Account Lockout

By ryansmith


I am having the situation of accounts automatically being locked out.
It seems to be random and as far as I can tell it is not related to user problems.
We have a Server 2003 environment but we are running XP, 2000, 98, 95 on both thin and fat clients.

If you have any suggestions to the problem or any other information I might read, please let me know.

Ryan Smith
SANBS - Network Admin


NTLM Authentication is the issue

by BFilmFan In reply to Account Lockout

This is a well-known issue in the Active Directory world. When a user authenticates in Active Directory, the first token is passed as Kerberos and then as NTLM hash. Thus any bad password actually counts as 2 strikes towards the bad password lockout number set by the domain security policy.

Microsoft recommends in mixed environments that this number be set to not less than 10. The recommendation of 3-5 is ONLY for pure Kerberos (meaning everything is a Microsoft system) environments.

There is an in-depth article here on this phenomenon and how to troubleshoot it:

There are also a number of hot fixes available to address this issue for older systems:

I've seen this issue so many times at clients like State Farm, General Motors and the US Army Reserve that it simply isn't funny and always has been caused by security wanting the bad password count set to 3 cause that is what the lil papers all say it should be.
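As an added example that is not part of the thread, here is a small Python script for the other half of this problem: finding which machine is generating the lockouts, which is the usual first check before the threshold gets raised. It assumes the domain controller's lockout events were exported as plain text in the event 4740 layout (Windows Server 2008 and later; Windows Server 2003 logs the equivalent as event 644) and uses constructed sample events with made-up names.

```python
import re
from collections import defaultdict

# Constructed sample of three lockout events as a domain controller writes
# event 4740 (Server 2008+; Server 2003 logs event 644). Names are made up.
SAMPLE_EVENTS = """\
Event ID: 4740
Subject:
    Account Name:   DC01$
Account That Was Locked Out:
    Account Name:   jsmith
Additional Information:
    Caller Computer Name:   THIN-17
---
Event ID: 4740
Account That Was Locked Out:
    Account Name:   mnaidoo
Additional Information:
    Caller Computer Name:   THIN-17
---
Event ID: 4740
Account That Was Locked Out:
    Account Name:   jsmith
Additional Information:
    Caller Computer Name:   LAPTOP-03
"""
# Locked-out account (not the Subject's name, which is the DC) and the caller.
EVENT_RE = re.compile(
    r"Account That Was Locked Out:.*?Account Name:\s*(\S+)"
    r".*?Caller Computer Name:\s*(\S+)",
    re.DOTALL,
)

def parse_lockouts(text):
    """Return (account, caller_computer) pairs, one per event in the export."""
    matches = (EVENT_RE.search(chunk) for chunk in text.split("---"))
    return [m.groups() for m in matches if m]

def accounts_per_caller(events):
    """Map each caller computer to the set of accounts it has locked out."""
    by_caller = defaultdict(set)
    for account, caller in events:
        by_caller[caller].add(account)
    return dict(by_caller)

def suspicious_callers(events, min_accounts=2):
    """Callers that lock out several distinct accounts (a shared terminal or a
    service still holding a stale password) are the first place to look."""
    per = accounts_per_caller(events)
    return sorted(c for c, accts in per.items() if len(accts) >= min_accounts)
```

With the sample above, THIN-17 is reported because it locked out two different users, which points at a shared thin-client terminal rather than at the users themselves.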
