
BadPwdCount Not incrementing over "1" for some users


I have been troubleshooting our account lockout group policy which appeared to not be working.  It turns out that it is working for some users, but not for others.  Upon further investigation, I used the lockoutstatus.exe tool to check the BadPwdCount values on all domain controllers.  Some users will increment over "1" but most will not, even if I try bad passwords 15 or 20 times within the lockout windows.  Here are more specifics:

    4 Domain Controllers - all DC Type "GC".
    3 - Windows Server 2008 Enterprise - SP2  -and-  1 - Windows Server 2008 R2 Enterprise SP1 (PDC Role)
    Windows Domain Functional Level: Windows Server 2008
    Group policy settings are defined within a separate policy (other than Default Domain Policy) and are not present within any other GPO.
    Symptoms are still present if we move the settings to the DDP and disable the link to our separate Account Lockout GPO.
    Policy Settings are confirmed at the workstation using "net accounts"
    Setting: Account lockout duration - 22 minutes
    Setting: Account lockout threshold  - 7 invalid logon attempts
    Setting: Reset account lockout counter after - 22 minutes
    Bad passwords used are random characters or "blank" passwords to avoid the Password History (N-2) issues of old passwords not incrementing BadPwdCount.

When I poll the BadPwdCount attribute from the PDC for all of my users, I find that nearly 70% of my users have BadPwdCount currently at "0" and the other 30% are currently at "1" - which never resets back to "0".

There is currently no correlation between the accounts that have "0" or "1" values and whether they increment on successive bad password attempts.  Some of each will only increment to 1 and never get locked out while some of each will increment to the limit and get locked out.  The same goes for domain administrator accounts and domain user accounts.

Has anyone else seen this happen in their organization?  Suggestions on where I need to look to find out why BadPwdCount increments for some but not most of my users?

Any help would be hugely appreciated!

Thanks!
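
The per-DC poll described in the post can also be scripted. The following is an added example, not part of the original post: it reads badPwdCount and badPasswordTime from every domain controller (both attributes are kept per DC and are not replicated) and prints them next to the domain lockout threshold. It assumes the ActiveDirectory RSAT module is installed; the account names are hypothetical placeholders.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical test accounts; replace with the accounts being investigated.
$Users = 'testuser1', 'testuser2'

# Domain-wide lockout settings, to compare with what "net accounts" reports.
$Policy = Get-ADDefaultDomainPasswordPolicy

$Report = foreach ($Dc in Get-ADDomainController -Filter *) {
    foreach ($User in $Users) {
        try {
            # Ask each DC directly: these counters are local to the DC that
            # processed (or was forwarded) the failed logon.
            $Account = Get-ADUser -Identity $User -Server $Dc.HostName `
                -Properties badPwdCount, badPasswordTime, LockedOut -ErrorAction Stop

            # badPasswordTime is a FILETIME value; 0 means no failure recorded here.
            $LastBad = $null
            if ($Account.badPasswordTime -gt 0) {
                $LastBad = [DateTime]::FromFileTime($Account.badPasswordTime)
            }

            [pscustomobject]@{
                User        = $User
                DC          = $Dc.HostName
                IsPdc       = $Dc.OperationMasterRoles -contains 'PDCEmulator'
                BadPwdCount = $Account.badPwdCount
                LastBadPwd  = $LastBad
                LockedOut   = $Account.LockedOut
                Threshold   = $Policy.LockoutThreshold
                ResetAfter  = $Policy.LockoutObservationWindow
            }
        }
        catch {
            # Windows Server 2008 (non-R2) DCs answer these cmdlets only if the
            # Active Directory Management Gateway Service is installed.
            Write-Warning "Query for $User on $($Dc.HostName) failed: $($_.Exception.Message)"
        }
    }
}

$Report | Sort-Object User, DC | Format-Table -AutoSize
```

Running it immediately before and after a deliberate bad-password attempt shows which DC recorded the failure and whether the count on the PDC emulator moved with it.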
