How to disable account lockout policy on server 2008

Tags: accounts, active-directory, windows-server-2008

We've played around with the account lockout policy but it did not turn out to be a great idea. We have one account that's being used by 100+ computers and every now and then it gets locked.
We weren't able to find out yet why it's being blocked or who's causing it but it happens every 30-90 minutes. This causes our render farm (computer farm) to lose access to the server.

We've changed the values affecting account lockout on the 'default domain policy' about 24h+ ago but it still seems to be active.

Any idea how I can permanently disable it?

Best Answer

You can disable account lockout policy by changing the "Account Lockout Threshold" option to 0. However, if it's not working... it's not working, so that won't help you.

First, check your Group Policy Refresh Interval for both computers and users. They are in Computer Configuration\Administrative Templates\System\Group Policy and User Configuration\Administrative Templates\System\Group Policy. The default is 90 minutes. Perhaps it's set for some absurdly high value.

Next, run gpupdate /force at an elevated command prompt on some of the PCs in your domain and see if the policy is applied to them.

Then, test other policies in the Default Domain Policy to make sure that they're being applied and that it's not a larger issue with Active Directory replication and application. If that's the case, you are well and truly hosed. =)

Finally, look into enabling debug logging for the Net Logon service. Once that's turned on, sift through the logs for bad password events. You should be able to see which computer is generating the event and track down the errant login process from there.
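The checks the answer walks through, as an added PowerShell example that is not part of the original question or answer. It assumes a domain controller (or a domain-joined box with RSAT) running PowerShell 2.0 on Server 2008, the default `%SystemRoot%\debug\netlogon.log` location, and the standard Netlogon status codes for a wrong password (0xC000006A) and a locked-out account (0xC0000234). The registry value names for the refresh interval are taken from memory of the Group Policy ADMX and should be confirmed against `gpresult`; the final step, reading Security event 4740 for the "Caller Computer Name", goes one step beyond the answer but is the usual way to find the machine that tripped the lockout.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on a DC or RSAT-equipped member server. Paths/value names are assumptions
# based on Windows defaults; verify in your own environment.

# 1. What the domain's effective lockout settings really are.
#    A threshold of 0 means lockout is disabled.
net accounts /domain
if (Get-Module -ListAvailable -Name ActiveDirectory) {   # RSAT / 2008 R2+
    Import-Module ActiveDirectory
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# 2. Force a refresh and list the GPOs this computer actually applied.
gpupdate /force
gpresult /r /scope:computer

# 3. Group Policy refresh interval overrides. The values only exist when the
#    policy is configured; "not set" means the 90-minute default applies.
#    (Value names assumed from the System ADMX; confirm with gpresult.)
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
foreach ($name in 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeDC') {
    $v = (Get-ItemProperty -Path $gpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { "$name : not set (default 90 min)" } else { "$name : $v min" }
}

# 4. Turn on Net Logon debug logging (nltest ships with Server 2008).
#    0x2080ffff is the usual "log everything" flag. If netlogon.log does not
#    start growing, restart the Netlogon service once.
nltest /dbflag:0x2080ffff

# 5. Sift netlogon.log for failed logons and count them per source machine.
#    A "Returns" line repeats the description, e.g.
#    "... SamLogon: Network logon of DOM\render from WKS01 (via DC01) Returns 0xC000006A"
$log = Join-Path $env:SystemRoot 'debug\netlogon.log'
$pattern = 'logon of (?<acct>\S+) from (?<src>\S+) .*Returns (?<code>0xC000006A|0xC0000234)'
Select-String -Path $log -Pattern $pattern |
    ForEach-Object { $_.Matches[0].Groups['src'].Value } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# 6. The DC that processed the lockout also writes Security event 4740,
#    whose "Caller Computer Name" is carried in the TargetDomainName field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.EventData.Data
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Account = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Caller  = ($d | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
        }
    } | Format-Table Time, Account, Caller -AutoSize
```

Step 5 is the one to focus on for a shared render-farm account: the top entry of the per-machine count is almost always the box still holding an old password in a scheduled task, mapped drive or service. Remember to turn debug logging off again with `nltest /dbflag:0x0` once you have found it, because the log grows quickly on a busy DC.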