-
Title
User account does not lockout after 'X' number of invalid password entries. -
Description
If a user who is not registered with Password Manager (PM) attempts to register with PM via the “My Questions and Answer Profile” workflow they will be prompted to provide their domain password. However, the user is able to enter incorrect passwords indefinitely and will not be locked out in Active Directory.
-
Cause
The domain “Account Lockout Policy” is either not configured, enabled or deployed to the workstation. This can be confirmed on the client machine as follows
- Run “secpol.msc” from the command prompt
- Navigate to Account Policies > Account Lockout Policy
- Note the values for the three settings.
-
Resolution
Resolution
The “Account Lockout Policy” settings need to be configured and enabled in group policy and then deployed to the affected computers.
The default location of these settings in Group Policy Management Editor is
Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
Test and verify that the account lockout works as expected.