Account lockout policy is not functioning on PCs joined to Active Directory

Satoshi Inagaki 40 Reputation points
2025-12-11T00:31:16.81+00:00

The account lockout policy configured for PCs joined to Active Directory is not functioning.

The detailed status is as follows:

■ Status of AD-joined client PCs
1. Even after several incorrect password attempts when signing in to the client PC,
the account does not get locked out.

2. In the Event Viewer security logs, the logon type is shown as 11,
indicating that the logon is occurring using cached credentials.

3. The client PCs are connected via Wi-Fi.

4. After confirming Wi-Fi connectivity following a successful logon,
we signed out once. Even when entering incorrect passwords again during sign-in,
the account still does not get locked out.

■ Status of the Active Directory server
1. The account lockout policy in the Default Domain Policy is configured as follows:

- Account lockout threshold: 5 attempts

- Reset account lockout counter after: 99,999 minutes

- Account lockout duration: 99,999 minutes

■ Other
- This issue is occurring on multiple devices.

We suspect that the issue may be caused by the clients logging on using cached credentials,
but we have not been able to identify the root cause.
If you have any insights or past cases related to this issue, we would appreciate your guidance.


Answer accepted by question author
  1. Kate Pham (WICLOUD CORPORATION) 430 Reputation points Microsoft External Staff Moderator
    2025-12-11T02:15:31.9466667+00:00

    Hi Satoshi Inagaki,

    Greetings for the day!

    You might encounter this issue when configuring a Group Policy with Account Policies (Lockout or Password Policy settings), but the settings are not taking effect as expected. This issue can affect Lockout Policy and Password Policy settings. Allow me to address it in the answer below.

     

    Possible cause:

    Domain Controllers, by default, read Account Policies from the Default Domain Policy, making these the effective settings. People often misunderstand this behavior and apply conflicting Account Policies via GPOs at the OU level, unaware that only the Default Domain Policy settings will apply.

    To verify the effective Account Policies settings:

    Launch ADSIEdit.msc, connect to the "Default naming context" (domain partition), open the Properties of the base domain object, then go to the Attribute Editor.


    Technically, Group Policies are applied in the order Local, Site, Domain, Organizational Unit (LSDOU), so an OU-level policy will take precedence over the Domain policy during group policy processing, therefore, the OU-level policy will appear to win on the target machine. If you check “net accounts” on that target machine, you would be able to see the Account Policy that the machine is applying. However, since account policies are processed at the Domain Controller, the settings that are respected are the Account Policy settings that the Domain Controller reads, which by default are the settings defined on the Default Domain Policy GPO. Therefore, if you need to apply more than one Lockout Policy or Password Policy in your environment, consider using Fine-Grained Password Policies.

    Account Policies - Windows 10 | Microsoft Learn

    “Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).”

     

    If you believe this information adds some value, please feel free to click accept the answer so that your experience with the issue would help contribute to the whole community.

    Thanks, and regards!

    Kate.
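As an added example (not part of the answer above), the following PowerShell compares the lockout settings the domain controllers actually enforce with what a client reports via `net accounts`, and checks whether a Fine-Grained Password Policy overrides the domain default for a given user. It assumes the RSAT ActiveDirectory module is installed and is run from a domain-joined machine; the user name is a constructed placeholder.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Domain-wide policy the DCs enforce. These are the same values ADSIEdit shows on the
#    domain object (lockoutThreshold, lockoutDuration, lockOutObservationWindow).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
"Domain policy enforced by DCs:"
$domainPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# 2. What this machine believes after LSDOU processing. If these differ from step 1,
#    an OU-level GPO is winning on the client display but not on the DC enforcement.
"Policy as reported by this client (net accounts):"
net accounts | Where-Object { $_ -match 'Lockout' }

# 3. Resultant policy for one account. A Fine-Grained Password Policy (PSO) takes
#    precedence over the Default Domain Policy for the users or groups it targets.
$user = 'sample.user'   # constructed placeholder; replace with the account under test
$pso = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) {
    "FGPP '$($pso.Name)' applies to $user (lockout threshold $($pso.LockoutThreshold))"
} else {
    "No FGPP applies to $user; the Default Domain Policy values above are in effect"
}
```

A threshold of 0 in step 1 means the domain never locks accounts regardless of what the client shows in step 2.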

     


Answer accepted by question author
  1. Q&A Assist
    2025-12-11T00:31:31.5833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The issue you are experiencing with the account lockout policy not functioning on AD-joined PCs may indeed be related to the use of cached credentials. When users log in using cached credentials (as indicated by the logon type 11 in the Event Viewer), the account lockout policy does not apply because the authentication is happening locally rather than against the domain controller.

    Here are some insights that could help you troubleshoot this issue:

    1. Cached Credentials: When a user logs in with cached credentials, the account lockout policy does not trigger because the authentication does not reach the domain controller. This means that even if incorrect passwords are entered multiple times, the lockout threshold configured in Active Directory will not be enforced.
    2. Network Connectivity: Ensure that the client PCs have reliable connectivity to the domain controller. If the connection is intermittent, it might lead to the system falling back on cached credentials.
    3. Account Lockout Policy Configuration: Verify that the account lockout policy is correctly applied to the Organizational Unit (OU) where the client PCs reside. Sometimes, policies may not propagate as expected due to inheritance or filtering settings.
    4. Testing with Direct Domain Authentication: To test if the lockout policy works, try logging in directly with domain credentials while ensuring that the client is connected to the network and can reach the domain controller. This will help confirm if the policy is functioning correctly when not using cached credentials.
    5. Group Policy Update: Run gpupdate /force on the client machines to ensure they are receiving the latest Group Policy settings from the domain.
    6. Event Logs: Check the security logs on the domain controller for any relevant events that might indicate issues with the application of the account lockout policy.

    If the problem persists after these checks, consider reviewing the Group Policy settings and ensuring that there are no conflicting policies that might affect the account lockout behavior.
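The following PowerShell is an added example, not part of the answer above. Run on the client with administrative rights, it groups recent sign-ins by logon type so cached logons (type 11) can be separated from domain logons, checks that a domain controller is reachable on the ports a domain logon needs, and queries the PDC emulator for lockout events (4740) for a test account. The account name is a constructed placeholder.

```powershell
# Added example, not from the thread. Run elevated: reading the Security log needs admin rights.

# 1. Successful (4624) and failed (4625) logons from the last 24 hours, grouped by type.
#    Type 2 = Interactive, 7 = Unlock, 10 = RemoteInteractive, 11 = CachedInteractive
#    (no DC was contacted, so the domain lockout counter is never incremented).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        LogonType = $data['LogonType']
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
    }
} | Where-Object { $_.LogonType -in '2', '7', '10', '11' } |
    Group-Object EventId, LogonType | Select-Object Count, Name | Format-Table -AutoSize

# 2. Is a DC reachable right now? A domain logon needs Kerberos (88) and LDAP (389).
#    If these fail at sign-in time, Windows falls back to cached credentials.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$dc     = $domain.FindDomainController().Name
"Located DC: $dc"
foreach ($port in 88, 389) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "  TCP $port to $dc : $ok"
}
"Secure channel healthy: $(Test-ComputerSecureChannel)"

# 3. Lockouts are recorded as event 4740 on the PDC emulator, which receives every
#    bad-password retry. Remote event log access to the PDC is required.
$pdc  = $domain.PdcRoleOwner.Name
$user = 'sample.user'   # constructed placeholder; replace with the account under test
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

To test direct domain authentication as item 4 suggests, confirm step 2 succeeds first, then sign in with deliberate wrong passwords and expect 4625 events with logon type 2 (not 11) here and, after the fifth attempt, a 4740 on the PDC emulator.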


1 additional answer

  1. Satoshi Inagaki 40 Reputation points
    2025-12-11T02:53:33.9066667+00:00

    2. **Network Connectivity**: Ensure that the client PCs have reliable connectivity
    to the domain controller. If the connection is intermittent,
    it might lead to the system falling back on cached credentials.
    Is there a way to confirm this is a stable connection?

    4. **Testing with Direct Domain Authentication**: To test if the lockout policy works,
    try logging in directly with domain credentials while ensuring
    that the client is connected to the network and can reach the domain controller.
    This will help confirm if the policy is functioning correctly when not using cached credentials.
    Please tell me how to test with direct domain authentication.

    If you have any insights or past cases related to this issue, we would appreciate your guidance.

