Samba4 - Account lock out / GPO

Brian C. Huffman bhuffman at
Wed Dec 12 13:04:14 MST 2012


This is a good document (lots of information), but unfortunately doesn't 
completely answer my question and raises a few more.

For full disclosure: I'm using Kerio Mail server authenticating to Samba 
4 via Kerberos.  For the most part this has been working well.  However, 
when a user types their password wrong in Thunderbird (mail client), I 
can see entries in Kerio's log that say invalid password.  After some 
number of these (haven't quite figured out since Thunderbird seems to 
send a bad password 3 times in a row before notifying the user), if the 
user then types the correct password, I see "Attempt to IMAP login to 
locked account <username>"

At this point, if I go to the Windows "Active Directory Users and 
Computers" tool and go into the user's properties and select "Unlock 
account" and then apply, it seems to resolve itself eventually (albeit 
not immediately - another concern).

The document you linked to says:
You can configure the account lockout policy settings in the following 
location within the Group Policy Object Editor:
     Computer Configuration\Windows Settings\Account Policies\Account 
Lockout Policy

Unfortunately there's no "Account Policies" listed under Windows 
Settings in my Group Policy Management Editor (v, MMC 3.0, v6.1)

For the Default Domain Policy, under Computer Configuration, I'm seeing 
"Policies" and "Preferences" as my options (not even mentioned in this 
article).  If I click Policies (seems right), I see Windows Settings, 
but there's no "Account Policies" listed under it.

So, a few more questions - is there a way to see and/or set this from 
the command line?  Samba-tool?

Also, while Kerio is saying that the account is locked, since the unlock 
doesn't immediately do anything (takes a few minutes - haven't been able 
to nail it down), is there a way that I can truly verify that it's 
locked?  I tried using ADSI Edit (in Windows) to look at the user and I 
don't see any parameter that would indicate that the account is locked.


Stumped.  Any advice?


On 12/12/2012 12:09 PM, Ricky Nance wrote:
> I think you are looking for this... 
> <>
> Ricky
> On Wed, Dec 12, 2012 at 9:49 AM, Brian C. Huffman 
> <bhuffman at <mailto:bhuffman at>> 
> wrote:
>     I've noticed that Samba4 by default locks the user account after
>     "x" number of failed logins.
>     How can that be changed?  It would be good to know if it can be
>     turned off completely (although I rather like the concept) and
>     also how to change the number "x" of failed logins required to lock.
>     I imagine it could be done in the Group Policy editor but I can't
>     seem to find the option.  I'm using the tools for Windows 7.
>     I'd certainly be comfortable with command-line options as well.
>     Thanks,
>     Brian

More information about the samba-technical mailing list