Account should be locked out.....but isn't!


Qu33n Bee

Hi
I am a security auditor for a Windows 2003/2000 mixed-mode domain. Client
workstations are XP SP2, and all domain controllers are 2003 server. The
default domain group policy defines the account lockout policy at a threshold
of 6 failed logons.
Recently I have noticed a large number of failed logons for a user who has
Domain Admins membership. With 1154 failures in 2 days, I would have expected
the account to have been locked out but it isn't. The failures are all
529/Type 3. I have checked for settings that block inheritance of the default
domain policy but there are none. How can the account have failed logon so
many times and not triggered the lockout?
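An added example, not code from the thread, of the first check an auditor would make on the numbers quoted above: replay the 529 events per account with the domain's lockout rules and flag any account that crossed the threshold without a matching 644 (account locked out) event. The event lines are constructed, in a simplified "time|event id|logon type|account|log source" shape rather than the native Windows 2003 event format; the threshold of 6 is the thread's, the 30-minute reset window is an assumed value.

```python
"""Triage of failed-logon events against the domain lockout threshold.

Added example, not part of the newsgroup thread. The events below are
constructed, in a simplified "time|event id|logon type|account|log source"
shape rather than the native Windows 2003 event format. The threshold of 6 is
the thread's; the 30-minute reset window is an assumed value.
"""
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6                   # "Account lockout threshold" from the thread
RESET_WINDOW = timedelta(minutes=30)    # assumed "Reset account lockout counter after"

# Constructed sample. 529 = logon failure (bad user name or password), 644 = locked out.
SAMPLE_EVENTS = r"""
2005-06-01 08:00:05|529|3|ACME\jdoe|DC01
2005-06-01 08:00:35|529|3|ACME\jdoe|DC01
2005-06-01 08:01:05|529|3|ACME\jdoe|DC01
2005-06-01 08:01:35|529|3|ACME\jdoe|DC01
2005-06-01 08:02:05|529|3|ACME\jdoe|DC01
2005-06-01 08:02:35|529|3|ACME\jdoe|DC01
2005-06-01 08:03:05|529|3|ACME\jdoe|DC01
2005-06-01 09:00:00|529|2|ACME\asmith|WKS17
2005-06-01 09:00:10|529|2|ACME\asmith|WKS17
2005-06-01 09:00:20|529|2|ACME\asmith|WKS17
2005-06-01 09:00:30|529|2|ACME\asmith|WKS17
2005-06-01 09:00:40|529|2|ACME\asmith|WKS17
2005-06-01 09:00:50|529|2|ACME\asmith|WKS17
2005-06-01 09:00:51|644|-|ACME\asmith|DC01
2005-06-01 10:00:00|529|3|ACME\bjones|DC02
2005-06-01 10:45:00|529|3|ACME\bjones|DC02
2005-06-01 11:30:00|529|3|ACME\bjones|DC02
"""


def parse_events(text):
    """Return (time, event_id, logon_type, account, source) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        when, event_id, logon_type, account, source = line.split("|")
        events.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), logon_type, account, source))
    return sorted(events)


def expected_lockouts(events):
    """Replay the 529s per account with the reset-window rule.

    Returns account -> (time the threshold was first reached or None, total 529s).
    """
    counts, last_bad, expected, totals = {}, {}, {}, {}
    for when, event_id, _logon_type, account, _source in events:
        if event_id != 529:
            continue
        totals[account] = totals.get(account, 0) + 1
        if account in last_bad and when - last_bad[account] > RESET_WINDOW:
            counts[account] = 0                 # quiet period elapsed, counter resets
        counts[account] = counts.get(account, 0) + 1
        last_bad[account] = when
        if counts[account] >= LOCKOUT_THRESHOLD and account not in expected:
            expected[account] = when
    return {acct: (expected.get(acct), totals[acct]) for acct in totals}


def find_missing_lockouts(events):
    """Accounts that reached the threshold without a 644 at or after that moment."""
    locked_at = {}
    for when, event_id, _logon_type, account, _source in events:
        if event_id == 644 and account not in locked_at:
            locked_at[account] = when
    missing = []
    for account, (expected_at, total) in expected_lockouts(events).items():
        if expected_at is None:
            continue
        if account not in locked_at or locked_at[account] < expected_at:
            missing.append((account, total, expected_at))
    return missing


if __name__ == "__main__":
    for account, total, expected_at in find_missing_lockouts(parse_events(SAMPLE_EVENTS)):
        print(f"{account}: {total} failures, threshold reached {expected_at}, no 644 seen")
```

Run against the constructed sample it reports only ACME\jdoe: asmith was locked out one second after the sixth failure, and bjones's failures are spaced wider than the reset window, so the counter never climbs past one. A real run would pull the 529 and 644 events from every domain controller, not from one workstation, for the reason Roger gives later in the thread.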
 

Roger Abell [MVP]

"Qu33n Bee" <Qu33nBee@discussions.microsoft.com> wrote in message
news:AA92B332-4F0C-40C0-BC9E-E57E3C5D9ED0@microsoft.com...
> Hi
> I am security auditor for a Windows 2003/2000 mixed-mode domain. Client
> workstations are XP SP2, and all domain controllers are 2003 server. The
> default domain group policy defines the account lockout policy at a
> threshold
> of 6 failed logons.
> Recently I have noticed a large number of failed logons for a user who has
> Domain Admins membership. With 1154 failures in 2 days, I would have
> expected
> the account to have been locked out but it isn't. The failures are all
> 529/Type 3. I have checked for settings that block inheritance of the
> default
> domain policy but there are none. How can the account have failed logon so
> many times and not triggered the lockout?


So I will assume your check also confirmed that the setting is not
being defined in a higher priority (than the default domain GPO)
GPO linked to the domain.
Is the account the built-in Administrator (possibly renamed)?

Roger
 

Qu33n Bee

Yes, I have checked and there are no GPOs that apply to this account that
define lockout policy other than the default domain policy. This is not the
built-in Admin account, but a user account which is a member of the Domain
Admins group. Other members of the same group, with the same account
configuration have been locked out due to incorrect password entry so it is a
mystery as to why this account was not locked out.
 

Qu33n Bee

Yes, I have confirmed that there are no GPOs other than the default domain
policy that contain configuration settings for account lockout.

The account is not the built-in Admin account, but a user account which is a
member of the Domain Admins group. Other members of the same group with the
same account configuration have been locked out due to incorrect password
entry, so it is a mystery why this account remains unlocked after so many
logon failures.

 

Qu33n Bee

Update -- I have found an event which indicates that Group Policy processing
was aborted as the domain could not be contacted due to invalid credentials
being supplied. I guess that if the GP relies on authenticated connection to
the domain, and the wrong password is supplied for the user then group
policies will not be applied and the failed logons would not trip the lockout
threshold - can anyone confirm that this is the case?

 

Roger Abell [MVP]

"Qu33n Bee" <Qu33nBee@discussions.microsoft.com> wrote in message
news:8FB35C4E-6A4A-43D2-825C-7ADB40BFD81E@microsoft.com...
> Update -- I have found an event which indicates that Group Policy
> processing
> was aborted as the domain could not be contacted due to invalid
> credentials
> being supplied. I guess that if the GP relies on authenticated connection
> to
> the domain, and the wrong password is supplied for the user then group
> policies will not be applied and the failed logons would not trip the
> lockout
> threshold - can anyone confirm that this is the case?
>


I cannot confirm that is / is not the case, but it is highly improbable.
Account policies are set domain-wide, by the domain controllers.
Access to the GPO at the client login station would not prevent the
domain controllers from "knowing" the current account policies.
However, account lockout is dependent on communications between
DCs with the PDC FSMO which does the actual locking. All the same,
as only this account is noticed as not locking, or at least as others are
known to be locking as expected, I think one needs to look further for
the cause. From what you stated, that the domain could not be contacted
I take it that you are looking at security event logs on the member rather
than on the domain controllers? If so, then lockout is not happening as
no one is telling the PDC FSMO to bump the count of invalid login
attempts.

 

Anteaus

A standard policy affects the workstation, whereas if the user is
authenticating to the server, it's up to the server to decide when to stop
accepting bad logons. This is determined by the domain-controller's own
policies or account-security settings.
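Roger's point that the PDC FSMO does the actual locking and that a failure nobody reports to it is never counted, and Anteaus's point that the server rather than the workstation decides, as an added model (not the thread's own code, not Microsoft's). It assumes the thread's threshold of 6 and a 30-minute reset window, and models four documented behaviours: a DC chains every bad password to the PDC emulator, which keeps the authoritative badPwdCount and locks the account; the count resets after a quiet period longer than the window; a failed logon to an account that exists only in a member computer's local SAM is logged on that member and never reaches a DC; and the Windows Server 2003 N-2 rule, under which a wrong password equal to one of the account's two previous passwords is not counted at all (worth checking against your own DCs, since a mapped drive or service retrying an old password produces exactly the pattern of many 529s and no lockout).

```python
"""Model of where a wrong password gets counted in an AD domain.

Added example; not code from the thread or from Microsoft. Assumed values:
threshold 6 (from the thread) and a 30-minute reset window. Modeled: DCs chain
bad passwords to the PDC emulator, which keeps the authoritative badPwdCount and
locks the account; the count resets after a quiet period; local-SAM failures on
a member never reach a DC; and the Windows Server 2003 N-2 rule (a wrong
password equal to one of the two previous passwords is not counted).
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 6
RESET_WINDOW = 30 * 60   # seconds, assumed


class DomainAccount:
    def __init__(self, name, password, history=()):
        self.name = name
        self.password = password
        self.history = list(history)   # previous passwords, most recent first
        self.bad_pwd_count = 0         # authoritative count kept by the PDC
        self.last_bad = None
        self.locked_out = False


class PdcEmulator:
    """Owns the accounts and is the only place a lockout is decided."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def report_bad_password(self, name, attempted, when):
        acct = self.accounts[name]
        if attempted in acct.history[:2]:
            return                     # N-2 rule: stale password, not counted
        if acct.last_bad is not None and when - acct.last_bad > RESET_WINDOW:
            acct.bad_pwd_count = 0     # window elapsed, counter starts over
        acct.bad_pwd_count += 1
        acct.last_bad = when
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            acct.locked_out = True


class DomainController:
    """Validates domain logons; every failure is forwarded to the PDC."""

    def __init__(self, pdc):
        self.pdc = pdc
        self.failure_events = defaultdict(int)   # 529s this DC would log

    def authenticate(self, name, password, when):
        acct = self.pdc.accounts[name]
        if acct.locked_out or password != acct.password:
            self.failure_events[name] += 1
            if not acct.locked_out:
                self.pdc.report_bad_password(name, password, when)
            return False
        return True


class MemberComputer:
    """Local SAM accounts are checked locally; domain accounts go to the DC."""

    def __init__(self, dc, local_accounts):
        self.dc = dc
        self.local_accounts = dict(local_accounts)   # name -> password
        self.failure_events = defaultdict(int)       # 529s this member would log

    def logon(self, name, password, when):
        if name in self.local_accounts:
            ok = self.local_accounts[name] == password   # never leaves the member
        else:
            ok = self.dc.authenticate(name, password, when)
        if not ok:
            self.failure_events[name] += 1
        return ok


def run_scenarios():
    """Three constructed cases; returns per-account result tuples."""
    pdc = PdcEmulator([DomainAccount("jdoe", "Current!1", ["Old!1", "Older!1"]),
                       DomainAccount("svc_backup", "Now#2", ["Before#2"])])
    dc01 = DomainController(pdc)
    wks = MemberComputer(dc01, {"localadmin": "L0cal!"})
    # 1. Seven wrong guesses for a domain account: the sixth locks it out.
    for i in range(7):
        wks.logon("jdoe", f"guess{i}", when=i * 10)
    # 2. A job retrying the account's previous password: 529s pile up on the
    #    DC, but under the N-2 rule the count never moves and nothing locks.
    for i in range(50):
        wks.logon("svc_backup", "Before#2", when=1000 + i)
    # 3. Wrong passwords for a member-local account: only the member sees them.
    for i in range(20):
        wks.logon("localadmin", "nope", when=2000 + i)
    a = pdc.accounts
    return {
        "jdoe": (a["jdoe"].bad_pwd_count, a["jdoe"].locked_out,
                 dc01.failure_events["jdoe"], wks.failure_events["jdoe"]),
        "svc_backup": (a["svc_backup"].bad_pwd_count, a["svc_backup"].locked_out,
                       dc01.failure_events["svc_backup"]),
        "localadmin": (wks.failure_events["localadmin"],
                       dc01.failure_events["localadmin"], "localadmin" in a),
    }
```

The second and third cases are the ones that produce the symptom in the thread: hundreds of 529s with a badPwdCount that never moves. In the second the DC logs every failure but discards it before the PDC counts it; in the third the failures exist only in the member's own log, and no DC was ever asked.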
 