Account Lockout Policy - Powershell cannot detect it

Old 11-08-2007   #1 (permalink)
James
Guest


 

Account Lockout Policy - Powershell cannot detect it

Here is the script. I will explain more at the bottom of script.

=========
function display ($x)
{
    ## password lockout threshold (invalid logon attempts)
    $pw_lockoutthreshold = $x.properties.lockoutthreshold

    ## Reset account lockout counter after (observation window), in minutes
    ## AD stores the interval as a negative count of 100 ns ticks, hence Abs()
    $pw_lockoutobservation = New-Object System.TimeSpan([System.Math]::Abs($x.properties["lockoutobservationwindow"][0]))
    $pw_lockoutobservation_minutes = $pw_lockoutobservation.TotalSeconds / 60

    ## Account lockout duration
    $pw_lockout_duration = New-Object System.TimeSpan([System.Math]::Abs($x.properties["lockoutduration"][0]))
    #$pw_lockout_duration = New-Object System.TimeSpan($x.properties["lockoutduration"][0])

    write-host "Lock Out Threshold: `t" $pw_lockoutthreshold " invalid logon attempts"
    write-host "Reset Account lockout counter after: `t" $pw_lockoutobservation_minutes " minutes"

    if ($pw_lockout_duration.TotalMinutes -gt 0 -and $pw_lockout_duration.TotalMinutes -lt 99999)
    {
        write-host "Account LockOut Duration: `t" $pw_lockout_duration.TotalMinutes " minutes"
    }
    else
    {
        write-host "Account LockOut Duration: `t Administrator must manually unlock locked accounts"
    }
}

cls
$current_dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $current_dom.GetDirectoryEntry()
## get the current domain account policy
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(objectclass=*)"
$result = $search.FindOne()

## display domain policy
display $result
=========
It works fine under this situation:
Lock Out Threshold: 5
Reset Account lockout counter after 80 min
Account LockOut Duration 50 min

But if I set the domain security policy Lock Out Threshold to 0, for which
the group policy *suggested* Reset Account lockout and Account LockOut
Duration = "not defined", the script still displays 80 and 50 minutes
respectively (they retain the old values, especially when the threshold is
set to 0).

How can I make the script accept the *latest* value?









Old 11-08-2007   #2 (permalink)
RichS
Guest


 

RE: Account Lockout Policy - Powershell cannot detect it

Which GPO are you setting these in? The settings only work in a policy
linked at the Domain level. After changing the settings did you refresh the
policy? It can take 90 minutes +/- something to refresh the policy on a
workstation.

Richard Siddaway
Please note that all scripts are supplied "as is" and with no warranty
Blog: http://richardsiddaway.spaces.live.com/
PowerShell User Group: http://www.get-psuguk.org.uk

Old 11-10-2007   #3 (permalink)
James
Guest


 

Re: Account Lockout Policy - Powershell cannot detect it

gpupdate /force at Domain controller
gpupdate /force at workstation immediately
Old 11-13-2007   #4 (permalink)
IT Staff
Guest


 

Re: Account Lockout Policy - Powershell cannot detect it

I ran the script at XP workstations and it still gives the same results.

Should the script be run at the DC?
Closed Thread
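
An added example, not code from any poster in the thread: one way to interpret the three lockout attributes so that a threshold of 0 is reported as "lockout disabled" instead of echoing whatever interval values are still stored on the domain object. The function name `ConvertTo-LockoutPolicy` and the sample values are constructed for illustration; it requires PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Interprets the raw lockout attributes
# of the domain object; function name and sample values are constructed.
function ConvertTo-LockoutPolicy {
    param(
        [int]   $Threshold,          # lockoutThreshold
        [Int64] $DurationTicks,      # lockoutDuration, negative 100 ns intervals
        [Int64] $ObservationTicks    # lockOutObservationWindow, same encoding
    )

    # Threshold 0 means accounts are never locked out. As the thread observes,
    # the two interval attributes can still hold earlier values, so they are
    # deliberately not reported in that case.
    if ($Threshold -eq 0) {
        return [pscustomobject]@{
            LockoutEnabled = $false; Threshold = 0
            ResetCounterMinutes = $null; Duration = 'n/a (lockout disabled)'
        }
    }

    # Math.Abs throws OverflowException on Int64.MinValue, so test it first.
    if ($DurationTicks -eq [Int64]::MinValue -or $DurationTicks -eq 0) {
        $duration = 'until an administrator unlocks the account'
    } else {
        $minutes = (New-Object System.TimeSpan([Math]::Abs($DurationTicks))).TotalMinutes
        # Same upper bound as the script in the thread.
        if ($minutes -lt 99999) { $duration = "$minutes minutes" }
        else { $duration = 'until an administrator unlocks the account' }
    }

    $window = (New-Object System.TimeSpan([Math]::Abs($ObservationTicks))).TotalMinutes
    [pscustomobject]@{
        LockoutEnabled = $true; Threshold = $Threshold
        ResetCounterMinutes = $window; Duration = $duration
    }
}

# Constructed sample values: 50 min and 80 min stored as negative ticks.
$stored = @{ DurationTicks = -30000000000; ObservationTicks = -48000000000 }
ConvertTo-LockoutPolicy -Threshold 5 @stored | Format-List
ConvertTo-LockoutPolicy -Threshold 0 @stored | Format-List

# With the thread's $result (a SearchResult), the inputs would be
# $result.Properties["lockoutthreshold"][0], ["lockoutduration"][0]
# and ["lockoutobservationwindow"][0].
```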
