Undocumented GPO Value- LockoutDuration= -1

Discussion in 'Active Directory' started by SAMMOn, Jan 11, 2006.

  1. SAMMOn

    SAMMOn Guest

    I've looked at every piece of information I could find, searched the
    Internet, Technet, MSDN etc.... and can't seem to find this information
    anywhere:

    I am auditing a Windows 2003 A.D. environment and have been evaluating the
    GPOs. The LockoutDuration is set to -1. According to the tech docs, only values
    from 0-999 are allowed. 0 = the administrator must re-enable a locked-out
    account. The only thing I can surmise is:
    1. The feature is not enabled.
    2. The value has something to do with the Forest/Domain/Server settings in
    particular.

    Any information would be a great help.

    Thanks,
     
    SAMMOn, Jan 11, 2006
    #1

  2. Hi,

    How are you reading the value of lockoutDuration? This attribute is Integer8
    and there is a bug in the IADsLargeInteger interface used to interpret
    Integer8 values. In my domain, ADSI Edit shows lockoutDuration to
    be -18000000000, and this corresponds to 30 minutes. The raw value is a
    64-bit number representing the number of 100-nanosecond intervals.

    A value of -1 would correspond to a very large value (1.7x10^9 minutes).
    Although I've never seen this, something may set this value to mean never.
    I've seen similar values for some other Integer8 attributes, which I have
    interpreted to mean very far in the future.

    For more information on Integer8 attributes and how to read them in scripts,
    see this link:

    http://www.rlmueller.net/Integer8Attributes.htm
     
    Richard Mueller, Jan 11, 2006
    #2

  3. SAMMOn

    SAMMOn Guest

    Richard,

    My sincere thanks for the feedback. I think your assessment is correct as
    I've received some feedback from the group who was running audits on the
    machines. They have reported that the SECEDIT tool they are using is
    returning -1 values for servers which have a true setting of 0. The group is
    opening a ticket with MS.

    Cheers,

    Scott
     
    SAMMOn, Jan 12, 2006
    #3
  4. flyfishr64

    flyfishr64 Guest

    Hi Richard,

    I've encountered the same value set for LockoutDuration at a customer site.
    My code handles the documented value of '0' to mean the account must be
    unlocked by an administrator, and treats any other value as a time interval
    to be added to lockoutTime. What's happening at the customer site is that our
    product does not detect that an account is locked when it should. I've
    verified with the customer that they have set the GPO lockout duration to '0'
    in the UI. I've found other posts online (see
    http://groups.google.com/group/micr...=lockoutduration+"-1"&rnum=3#18bcbd6d3782183d)
    that seem to show that -1 is a value that is in fact used, but I don't know
    it's meaning. My assumption is that it also means the account must be
    unlocked by an administrator.

    An excerpt from our log file, showing the GPO values retrieved via LDAP:
    defaultNamingContext attribute lockoutDuration: -9223372036854775808
    defaultNamingContext attribute lockOutObservationWindow: -59999400000000
    defaultNamingContext attribute lockoutThreshold: 6
    defaultNamingContext attribute maxPwdAge: -38880000000000
    defaultNamingContext attribute minPwdAge: 0
    defaultNamingContext attribute minPwdLength: 6
    defaultNamingContext attribute pwdProperties: 1
    defaultNamingContext attribute pwdHistoryLength: 15
    defaultNamingContext attribute subSchemaSubEntry:
    CN=Aggregate,CN=Schema,CN=Configuration,DC=xxx,DC=net


    Any idea what the -1 means?

    Thanks!
     
    flyfishr64, Mar 16, 2006
    #4
  5. Hi,

    I've never seen -1 for lockoutDuration. I find when you create a new user
    object and do not give it an expiration date, the system assigns the
    accountExpires attribute the value -1. Because of the way 64-bit numbers are
    handled, this is equivalent to 2^63-1, a huge number (the maximum allowed).
    The only values you can assign to accountExpires in VBScript are 0 and -1.
    In my code to read accountExpires (or any Integer8 values), I interpret 0 as
    never. When I convert the value to a date, I need to trap an error if this
    fails because the value is huge (2^63-1) and again interpret this as never.
    My guess is that -1 means the same thing for lockoutDuration, in this case
    forever. Assigning -1 to any Integer8 attribute must be a quick way to give
    it a value equivalent to forever or never.
     
    Richard Mueller, Mar 16, 2006
    #5
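A worked example, added here and not code from either poster: it parses the log excerpt quoted in post #4 (the sample values are copied from that post), renders each Integer8 as the interval the GPO editor would show, and includes the lockout check that the poster's product got wrong. It assumes, as the thread concludes but does not verify, that INT64_MIN (the -9223372036854775808 in the log) and the -1 reported by SECEDIT both mean "forever".

```python
import re
from datetime import timedelta

# AD keeps these domain-policy intervals as Integer8 (signed 64-bit) counts of
# 100-nanosecond ticks, stored negated. INT64_MIN (0x8000000000000000) is the
# sentinel for "forever"; assumption from the thread: secedit's -1 means the same.
INT64_MIN = -2**63
FOREVER = (INT64_MIN, -1)
DURATION_ATTRS = {"lockoutDuration", "lockOutObservationWindow", "maxPwdAge", "minPwdAge"}
LOG_RE = re.compile(r"defaultNamingContext attribute (\w+): (-?\d+)")

# Constructed sample: the lines quoted from the poster's log file in post #4
SAMPLE_LOG = """\
defaultNamingContext attribute lockoutDuration: -9223372036854775808
defaultNamingContext attribute lockOutObservationWindow: -59999400000000
defaultNamingContext attribute lockoutThreshold: 6
defaultNamingContext attribute maxPwdAge: -38880000000000
defaultNamingContext attribute minPwdAge: 0
"""

def interpret_integer8(attr, raw):
    """Render a raw Integer8 policy value the way the GPO editor would show it."""
    if attr not in DURATION_ATTRS:
        return str(raw)                       # plain counters such as lockoutThreshold
    if raw in FOREVER:
        if attr == "lockoutDuration":
            return "forever (UI shows 0: administrator must unlock)"
        return "never"
    if raw > 0:
        raise ValueError(f"{attr}: durations are stored negated, got {raw}")
    return str(timedelta(microseconds=-raw // 10))  # one tick is 100 ns

def parse_policy_log(text):
    """Map each 'defaultNamingContext attribute X: N' line to its reading."""
    return {m.group(1): interpret_integer8(m.group(1), int(m.group(2)))
            for m in LOG_RE.finditer(text)}

def is_locked_out(lockout_time, lockout_duration, now):
    """Lockout check that handles the sentinel post #4's product missed.
    lockout_time and now are FILETIME-style tick counts; lockout_time 0 means
    the account is not locked."""
    if lockout_time == 0:
        return False
    if lockout_duration in FOREVER:
        return True                           # expires only when an admin unlocks
    return now < lockout_time + (-lockout_duration)

if __name__ == "__main__":
    for attr, reading in parse_policy_log(SAMPLE_LOG).items():
        print(f"{attr}: {reading}")
```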