Click here to get back home

Strong passwords and user locking?
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Strong passwords and user locking? Linn Kubler 02-25-2008
Posted by Linn Kubler on February 25, 2008, 6:51 pm
Please log in for more thread options
 Hi,

I've been asked to force our users to use strong passwords with user
lockouts after a number of wrong attempts. So I started small and setup a
new OU and created a test user in it. I then created a goup policy,
associated it to my new OU and set the Account Lockout Threshold to 3, which
in turn set the duration and Reset Account Lockout Counter After to 30
minutes. The policy is linked to my OU and I'm filtering on Domain Users.

Now when I look at the settings of my group policy it doesn't show my
lockout settings and when I login as the test user it doesn't show this
policy in GPResults I've done a GPUPDATE but that didn't help. So what am
I missing? I suspect it's something obvious but I'm stumped once again.

Thanks in advance,
Linn



Posted by Anthony [MVP] on February 26, 2008, 3:03 am
Please log in for more thread options
 You need to set the account policy in the root of the domain.
There's a good article about it here:
http://technet2.microsoft.com/windowsserver/en/library/cda0eee3-a52e-4c1b-a9d7-0c70f122ada91033.mspx?mfr=true
and here:
http://technet2.microsoft.com/windowsserver/en/library/b04678d1-510f-48d3-8d10-dce2e61972d71033.mspx?mfr=true
Hope that helps,
Anthony
http://www.airdesk.co.uk


> Hi,
>
> I've been asked to force our users to use strong passwords with user
> lockouts after a number of wrong attempts. So I started small and setup a
> new OU and created a test user in it. I then created a goup policy,
> associated it to my new OU and set the Account Lockout Threshold to 3,
> which in turn set the duration and Reset Account Lockout Counter After to
> 30 minutes. The policy is linked to my OU and I'm filtering on Domain
> Users.
>
> Now when I look at the settings of my group policy it doesn't show my
> lockout settings and when I login as the test user it doesn't show this
> policy in GPResults I've done a GPUPDATE but that didn't help. So what
> am I missing? I suspect it's something obvious but I'm stumped once
> again.
>
> Thanks in advance,
> Linn
>



Posted by Linn Kubler on February 26, 2008, 11:31 am
Please log in for more thread options
Thanks for the help Anthony. But man, that means it's all or nothing, I
can't even test this before forcing it on everyone? I don't like that a
bit.

Thanks,
Linn

> You need to set the account policy in the root of the domain.
> There's a good article about it here:
>
http://technet2.microsoft.com/windowsserver/en/library/cda0eee3-a52e-4c1b-a9d7-0c70f122ada91033.mspx?mfr=true
> and here:
>
http://technet2.microsoft.com/windowsserver/en/library/b04678d1-510f-48d3-8d10-dce2e61972d71033.mspx?mfr=true
> Hope that helps,
> Anthony
> http://www.airdesk.co.uk
>
>
>> Hi,
>>
>> I've been asked to force our users to use strong passwords with user
>> lockouts after a number of wrong attempts. So I started small and setup
>> a new OU and created a test user in it. I then created a goup policy,
>> associated it to my new OU and set the Account Lockout Threshold to 3,
>> which in turn set the duration and Reset Account Lockout Counter After to
>> 30 minutes. The policy is linked to my OU and I'm filtering on Domain
>> Users.
>>
>> Now when I look at the settings of my group policy it doesn't show my
>> lockout settings and when I login as the test user it doesn't show this
>> policy in GPResults I've done a GPUPDATE but that didn't help. So what
>> am I missing? I suspect it's something obvious but I'm stumped once
>> again.
>>
>> Thanks in advance,
>> Linn
>>
>
>



Posted by Anthony [MVP] on February 26, 2008, 11:50 am
Please log in for more thread options
There's not a lot to test. The user's password will not be affected until it
expires, or you set it to be changed at next logon, so you can introduce it
that way and change it back if you don't like it.
Anthony,
http://www.airdesk.co.uk



