Undo Account Lockout Policy GPO

Discussion in 'Active Directory' started by vdz, Jun 8, 2008.

  1. vdz

    vdz Guest

    Hi

    Recently I deployed this GPO, however our boss does not like it and asked me
    to remove it.
    I set all three policies to "not defined". But it does not seem to work.
    Have I missed something here?

    Thanks a lot in advance
     
    vdz, Jun 8, 2008
    #1

  2. Hello vdz,

    How long did you wait? Did you run gpupdate on a client machine after changing
    the policy or restart the computer? Where is the policy set and are the machines
    also in the OU where the GPO is linked to?

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jun 8, 2008
    #2

  3. Jorge de Almeida Pinto [MVP - DS], Jun 8, 2008
    #3
  4. vdz

    vdz Guest

    Thank you all for your help.

    I changed this GPO 24 hrs before I tested.

    I have read about this "tattoo" before, but I did not quite remember what it was.
    If you could tell me how to reverse to the old values, that would be great.

    Cheers
     
    vdz, Jun 9, 2008
    #4
  5. Hello vdz,

    Where you set the policy to "not defined" change it to the opposite of the
    setting before.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jun 9, 2008
    #5
  6. Jorge de Almeida Pinto [MVP - DS], Jun 9, 2008
    #6
  7. Tattooing is similar to if you were to go up to a machine and run your
    registry editor and make the change. Now if you were to go into your gpo
    and define it as not set, the value tattooed won't change, so you need to
    modify the gpo and tattoo a value you want it set to (What it used to be)
    and then once all the users are reset back to the original value go back in
    and set the gpo to not set.
     
    Paul Bergson [MVP-DS], Jun 9, 2008
    #7
  8. vdz

    vdz Guest

    Hi all

    Thanks a lot for all your help.

    Please let me verify what I understand.
    By default
    Account Lockout duration - Not defined
    Account Lockout threshold - Not defined
    Reset account lockout after count - Not defined.

    Then I set those three policies as below:

    Account Lockout duration - 30 minutes
    Account Lockout threshold - 5 invalid logon attempts
    Reset account lockout after count - 30 minutes

    And now I unticked the box - "Define this policy setting" to make it "Not
    Defined" settings for all three policies.

    Is this how to put the OLD settings back? Please excuse me if I asked too much.

    Thanks
     
    vdz, Jun 10, 2008
    #8
  9. You need to leave the updating settings long enough so that all users have
    the new policy applied before you untick the settings. Wait at least 1
    week.
     
    Paul Bergson [MVP-DS], Jun 10, 2008
    #9
  10. vdz

    vdz Guest

    Hi Paul

    Thanks for that. I have had this policy set for 1 month now.
    Are you saying that if I put it back where it was, it might take time too?
    Please confirm
    Once again thank you very much

    Cheers
     
    vdz, Jun 10, 2008
    #10
  11. DevilsPGD

    DevilsPGD Guest

    In message <> vdz
    You can't unset this policy by changing it to "Not defined", you must
    change it by defining new settings. Once you define new settings, leave
    the new settings in place at least a week to allow them to propagate,
    then you can revert to "Not defined" (if desired)
     
    DevilsPGD, Jun 11, 2008
    #11
  12. Yes, you need to tattoo it back before setting it to not defined.
     
    Paul Bergson [MVP-DS], Jun 11, 2008
    #12
  13. vdz

    vdz Guest

    Hi all

    Sorry to bother you all again. As I reset this policy to the new setting 10
    days ago,

    FROM

    Account Lockout duration - 30 minutes
    Account Lockout threshold - 5 invalid logon attempts
    Reset account lockout after count - 30 minutes

    TO

    Account Lockout duration - 2 minutes
    Account Lockout threshold - 10 invalid logon attempts
    Reset account lockout after count - 2 minutes

    But it does not take effect at all. Or should I wait a bit longer? Please
    advise

    Thank you very much

    Cheers
     
    vdz, Jun 30, 2008
    #13
  14. Jorge de Almeida Pinto [MVP - DS], Jun 30, 2008
    #14
  15. Jorge,
    I'm stumped. How is the adfind dump going to help out? Interested in
    learning what in particular you are looking for.
     
    Paul Bergson [MVP-DS], Jun 30, 2008
    #15
  16. vdz

    vdz Guest

    Thank you Jorge.
    I did issue gpupdate /force and restarted the server, but it still refused to
    work :(.
    I also issued the adfind command, but unfortunately it did not recognize
    this command.

    Any other suggestions? Thanks a lot

    Cheers
     
    vdz, Jul 1, 2008
    #16
  17. adfind is a free tool from joeware.net and is downloadable there
     
    Paul Bergson [MVP-DS], Jul 1, 2008
    #17
  18. I want to see if the PWD settings are indeed applied to the domain NC head
    where the info is actually stored! ;-)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * How to ask a question --> http://support.microsoft.com/?id=555375
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
     
    Jorge de Almeida Pinto [MVP - DS], Jul 1, 2008
    #18
  19. Jorge de Almeida Pinto [MVP - DS], Jul 1, 2008
    #19
  20. vdz

    vdz Guest

    Thank you Paul and Jorge

    I did issue GPUPDATE /FORCE on the DC with PDC FSMO.
     
    vdz, Jul 2, 2008
    #20
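
The check asked for in post #18, reading the lockout values stored on the domain NC head, can also be done with PowerShell instead of adfind. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed and takes the target values from post #13 as the expected settings.

```powershell
# Added example: read-only check of the lockout settings on the domain NC head.
Import-Module ActiveDirectory

# Values the GPO is expected to deliver (the "TO" settings from post #13).
$expected = @{
    lockoutThreshold         = 10   # invalid logon attempts
    lockoutDuration          = 2    # minutes
    lockOutObservationWindow = 2    # minutes (reset lockout counter after)
}
$attrs = @($expected.Keys)

# The domain NC head is the domain object itself; query the PDC emulator,
# the DC on which vdz ran gpupdate in post #20.
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$head   = Get-ADObject -Identity $domain.DistinguishedName -Server $pdc -Properties $attrs

$report = foreach ($name in $attrs) {
    $raw = $head.$name
    # Duration and observation window are stored as negative 100-nanosecond
    # intervals; 600,000,000 of them make one minute. The threshold is a plain count.
    $actual = if ($name -eq 'lockoutThreshold') { [int]$raw }
              else { [double]$raw / -600000000 }
    [pscustomobject]@{
        Attribute = $name
        RawValue  = $raw
        Expected  = $expected[$name]
        Actual    = $actual
        Match     = ($actual -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# When and where each value was last written: an old timestamp means the
# changed GPO never reached the domain object.
Get-ADReplicationAttributeMetadata -Object $domain.DistinguishedName -Server $pdc -Properties $attrs |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

A `Match` of `False` together with an old `LastOriginatingChangeTime` points at the GPO not being processed for the domain object, rather than at clients needing more time.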