Discussion:
Reset account lockout counter after
Ryan Sanders
2006-12-19 15:01:40 UTC
After reading this I am unclear on what to set this value to in order to
accomplish my task.

http://technet2.microsoft.com/WindowsServer/en/library/f047b2d2-2ac1-46dd-aed0-9f7eb9df14021033.mspx?mfr=true

I want to remember invalid login attempts forever, meaning if you ever
put in 3 invalid passwords over a period of 3 years your account is
locked. Sounds extreme I know, and I suspect this will change but for
now I need to know if/how this can be done.

99,999 minutes which is the max value is only about 69 days.
ahertenstein
2006-12-19 15:46:59 UTC
Unfortunately without any 3rd party tools, to my knowledge, no. 99999 is
the max value, which turns the lockout duration to 99999 as well. I
always set this to "0" so it forces the admin to unlock the account.
The account will never auto unlock.

The only bad thing is that "0" doesn't work for the "Reset Account
lockout counter after" setting.
--
ahertenstein
Richard Mueller
2006-12-19 16:58:19 UTC
The Group Policy Editor GUI restricts this setting to 99,999 minutes. The
corresponding lockoutObservationWindow attribute of the domain object is
Integer8. This means it is a 64-bit number representing 100-nanosecond
intervals. 99,999 minutes corresponds to a value of -59,999,400,000,000 for
the lockoutObservationWindow attribute (the value is always negative). You
can check this with ADSI Edit. In truth, this is a small value for an
Integer8 attribute. The value can range from -2^63 to 2^63 - 1. The
attribute won't overflow until about -9.2 * 10^18, which corresponds to over
29,000 years.

Being conservative, I used ADSI Edit to alter the value of the
lockoutObservationWindow attribute for my domain to -32,000,000,000,000,000
(without the commas of course). This corresponds to just over 101 years. You
can select a larger value if you desire. As far as I can tell, there is no
problem doing this. Of course, I won't be able to verify the setting for
some time.

ADSI Edit is part of the Windows 2000 Support Tools on the Windows 2000
Server CD.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
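The Integer8 arithmetic Richard describes, as an added example that is not part of his post or of any Microsoft tooling: a PowerShell snippet that converts a minute count to the stored 100-nanosecond value and back, reads the three lockout attributes from the domain head, and writes the larger window the same way ADSI Edit would. It assumes the RSAT ActiveDirectory module and a session that can modify the domain object; the attribute names are the real schema names, the function names are invented for the example, and the target value is the one Richard used.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and rights to modify the domain head. Attribute names are real schema
# names; the ConvertTo/ConvertFrom helpers are invented for this example.

# AD stores lockoutObservationWindow and lockoutDuration as Integer8: a signed
# 64-bit count of 100-nanosecond intervals, negative because it is a relative
# interval. One minute is 60 * 10,000,000 = 600,000,000 intervals.
$IntervalsPerMinute = [int64]600000000

function ConvertTo-LockoutInterval {
    param([Parameter(Mandatory)][int64]$Minutes)
    return -($Minutes * $IntervalsPerMinute)
}

function ConvertFrom-LockoutInterval {
    param([Parameter(Mandatory)][int64]$Interval)
    # 0x8000000000000000 is the sentinel stored for a lockoutDuration of "0" in
    # the GUI, i.e. locked until an administrator unlocks the account.
    if ($Interval -eq [int64]::MinValue) { return 'never (0x8000000000000000)' }
    $minutes = [decimal](-$Interval) / $IntervalsPerMinute
    return [pscustomobject]@{
        Minutes = $minutes
        Days    = [math]::Round($minutes / 1440, 2)
        Years   = [math]::Round($minutes / (1440 * 365.25), 2)
    }
}

ConvertTo-LockoutInterval 99999                  # -59999400000000, the GUI maximum
ConvertFrom-LockoutInterval -59999400000000      # 99999 min, about 69.44 days
ConvertFrom-LockoutInterval -32000000000000000   # about 101.4 years

# Read the live values from the domain head rather than from the GPO.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$policy = Get-ADObject -Identity $domainDn -Properties lockoutThreshold, lockoutDuration, lockoutObservationWindow
[pscustomobject]@{
    Threshold         = $policy.lockoutThreshold
    Duration          = ConvertFrom-LockoutInterval ([int64]$policy.lockoutDuration)
    ObservationWindow = ConvertFrom-LockoutInterval ([int64]$policy.lockoutObservationWindow)
}

# Write a window beyond the GUI limit. The GPO editor refuses an observation
# window longer than the lockout duration (unless the duration is "never");
# do the same check here instead of assuming a direct write will be rejected.
# With negative intervals, "longer" means "more negative".
$newWindow = [int64]-32000000000000000
$duration  = [int64]$policy.lockoutDuration
if ($duration -ne [int64]::MinValue -and $newWindow -lt $duration) {
    throw "lockoutDuration ($duration) is shorter than the requested window; raise it first."
}
Set-ADObject -Identity $domainDn -Replace @{ lockoutObservationWindow = $newWindow } -WhatIf

# Re-read to confirm what the directory actually holds.
(Get-ADObject -Identity $domainDn -Properties lockoutObservationWindow).lockoutObservationWindow
```

Drop `-WhatIf` to perform the write. Re-run the final read after the PDC emulator's next Group Policy refresh as well: the account lockout settings on the domain head are normally written there from the Default Domain Policy, so if that GPO still defines "Reset account lockout counter after", expect the 99,999-minute value to come back and leave the setting Not Defined in the GPO instead.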
Ryan Sanders
2006-12-19 17:28:29 UTC
Richard-

This is perfect and excellent information. I have to ask where you
found such detailed info on this topic? This is the kind of in-depth
information that would prove invaluable!!!!!

Thanks so much!
Ryan
Richard Mueller
2006-12-19 17:57:28 UTC
Documentation on Integer8 attributes and how to handle them is lacking. Most
of the known information is in the newsgroups. Handling Integer8 values in
VBScript is discussed in this link on my web site:

http://www.rlmueller.net/Integer8Attributes.htm
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
Joe Richards [MVP]
2006-12-21 21:06:35 UTC
Note that while the value is int8, there is no guarantee what the
results will be internally to AD, there could be some hard limit. If I
get a chance I will go poke around and see if I can find out the next
time I am playing in the source. Best you test it...

Also note that bad attempts are cleared once you have a successful logon.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
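One way to do the testing Joe recommends, added here and not taken from the thread: a PowerShell function that asks every domain controller for a user's bad-password state, converts the stored timestamps, and reports whether the last failure is still inside the observation window. It assumes the RSAT ActiveDirectory module and read access to each DC; `badPwdCount`, `badPasswordTime` and `lockoutTime` are real attribute names, and `testuser` is a placeholder. The per-DC query matters because those three attributes are not replicated, so the counter on one DC can differ from another's.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and read access to every DC; 'testuser' is a placeholder account.
Import-Module ActiveDirectory

function Get-BadPasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # The observation window from the domain head, turned into a positive
    # TimeSpan. One .NET tick is 100 ns, the same unit as the Integer8 value.
    $domainDn   = (Get-ADDomain).DistinguishedName
    $window     = [int64](Get-ADObject -Identity $domainDn -Properties lockoutObservationWindow).lockoutObservationWindow
    $windowSpan = [timespan]::FromTicks(-$window)
    $now        = [datetime]::UtcNow

    # badPwdCount, badPasswordTime and lockoutTime are per-DC, so ask each one.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, badPasswordTime, lockoutTime

        # badPasswordTime/lockoutTime are FILETIME values; 0 means "never".
        $lastBad = if ($u.badPasswordTime -gt 0) { [datetime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
        $locked  = ($null -ne $u.lockoutTime) -and ($u.lockoutTime -gt 0)

        # A very long window (Richard's 101 years is fine, the Integer8 limit
        # is not) can push the expiry past DateTime.MaxValue, so guard the add.
        $expires = $null
        if ($lastBad) {
            $expires = if ($windowSpan -lt ([datetime]::MaxValue - $lastBad)) { $lastBad + $windowSpan } else { [datetime]::MaxValue }
        }

        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $lastBad
            WindowExpires   = $expires
            # The counter only still "counts" while the last failure is inside
            # the window; a successful logon also zeroes it, as Joe notes.
            CounterLive     = if ($expires) { $expires -gt $now } else { $false }
            LockedOut       = $locked
        }
    }
}

Get-BadPasswordState -SamAccountName 'testuser' | Format-Table -AutoSize
```

To exercise the window, run this before and after a couple of deliberate wrong passwords against a test account, then again after a correct logon: the count should climb on the DC that handled the failures, `CounterLive` should stay true for as long as the configured window says, and the correct logon should reset the count to 0.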
Richard Mueller
2006-12-23 18:13:24 UTC
I have seen accountExpires equal to 2^63 - 1, which should be the max. This
happens when a user account has never had an expiration date. I think it
also happens if you assign -1 to accountExpires in ADSI. The largest
negative value I have tested (using ADSI Edit) is -32,000,000,000,000,000.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net