> Thanks for the help Anthony. But man, that means it's all or nothing, I
> can't even test this before forcing it on everyone? I don't like that a
> bit.
>
> Thanks,
> Linn
>
>> You need to set the account policy in the root of the domain.
>> There's a good article about it here:
>>
http://technet2.microsoft.com/windowsserver/en/library/cda0eee3-a52e-4c1b-a9d7-0c70f122ada91033.mspx?mfr=true
>> and here:
>>
http://technet2.microsoft.com/windowsserver/en/library/b04678d1-510f-48d3-8d10-dce2e61972d71033.mspx?mfr=true
>> Hope that helps,
>> Anthony
>> http://www.airdesk.co.uk
>>
>>
>>> Hi,
>>>
>>> I've been asked to force our users to use strong passwords with user
>>> lockouts after a number of wrong attempts. So I started small and setup
>>> a new OU and created a test user in it. I then created a goup policy,
>>> associated it to my new OU and set the Account Lockout Threshold to 3,
>>> which in turn set the duration and Reset Account Lockout Counter After
>>> to 30 minutes. The policy is linked to my OU and I'm filtering on
>>> Domain Users.
>>>
>>> Now when I look at the settings of my group policy it doesn't show my
>>> lockout settings and when I login as the test user it doesn't show this
>>> policy in GPResults I've done a GPUPDATE but that didn't help. So what
>>> am I missing? I suspect it's something obvious but I'm stumped once
>>> again.
>>>
>>> Thanks in advance,
>>> Linn
>>>
>>
>>
>
>



Posted by Linn Kubler on February 26, 2008, 12:07 pm
Please log in for more thread options
You are right, not a lot to test on this side. However I did sort of want
to play around with scripting to give my managers a real easy way to reset
passwords and unlock users. That's the kind of testing I had in mind.

Thanks,
Linn

> There's not a lot to test. The user's password will not be affected until
> it expires, or you set it to be changed at next logon, so you can
> introduce it that way and change it back if you don't like it.
> Anthony,
> http://www.airdesk.co.uk
>
>
>
>> Thanks for the help Anthony. But man, that means it's all or nothing, I
>> can't even test this before forcing it on everyone? I don't like that a
>> bit.
>>
>> Thanks,
>> Linn
>>
>>> You need to set the account policy in the root of the domain.
>>> There's a good article about it here:
>>>
http://technet2.microsoft.com/windowsserver/en/library/cda0eee3-a52e-4c1b-a9d7-0c70f122ada91033.mspx?mfr=true
>>> and here:
>>>
http://technet2.microsoft.com/windowsserver/en/library/b04678d1-510f-48d3-8d10-dce2e61972d71033.mspx?mfr=true
>>> Hope that helps,
>>> Anthony
>>> http://www.airdesk.co.uk
>>>
>>>
>>>> Hi,
>>>>
>>>> I've been asked to force our users to use strong passwords with user
>>>> lockouts after a number of wrong attempts. So I started small and
>>>> setup a new OU and created a test user in it. I then created a goup
>>>> policy, associated it to my new OU and set the Account Lockout
>>>> Threshold to 3, which in turn set the duration and Reset Account
>>>> Lockout Counter After to 30 minutes. The policy is linked to my OU and
>>>> I'm filtering on Domain Users.
>>>>
>>>> Now when I look at the settings of my group policy it doesn't show my
>>>> lockout settings and when I login as the test user it doesn't show this
>>>> policy in GPResults I've done a GPUPDATE but that didn't help. So
>>>> what am I missing? I suspect it's something obvious but I'm stumped
>>>> once again.
>>>>
>>>> Thanks in advance,
>>>> Linn
>>>>
>>>
>>>
>>
>>
>
>



Similar ThreadsPosted
strong passwords October 6, 2005, 11:02 am
Can I have two passwords for one user? June 6, 2007, 7:50 pm
Administrator account locking out April 1, 2006, 9:22 am
Locking folders but NOT files. How? January 5, 2007, 9:20 am
Locking Down Domain Controllers January 26, 2007, 4:46 am
IP of machine locking account? March 13, 2008, 8:49 am
Hacker locking my accounts March 16, 2008, 5:02 pm
Account locking vs. logon types January 2, 2006, 8:03 am
Keeping service accounts from locking October 13, 2006, 5:14 pm
Exporting Passwords January 15, 2006, 3:20 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap