Firstly, 'Hello' everyone, hope someone can give me a pointer in the right direction...
About 6 weeks ago I migrated our DCs from 2008 R2 to 2012, all went swimmingly well, couple of minor issues which were easily resolved.
Today however it was brought to my attention that accounts were locking out after 6 failed password attempts. Now I did have this configured under 2008 R2, so naturally I assumed I could go into the GPO and change that.
I work at a school, this time of year we have the Year 5's coming in for a 'taster' day so rather than create 60 individual accounts, I provide a single generic student account which they can use in the suites.
Unfortunately a couple of the little chaps got the password wrong which locked the account, so to make life easier for the staff I wanted to turn off the account lockout... this is where the fun started.
When I examined the GPOs, even though settings for password complexity etc. were present, all the settings for account lockout were not configured. Historically by default these GPOs were set at the domain level. I then checked the nested OUs to see if the account lockout had been configured there... it hadn't.
When I run secpol on the client machine it clearly shows there is no account lockout policy set, same result if I run an RSOP logging.
To ensure it wasn't an account issue I used a couple of the other accounts - same result.
So I set up logging, here is an extract from the 'winlogon' log, any help would be greatly appreciated.
Make a local copy of
\\xxx.somerset.gov.uk\sysvol\xxx.somerset.gov.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Make a local copy of
\\xxx.somerset.gov.uk\SysVol\xxx.somerset.gov.uk\Policies\{F7E96668-4F42-48C6-9653-9FB153E7E4EA}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Make a local copy of
\\xxx.somerset.gov.uk\SysVol\xxx.somerset.gov.uk\Policies\{ED3526CE-497E-41D4-9954-CDA202D7CB48}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.dom.
This is not the last GPO.
-------------------------------------------
Thursday, July 11, 2013 2:24:15 PM
Administrative privileged user logged on.
Parsing template C:\Windows\security\templates\policies\gpt00000.dom.
Copy undo values to the merged policy.
----Un-initialize configuration engine...
Process GP template gpt00001.inf.
This is not the last GPO.
-------------------------------------------
Thursday, July 11, 2013 2:24:15 PM
Administrative privileged user logged on.
Parsing template C:\Windows\security\templates\policies\gpt00001.inf.
----Un-initialize configuration engine...
Process GP template gpt00002.inf.
-------------------------------------------
Thursday, July 11, 2013 2:24:15 PM
Administrative privileged user logged on.
Parsing template C:\Windows\security\templates\policies\gpt00002.inf.
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure User Rights...
Error assigning SeSystemtimePrivilege to Administrators account. This setting may block administrators from logging on interactively.
There is already an undo value for group policy setting <SeMachineAccountPrivilege>.
There is already an undo value for group policy setting <SeBackupPrivilege>.
There is already an undo value for group policy setting <SeSystemtimePrivilege>.
There is already an undo value for group policy setting <SeCreatePagefilePrivilege>.
There is already an undo value for group policy setting <SeCreatePermanentPrivilege>.
There is already an undo value for group policy setting <SeDebugPrivilege>.
There is already an undo value for group policy setting <SeRemoteShutdownPrivilege>.
There is already an undo value for group policy setting <SeAuditPrivilege>.
There is already an undo value for group policy setting <SeIncreaseBasePriorityPrivilege>.
There is already an undo value for group policy setting <SeServiceLogonRight>.
There is already an undo value for group policy setting <SeInteractiveLogonRight>.
There is already an undo value for group policy setting <SeSecurityPrivilege>.
There is already an undo value for group policy setting <SeSystemEnvironmentPrivilege>.
There is already an undo value for group policy setting <SeProfileSingleProcessPrivilege>.
There is already an undo value for group policy setting <SeSystemProfilePrivilege>.
There is already an undo value for group policy setting <SeRestorePrivilege>.
There is already an undo value for group policy setting <SeTakeOwnershipPrivilege>.
There is already an undo value for group policy setting <SeDenyInteractiveLogonRight>.
There is already an undo value for group policy setting <SeRemoteInteractiveLogonRight>.
Configure S-1-5-20.
remove SeAuditPrivilege.
Error 50: The request is not supported.
Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
remove SeAuditPrivilege.
Configuring SeAuditPrivilege for this account is not supported.
Configure S-1-5-21-3674901190-3434711979-3236415797-1002.
remove SeServiceLogonRight.
Configure S-1-5-32-544.
Configure S-1-5-32-549.
Configure S-1-5-32-551.
Configure S-1-5-21-2305780114-2822244767-3400383141-1109.
Configure S-1-5-21-2305780114-2822244767-3400383141-1126.
Configure S-1-5-21-2305780114-2822244767-3400383141-512.
Configure S-1-5-21-2305780114-2822244767-3400383141-13139.
Configure S-1-5-32-548.
Configure S-1-5-21-2305780114-2822244767-3400383141-5651.
Configure S-1-5-21-2305780114-2822244767-3400383141-13616.
Configure S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420.
Configure S-1-5-19.
remove SeAuditPrivilege.
Error 50: The request is not supported.
Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
remove SeAuditPrivilege.
Configuring SeAuditPrivilege for this account is not supported.
User Rights configuration was completed successfully.
----Configure Group Membership...
Configure xxx\Domain Admins.
old memberof tattoo list: *S-1-5-32-544,
object already member of Administrators.
new memberof tattoo list: *S-1-5-32-544,
Configure xxx\gsglocaladmins.
old memberof tattoo list: *S-1-5-32-544,
object already member of Administrators.
new memberof tattoo list: *S-1-5-32-544,
Group Membership configuration was completed successfully.
----Configure Security Policy...
Start processing undo values for 6 settings.
There is already an undo value for group policy setting <MinimumPasswordLength>.
There is already an undo value for group policy setting <PasswordHistorySize>.
There is already an undo value for group policy setting <MaximumPasswordAge>.
There is already an undo value for group policy setting <MinimumPasswordAge>.
There is already an undo value for group policy setting <PasswordComplexity>.
There is already an undo value for group policy setting <ClearTextPassword>.
Configure password information.
Start processing undo values for 3 settings.
There is already an undo value for group policy setting <LockoutBadCount>.
There is already an undo value for group policy setting <NewAdministratorName>.
Rename the Administrator account to xxxxxxxx.
There is already an undo value for group policy setting <NewGuestName>.
Rename the Guest account to xxxxxxxxx.
There is already an undo value for group policy setting <EnableGuestAccount>.
Guest account is disabled.
System Access configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
There is already an undo value for group policy setting <machine\software\microsoft\driver signing\policy>.
Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd.
There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd>.
Configure machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount>.
Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning>.
Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\disablecad>.
Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername>.
Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption>.
Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext>.
Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous>.
Configure machine\system\currentcontrolset\control\lsa\submitcontrol.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\submitcontrol>.
Configure machine\system\currentcontrolset\control\session manager\protectionmode.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\session manager\protectionmode>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature>.
Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature>.
Configuration of Registry Values was completed successfully.
Audit/Log configuration was completed successfully.
----Configure available attachment engines...
Configuration of attachment engines was completed successfully.
----Un-initialize configuration engine...
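
A log of this shape is easier to read once the setting names are grouped by the section the configuration engine reported them under, which shows at a glance whether any account lockout key (`LockoutBadCount`, `ResetLockoutCount`, `LockoutDuration`) was handled, whatever the GPO editor displays. The following is an added example, not part of the original post; the function names are hypothetical and the sample is a shortened copy of lines from the log above.

```python
import re

# Shortened copy of lines from the log in the post above (sample input).
SAMPLE_LOG = r"""Parsing template C:\Windows\security\templates\policies\gpt00002.inf.
----Configuration engine was initialized successfully.----
----Configure User Rights...
There is already an undo value for group policy setting <SeDebugPrivilege>.
User Rights configuration was completed successfully.
----Configure Security Policy...
Start processing undo values for 6 settings.
There is already an undo value for group policy setting <MinimumPasswordLength>.
There is already an undo value for group policy setting <PasswordComplexity>.
Configure password information.
Start processing undo values for 3 settings.
There is already an undo value for group policy setting <LockoutBadCount>.
There is already an undo value for group policy setting <NewAdministratorName>.
There is already an undo value for group policy setting <machine\software\microsoft\driver signing\policy>.
----Un-initialize configuration engine...
"""

SECTION = re.compile(r"^-{4}(Configure .+?)\.\.\.$")
SETTING = re.compile(r"undo value for group policy setting <(.+)>\.$")
TEMPLATE = re.compile(r"^Parsing template (.+)\.$")
# Account lockout keys as they appear under [System Access] in GptTmpl.inf.
LOCKOUT_KEYS = {"LockoutBadCount", "ResetLockoutCount", "LockoutDuration"}


def parse_sce_log(log_text):
    """Return the templates parsed and the setting names seen per section."""
    result = {"templates": [], "sections": {}}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            # Any dashed marker ends the current section; only
            # "----Configure X..." opens a new one.
            m = SECTION.match(line)
            current = m.group(1) if m else None
            continue
        m = TEMPLATE.match(line)
        if m:
            result["templates"].append(m.group(1))
            continue
        m = SETTING.search(line)
        if m and current:
            result["sections"].setdefault(current, []).append(m.group(1))
    return result


def lockout_settings(parsed):
    """Lockout keys the engine reported, in the order they were logged."""
    return [name for names in parsed["sections"].values()
            for name in names if name in LOCKOUT_KEYS]
```
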