Undo Account Lockout Policy GPO

Discussion in 'Active Directory' started by vdz, Jun 8, 2008.

  1. Jorge de Almeida Pinto [MVP - DS], Jul 2, 2008
    #21
    1. Advertisements

  2. vdz

    vdz Guest

    Here it is. Thank you

    C:\>adfind -default -s base

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: WCT-SER-00.wctaustralia.com:389
    Directory: Windows Server 2003
    Base DN: DC=wctaustralia,DC=com

    dn:DC=wctaustralia,DC=com
    44DF 6795 BB49 9612 8EE0 D4F1 F8C4
    93DB BAF5 560F 224A 364D 0000 0000 0000 078F EFFD 0200 0000

    1 Objects returned
     
    vdz, Jul 2, 2008
    #22
    1. Advertisements

  3. gotcha



    "Jorge de Almeida Pinto [MVP - DS]"
     
    Paul Bergson [MVP-DS], Jul 2, 2008
    #23
  4. this is what is defined as lockout settings on the domain NC head...
    the following is what you HAD/HAVE (and corresponds to the values above)

    tthe following is what you WANT
    which means the GPO with the settings is not being applied, is incorrectly
    linked, or whatever

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * How to ask a question --> http://support.microsoft.com/?id=555375
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    ------------------------------------------------------------------------------------------
    #################################################
    #################################################
    ------------------------------------------------------------------------------------------
     
    Jorge de Almeida Pinto [MVP - DS], Jul 2, 2008
    #24
  5. vdz

    vdz Guest

    Thanks for pointing out this.
    Huumm!! it does not make sense.
    On the same DC (we have only one DC), the same "Default Domain Policy" (we
    have only one GPO) and the same policy that I configured, now I can't change
    it or reset.
    I double checked if it links to right the root of Domain. it never changed.

    I am stuck here, I have never come accross this issue before.

    Any other suggestions would be appreciated.





     
    vdz, Jul 2, 2008
    #25
  6. vdz

    vdz Guest

    Hi All

    What I id was that

    I created a new GPO
    I imported from the existing GPO, so they are identical.
    Linked to our Domain
    then I changed the Account Lockout Policy as follows

    Account Lockout duration - Not defined
    Account Lockout threshold - 0
    Reset account lockout after count - Not defined.

    Run GPUPDATE /FORCE
    Run adfind -default -s base

    Here is the new result:
    only lockout Threshold changed accordingly, the other 2 are still the same
    :( .

    Thought I would let you know.
    Thanks a lot for all your help and support


     
    vdz, Jul 4, 2008
    #26
  7. For Account Lockout Policy "Not Defined" *DOES NOT* remove a previous
    configured value. You need to define some value if you want to change it.
    That also applies if you want to change it back to its default value in the
    attribute.

    To find out what the default value is setup a DC in a domain and look at the
    attributes in the domain NC head

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * How to ask a question --> http://support.microsoft.com/?id=555375
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    ------------------------------------------------------------------------------------------
    #################################################
    #################################################
    ------------------------------------------------------------------------------------------
     
    Jorge de Almeida Pinto [MVP - DS], Jul 7, 2008
    #27
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.