The 'Account Lockout Duration' displays as -1 in the reports when the value is set to 0 in GPEdit (NETIQKB44964)

  • 7744964
  • 02-Feb-2007
  • 08-Sep-2008


NetIQ Group Policy Administrator 4.5

The 'Account Lockout Duration' displays as -1 in the reports when the value is set to  0 in GPEdit

Group Policy Administrator (GPA) reports displays the value for the Account Lockout Duration as -1 when the value is set to 0 in the Default domain policy

NetIQ GPA is showing the actual value of this setting that is held in the Sysvol.


The value for 'Account Lockout Duration' is stored in the Sysvol (C:\WINDOWS\SYSVOL\sysvol\domain_name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit) in the GptTmpl.inf file.  When this value is set to 0 in GPEdit, this file gets the value of -1.  Group Policy Administrator (GPA) 4.5 is showing the value as held in the Sysvol.   When GPEdit and GPMC displays the value, it translates the -1 to be a 0 when displayed. 

This issue is resolved in Group Policy Administrator 4.6 and later.


To reproduce:

  1. Edit Default Domain Policy
  2. Expand Computer configuration | Windows Settings | Security Settings | Account Policies
  3. Highlight Account Lockout Policy
  4. Modify the Account Lockout Duration and set it to 0
  5. Open GPA report for the Default Domain Policy in GPA and notice it shows as -1

Additional Information

Formerly known as NETIQKB44964