Account should be locked out.....but isn't!

Discussion in 'Security Software' started by Qu33n Bee, Aug 20, 2007.

  1. Qu33n Bee

    Qu33n Bee Guest

    Hi
    I am a security auditor for a Windows 2003/2000 mixed-mode domain. Client
    workstations are XP SP2, and all domain controllers are 2003 server. The
    default domain group policy defines the account lockout policy at a threshold
    of 6 failed logons.
    Recently I have noticed a large number of failed logons for a user who has
    Domain Admins membership. With 1154 failures in 2 days, I would have expected
    the account to have been locked out but it isn't. The failures are all
    529/Type 3. I have checked for settings that block inheritance of the default
    domain policy but there are none. How can the account have failed logon so
    many times and not triggered the lockout?
     
    Qu33n Bee, Aug 20, 2007
    #1

  2. So I will assume your check also confirmed that the setting is not
    being defined in a higher priority (than the default domain GPO)
    GPO linked to the domain.
    Is the account the built-in Administrator (possibly renamed)?

    Roger
     
    Roger Abell [MVP], Aug 21, 2007
    #2

  3. Qu33n Bee

    Qu33n Bee Guest

    Yes, I have checked and there are no GPOs that apply to this account that
    define lockout policy other than the default domain policy. This is not the
    built-in Admin account, but a user account which is a member of the Domain
    Admins group. Other members of the same group, with the same account
    configuration have been locked out due to incorrect password entry so it is a
    mystery as to why this account was not locked out.
     
    Qu33n Bee, Aug 21, 2007
    #3
  4. Qu33n Bee

    Qu33n Bee Guest

    Yes, I have confirmed that there are no GPOs other than the default domain
    policy that contain configuration settings for account lockout.

    The account is not the built-in Admin account, but a user account which is a
    member of the Domain Admins group. Other members of the same group with the
    same account configuration have been locked out due to incorrect password
    entry, so it is a mystery why this account remains unlocked after so many
    logon failures.
     
    Qu33n Bee, Aug 21, 2007
    #4
  5. Qu33n Bee

    Qu33n Bee Guest

    Update -- I have found an event which indicates that Group Policy processing
    was aborted as the domain could not be contacted due to invalid credentials
    being supplied. I guess that if the GP relies on authenticated connection to
    the domain, and the wrong password is supplied for the user; then group
    policies will not be applied and the failed logons would not trip the lockout
    threshold - can anyone confirm that this is the case?
     
    Qu33n Bee, Aug 21, 2007
    #5
  6. I cannot confirm that is / is not the case, but it is highly improbable.
    Account policies are set domain-wide, by the domain controllers.
    Access to the GPO at the client login station would not prevent the
    domain controllers from "knowing" the current account policies.
    However, account lockout is dependent on communications between
    DCs with the PDC FSMO which does the actual locking. All the same,
    as only this account is noticed as not locking, or at least as others are
    known to be locking as expected, I think one needs to look further for
    the cause. From what you stated, that the domain could not be contacted
    I take it that you are looking at security event logs on the member rather
    than on the domain controllers? If so, then lockout is not happening as
    no one is telling the PDC FSMO to bump the count of invalid login
    attempts.
     
    Roger Abell [MVP], Aug 21, 2007
    #6
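The reply above turns on two facts a practitioner would want to verify directly rather than infer from a member's event log: the lockout threshold the domain controllers actually enforce, and the per-DC bad-password counters that the PDC emulator relies on. The following PowerShell is an added example, not code posted by anyone in this thread; it assumes the RSAT ActiveDirectory module (Windows 2008 R2 or later tooling, which did not exist for the 2003-era domain discussed here), a reachable set of DCs, and a hypothetical `$SamAccountName` parameter naming the account under investigation. The attribute names (`badPwdCount`, `badPasswordTime`, `lockoutTime`) are the real AD attributes; they are not replicated between DCs, which is why the script queries every DC rather than trusting one.

```powershell
# Added example (not from the thread): compare the enforced lockout policy with the
# bad-password counters held on every DC for one account. Assumes the RSAT
# ActiveDirectory module; $SamAccountName is a hypothetical input parameter.
param(
    [Parameter(Mandatory)][string]$SamAccountName
)

Import-Module ActiveDirectory

# 1. The account lockout policy the DCs enforce. This is the domain-wide setting
#    (Default Domain Policy or a higher-precedence GPO linked at the domain root);
#    GPOs applied on the workstation do not change what the DCs enforce.
$policy = Get-ADDefaultDomainPasswordPolicy
"Lockout threshold  : {0}" -f $policy.LockoutThreshold
"Observation window : {0}" -f $policy.LockoutObservationWindow
"Lockout duration   : {0}" -f $policy.LockoutDuration

# 2. The PDC emulator receives forwarded bad-password attempts from the other DCs
#    and is the DC whose counter decides whether the account locks.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator       : $pdc"

# 3. badPwdCount, badPasswordTime and lockoutTime are per-DC values that do not
#    replicate, so read them from each DC individually. A high count on one DC
#    with zero on the PDC points at a forwarding/communication problem; zero
#    everywhere means the failures never reached a DC at all (for example, events
#    logged only on a member server using cached or local accounts).
$dcs  = Get-ADDomainController -Filter *
$rows = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut `
                -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            IsPDC           = ($dc.HostName -eq $pdc)
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            LockedOut       = $u.LockedOut
        }
    } catch {
        # Record unreachable DCs instead of silently skipping them; an unreachable
        # PDC emulator is itself a plausible reason for lockout not firing.
        [pscustomobject]@{
            DC = $dc.HostName; IsPDC = ($dc.HostName -eq $pdc)
            BadPwdCount = 'unreachable'; LastBadPassword = $null; LockoutTime = $null; LockedOut = $null
        }
    }
}
$rows | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# 4. Simple interpretation of the PDC's view versus the configured threshold.
$pdcRow = $rows | Where-Object { $_.DC -eq $pdc }
if ($pdcRow.BadPwdCount -is [int] -and $pdcRow.BadPwdCount -ge $policy.LockoutThreshold -and -not $pdcRow.LockedOut) {
    "PDC count ({0}) meets the threshold but the account is not locked: check lockout duration/reset and the PDC's own policy application." -f $pdcRow.BadPwdCount
} elseif ($pdcRow.BadPwdCount -eq 0) {
    "PDC has recorded no bad passwords for this account: the failures you see were not forwarded to it, so no lockout is possible."
}
```

Run it against the account from the thread and compare the PDC emulator's `BadPwdCount` with the 529 events you counted. If the member server shows hundreds of failures while every DC shows zero, the events are being generated and evaluated locally and the domain lockout policy was never in play, which is the situation the reply above describes.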
  7. Anteaus

    Anteaus Guest

    A standard policy affects the workstation, whereas if the user is
    authenticating to the server, it's up to the server to decide when to stop
    accepting bad logons. This is determined by the domain controller's own
    policies or account-security settings.
     
    Anteaus, Aug 23, 2007
    #7
