Account should be locked out.....but isn't!

Microsoft Applications Security
Posted by Qu33n Bee on August 20, 2007, 10:34 am
Hi
I am a security auditor for a Windows 2003/2000 mixed-mode domain. Client
workstations are XP SP2, and all domain controllers are 2003 server. The
default domain group policy defines the account lockout policy at a threshold
of 6 failed logons.
Recently I have noticed a large number of failed logons for a user who has
Domain Admins membership. With 1154 failures in 2 days, I would have expected
the account to have been locked out but it isn't. The failures are all
529/Type 3. I have checked for settings that block inheritance of the default
domain policy but there are none. How can the account have failed logon so
many times and not triggered the lockout?

Posted by Roger Abell [MVP] on August 21, 2007, 2:35 am

> Hi
> I am security auditor for a Windows 2003/2000 mixed-mode domain. Client
> workstations are XP SP2, and all domain controllers are 2003 server. The
> default domain group policy defines the account lockout policy at a
> threshold
> of 6 failed logons.
> Recently I have noticed a large number of failed logons for a user who has
> Domain Admins membership. With 1154 failures in 2 days, I would have
> expected
> the account to have been locked out but it isn't. The failures are all
> 529/Type 3. I have checked for settings that block inheritance of the
> default
> domain policy but there are none. How can the account have failed logon so
> many times and not triggered the lockout?

So I will assume your check also confirmed that the setting is not
being defined in a higher priority (than the default domain GPO)
GPO linked to the domain.
Is the account the built-in Administrator (possibly renamed)?

Roger



Posted by Qu33n Bee on August 21, 2007, 4:36 am
Yes, I have checked and there are no GPOs that apply to this account that
define lockout policy other than the default domain policy. This is not the
built-in Admin account, but a user account which is a member of the Domain
Admins group. Other members of the same group, with the same account
configuration have been locked out due to incorrect password entry so it is a
mystery as to why this account was not locked out.

Posted by Qu33n Bee on August 21, 2007, 4:38 am
Yes, I have confirmed that there are no GPOs other than the default domain
policy that contain configuration settings for account lockout.

The account is not the built-in Admin account, but a user account which is a
member of the Domain Admins group. Other members of the same group with the
same account configuration have been locked out due to incorrect password
entry, so it is a mystery why this account remains unlocked after so many
logon failures.


Posted by Qu33n Bee on August 21, 2007, 7:26 am
Update -- I have found an event which indicates that Group Policy processing
was aborted as the domain could not be contacted due to invalid credentials
being supplied. I guess that if the GP relies on an authenticated connection to
the domain, and the wrong password is supplied for the user, then group
policies will not be applied and the failed logons would not trip the lockout
threshold - can anyone confirm that this is the case?

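As an added example (not code from anyone in this thread), the following Python script does the cross-check an auditor would want for the question above: it replays failed-logon events (529) per account using the domain controller's bad-password counter rule, where the count resets once more than the "reset counter after" interval has passed since the previous failure, and reports every point at which the threshold of 6 from the thread was reached without a matching "user account locked out" event (644 on Windows 2000/2003) following shortly after. The tab-separated export layout, the 30-minute reset window, the 5-minute grace period and all sample records are assumptions made for the example; the account names and source computers are constructed.

```python
"""Cross-check failed logons (event 529) against lockout events (644) per account."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

FAILED_LOGON = 529    # Windows 2000/2003 Security log: logon failure, bad user name or password
ACCOUNT_LOCKED = 644  # Windows 2000/2003 Security log: user account locked out

# Constructed sample records in an assumed tab-separated export layout (not the output
# of any real tool): timestamp, event id, account, logon type, source computer.
SAMPLE_LOG = (
    "# jdoe: seven type-3 failures in four minutes and no lockout event at all\n"
    "2007-08-19 09:00:12\t529\tCORP\\jdoe\t3\tWS-014\n"
    "2007-08-19 09:00:15\t529\tCORP\\jdoe\t3\tWS-014\n"
    "2007-08-19 09:01:02\t529\tCORP\\jdoe\t3\tWS-014\n"
    "2007-08-19 09:02:40\t529\tCORP\\jdoe\t3\tWS-014\n"
    "2007-08-19 09:03:05\t529\tCORP\\jdoe\t3\tWS-014\n"
    "2007-08-19 09:03:30\t529\tCORP\\jdoe\t3\tWS-014\n"
    "2007-08-19 09:04:10\t529\tCORP\\jdoe\t3\tWS-014\n"
    "# asmith: six failures, then the expected 644 one second after the sixth\n"
    "2007-08-19 10:10:00\t529\tCORP\\asmith\t3\tWS-022\n"
    "2007-08-19 10:11:00\t529\tCORP\\asmith\t3\tWS-022\n"
    "2007-08-19 10:12:00\t529\tCORP\\asmith\t3\tWS-022\n"
    "2007-08-19 10:13:00\t529\tCORP\\asmith\t3\tWS-022\n"
    "2007-08-19 10:13:30\t529\tCORP\\asmith\t3\tWS-022\n"
    "2007-08-19 10:14:00\t529\tCORP\\asmith\t3\tWS-022\n"
    "2007-08-19 10:14:01\t644\tCORP\\asmith\t-\tDC01\n"
    "# cmoore: five failures, then one more after the reset window has elapsed\n"
    "2007-08-19 13:00:00\t529\tCORP\\cmoore\t3\tWS-040\n"
    "2007-08-19 13:01:00\t529\tCORP\\cmoore\t3\tWS-040\n"
    "2007-08-19 13:02:00\t529\tCORP\\cmoore\t3\tWS-040\n"
    "2007-08-19 13:03:00\t529\tCORP\\cmoore\t3\tWS-040\n"
    "2007-08-19 13:04:00\t529\tCORP\\cmoore\t3\tWS-040\n"
    "2007-08-19 14:00:00\t529\tCORP\\cmoore\t3\tWS-040\n"
)


class Event(NamedTuple):
    when: datetime
    event_id: int
    account: str
    logon_type: str
    source: str


def parse_export(text: str) -> List[Event]:
    """Parse the assumed export layout; blank lines and '#' comment lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        when, eid, account, ltype, source = line.split("\t")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(eid), account.lower(), ltype, source))
    return sorted(events, key=lambda e: e.when)


def expected_lockouts(events, threshold=6, reset_minutes=30):
    """Replay 529 events per account with the DC counter rule and return, per account,
    the times at which the threshold was reached, i.e. when a 644 should follow."""
    reached = defaultdict(list)
    count, last_fail = defaultdict(int), {}
    window = timedelta(minutes=reset_minutes)
    for e in events:
        if e.event_id != FAILED_LOGON:
            continue
        prev = last_fail.get(e.account)
        if prev is None or e.when - prev > window:
            count[e.account] = 0          # observation window expired: counter resets
        count[e.account] += 1
        last_fail[e.account] = e.when
        if count[e.account] >= threshold:
            reached[e.account].append(e.when)
            count[e.account] = 0          # start a fresh run after the (expected) lockout
    return reached


def audit(events, threshold=6, reset_minutes=30, grace_minutes=5):
    """Per account: total failures, expected vs observed lockouts, and the
    threshold-reached times that no 644 event followed within grace_minutes."""
    locks, failures = defaultdict(list), defaultdict(int)
    for e in events:
        if e.event_id == ACCOUNT_LOCKED:
            locks[e.account].append(e.when)
        elif e.event_id == FAILED_LOGON:
            failures[e.account] += 1
    reached = expected_lockouts(events, threshold, reset_minutes)
    grace = timedelta(minutes=grace_minutes)
    report = {}
    for account, n in failures.items():
        missing = [t for t in reached[account]
                   if not any(t <= lt <= t + grace for lt in locks[account])]
        report[account] = {"failures": n,
                           "expected_lockouts": len(reached[account]),
                           "observed_lockouts": len(locks[account]),
                           "missing_lockouts": missing}
    return report


def flagged_accounts(report):
    """Accounts that reached the threshold at least once without a matching 644."""
    return sorted(a for a, r in report.items() if r["missing_lockouts"])


if __name__ == "__main__":
    rep = audit(parse_export(SAMPLE_LOG))
    for account, r in sorted(rep.items()):
        print(account, r)
    print("flagged:", flagged_accounts(rep))
```

Run against the constructed records, the script flags only jdoe: seven failures inside the window with no 644, which is the pattern the thread describes. asmith shows the healthy case (threshold reached, 644 one second later), and cmoore shows why raw failure totals mislead: six failures in total, but the sixth arrives after the reset window, so the counter never reaches the threshold and no lockout is expected. The matching is done by account name, so for a real export the account column must hold the target account of the 644 event, not the caller.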
