
I have a GPO that defines password policies and a lockout policy after a set number of invalid attempts:

[screenshot of the GPO settings]

I have ensured that this GPO is applied at domain level.

Password policies apply fine and function correctly. How come Account Lockout Policy does not?

PowerShell result:

[screenshot of the PowerShell output]

August Williams

2 Answers


Based on your answer in the comments:

Failed password attempts on workstations or member servers that have been locked by using CTRL+ALT+DELETE or password-protected screen savers do not count as failed sign-in attempts unless Interactive logon: Require Domain Controller authentication to unlock workstation is set to Enabled. If Interactive logon: Require Domain Controller authentication to unlock workstation is enabled, repeated failed password attempts to unlock the workstation will count against the account lockout threshold.

https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx

Noor Khaldi
  • I have tried this but no change. – August Williams Dec 10 '17 at 18:41
  • Instead of trying to use a wrong password 4 times, let's try to get the applied password policy using PowerShell: https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addefaultdomainpasswordpolicy?view=win10-ps will help you see what's happening. Paste your findings here and let's compare against the GPO. – Noor Khaldi Dec 10 '17 at 19:18
  • I have used PowerShell and it turns out not all elements match the GPO, including the lockout threshold. See question for a screenshot of the output. – August Williams Dec 10 '17 at 19:50
  • Interesting, then try to set the elements again using PowerShell: https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-addefaultdomainpasswordpolicy?view=win10-ps – Noor Khaldi Dec 10 '17 at 20:16
  • I have managed to accomplish the same outcome with Active Directory Administrative Centre. What are the differences between password policies with a GPO and DSAC? Because both have the same level of customisation. I will try the GPO with PowerShell too. – August Williams Dec 10 '17 at 20:32
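The comments above suggest comparing the effective domain policy returned by Get-ADDefaultDomainPasswordPolicy against the GPO. The following script is an added example, not code from the question or either answer: it reads the effective policy from the PDC emulator (the DC that writes the domain-level password and lockout settings from the winning GPO), compares it with the values you expect, shows the raw attributes on the domain object, and, for one user, shows the resultant policy including any fine-grained Password Settings Object created through Active Directory Administrative Center. The expected values, the user name `jdoe` and the RSoP output path are assumptions.

```powershell
# Added example (not from the question or answers): compare the effective
# domain password/lockout policy with the values expected from the GPO.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and
# the caller can read the domain naming context. Expected values are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$expected = [ordered]@{
    LockoutThreshold         = 5                               # failed attempts before lockout; 0 = never
    LockoutDuration          = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30)
    MinPasswordLength        = 12
    PasswordHistoryCount     = 24
    ComplexityEnabled        = $true
}

$domain = Get-ADDomain
# Read from the PDC emulator: it writes the domain policy from the GPO, so
# other DCs can lag behind it by one replication cycle.
$pdc = $domain.PDCEmulator
$effective = Get-ADDefaultDomainPasswordPolicy -Server $pdc

foreach ($name in $expected.Keys) {
    $want  = $expected[$name]
    $got   = $effective.$name
    $state = if ($got -eq $want) { 'OK' } else { 'MISMATCH' }
    '{0,-26} expected={1,-12} effective={2,-12} {3}' -f $name, $want, $got, $state
}

# The same settings as stored on the domain object itself. The durations are
# negative 100-nanosecond intervals; lockoutThreshold 0 means "never lock out".
Get-ADObject -Identity $domain.DistinguishedName -Server $pdc `
    -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow |
    Select-Object lockoutThreshold, lockoutDuration, lockOutObservationWindow

# Per-user view: if a fine-grained policy (PSO, the kind ADAC creates) applies
# to the user, it overrides the domain default and is what is returned here.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' -Server $pdc   # 'jdoe' is an assumed account

# If the effective values still differ from the GPO after a gpupdate on the
# PDC, check which GPO actually won at the domain link with an RSoP report.
Get-GPResultantSetOfPolicy -Computer $pdc -ReportType Html -Path "$env:TEMP\pdc-rsop.html"
```

Two things to keep in mind when reading the output: a policy set through Active Directory Administrative Center is a Password Settings Object rather than an edit of the Default Domain Policy GPO, so it will show up in Get-ADUserResultantPasswordPolicy for the users it targets but not in the GPO report; and a lockout threshold of 0 is the "no lockout" setting, so a GPO that leaves the threshold undefined produces exactly the symptom described in the question.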

You're mistaken. This policy does NOT have to be set for lockout to work on locked workstations. This ONLY applies: When cached credentials are used, any CHANGES THAT HAVE RECENTLY BEEN MADE to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process.

I have tested this and workstations that are simply locked will get locked out according to group policy.

Marc
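Marc's answer rests on a test from a locked workstation. As an added example that is not part of either answer, the script below exercises the lockout threshold without a workstation at all: it performs deliberate failed LDAP binds as a disposable test account against the PDC emulator and reads badPwdCount and LockedOut after each attempt. It assumes the ActiveDirectory module, an existing throw-away account named `lockout-test`, and LDAP reachability to the PDC; the account name and the wrong-password strings are assumptions. Run it only against a test account you own.

```powershell
# Added example (not from the answers): verify the lockout threshold with a
# disposable test account. Assumes the ActiveDirectory module, a pre-created
# test user 'lockout-test', and LDAP access to the PDC emulator.
Import-Module ActiveDirectory

$sam       = 'lockout-test'                       # assumption: existing throw-away account
$domain    = Get-ADDomain
$pdc       = $domain.PDCEmulator
$upn       = "$sam@$($domain.DNSRoot)"
$threshold = (Get-ADDefaultDomainPasswordPolicy -Server $pdc).LockoutThreshold

if ($threshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: this domain never locks accounts out.'
    return
}

function Test-LdapBind {
    param([string]$Server, [string]$User, [string]$Password)
    # Bind against the DC with the supplied credentials. A wrong password throws,
    # and that failed logon is what counts toward the lockout threshold.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $User, $Password)
    try { $null = $entry.NativeObject; $true } catch { $false }
    finally { $entry.Dispose() }
}

# Start from a clean slate so earlier failures do not skew the count.
Unlock-ADAccount -Identity $sam -Server $pdc

for ($i = 1; $i -le $threshold; $i++) {
    $ok = Test-LdapBind -Server $pdc -User $upn -Password "wrong-password-$i"   # assumed wrong password
    # badPwdCount is per-DC and not replicated; the PDC sees every attempt
    # because other DCs forward bad passwords to it before rejecting them.
    $u = Get-ADUser $sam -Server $pdc -Properties badPwdCount, LockedOut
    '{0,2}: bind={1,-5} badPwdCount={2} LockedOut={3}' -f $i, $ok, $u.badPwdCount, $u.LockedOut
}

$final = Get-ADUser $sam -Server $pdc -Properties LockedOut, badPwdCount
if ($final.LockedOut) {
    "Locked out after $threshold failures: the lockout policy is in effect."
} else {
    "Still unlocked after $threshold failures: the policy is not applied, or the count was reset."
}

# Leave the test account usable again.
Unlock-ADAccount -Identity $sam -Server $pdc
```

If the account locks here but not from the locked workstation in the original question, the threshold itself is fine and the difference lies in how that workstation validates the unlock (cached credentials versus the domain controller), which is the distinction the two answers disagree about. If it does not lock here either, the domain-level policy is not what is in effect, and the comparison against Get-ADDefaultDomainPasswordPolicy is the place to look.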