid logon attempts   Not defined (WHY is it not the same as local??)
BDC1      0 invalid logon attempts   0 invalid logon attempts
BDC2      0 invalid logon attempts   0 invalid logon attempts
MServer1  5 invalid logon attempts   5 invalid logon attempts
MServer2  5 invalid logon attempts   0 invalid logon attempts (WHY is it not the same as local??)

As the domain level policy is not defined, I assumed the "effective
settings" should be the same as the "local settings" in "Local Security Policy"
(i.e. the domain level policy will not override the local policy). However, this
is not true for the PDC and MServer2. Why, and how do I correct it?

Moreover, the event log showed some strange entries; I don't know whether they
are related or not.
1. In the security log on MServer2 and the PDC,
the following entry is logged when new local security settings are applied (e.g.
running secedit to refresh):
Category: Account Management
Event ID: 643
Domain Policy Changed: Password Policy modified

However, no "Domain Policy Changed: Lockout Policy modified" is shown in the
security log.

2. On the PDC, in the File Replication Service log:
Source: NTFrs
Type: Error
Event ID: 13568
The File Replication Service has detected that the replica set "DOMAIN
SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR

Thanks again!




Roger Abell [MVP]
07-09-2005, 11:54 PM
Not meaning to be a pita here, but there simply is no such thing
as a PDC and BDCs running W2k and later, although there is some
minor, necessary functionality identified under the name PDC emulator
FSMO. The use of the names may hold meaning for you, but for
many of us it is just confusing and distracting. W2k and later DCs
are peers and essentially equal, save things like FSMO roles etc.

There are very many changes in W2k SP4, including adjustments to
the FRS code, which may actually be a factor in your issues.
Have you tried TechNet searches on resolutions for the FRS journal
wrapping? As IIRC you need to look at specifics as to what plugged
up your FRS replication out of the possible causes. Think in a hand-waving
way of FRS having database-like properties, where items to
be replicated are transacted (journaled) and the transaction log (journal)
gets cleared back as all is confirmed completed. That you have this
showing in the event log for FRS likely indicates your Sysvol replication
may be toasted, and hence GP support is sick.

After FRS is healthy, then addressing why GP is (was) being applied
differently at different machines would make sense. Until then, as GP
in part depends on FRS, you are taking things out of order by not getting
AD replication support healthy first.

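The local-versus-effective comparison Roger describes, as an added PowerShell example (not code from the thread or from Microsoft): it reads the local GPO's security template for the "local setting" and `net accounts` for the "effective setting", and flags the MServer2-style mismatch that points at a domain- or OU-linked GPO. The template path and the `net accounts` output format are assumptions noted in the comments.

```powershell
# Added example, not from the thread: report the local vs. effective account
# lockout threshold on one Windows machine, the mismatch ikbea saw on MServer2.
# Assumptions (not stated in the thread): the local GPO's security template is
# %windir%\System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# (key LockoutBadCount under [System Access]), and `net accounts` reports the
# value actually enforced. Run from an elevated PowerShell on the server itself.

function Get-LocalLockoutThreshold {
    # "Local setting" = what the local GPO template asks for; absent = Not defined.
    $inf = Join-Path $env:windir 'System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path $inf)) { return $null }
    $hit = Select-String -Path $inf -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)' | Select-Object -First 1
    if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
}

function Get-EffectiveLockoutThreshold {
    # "Effective setting" = what the security database enforces; `net accounts`
    # prints "Never" when the threshold is 0 (lockout disabled).
    $text = (net accounts 2>$null) -join "`n"
    $m = [regex]::Match($text, 'Lockout threshold:\s+(\S+)')
    if (-not $m.Success) { return $null }
    if ($m.Groups[1].Value -eq 'Never') { 0 } else { [int]$m.Groups[1].Value }
}

function Compare-LockoutThreshold {
    $local = Get-LocalLockoutThreshold
    $effective = Get-EffectiveLockoutThreshold
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Local      = if ($null -eq $local) { 'Not defined' } else { $local }
        Effective  = if ($null -eq $effective) { 'Unknown' } else { $effective }
        # Local 5 / effective 0, as on MServer2, means a domain- or OU-linked GPO
        # is winning over the local policy; gpresult /scope computer /v lists them.
        Overridden = ($null -ne $local -and $null -ne $effective -and $local -ne $effective)
    }
}

Compare-LockoutThreshold | Format-List
```

For domain accounts the threshold that matters is the one in the domain-level policy, as Roger notes, so a member server's local value only governs its local accounts.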