The 'Account Lockout Duration' displays as -1 in the reports when the value is set to 0 in GPEdit (NETIQKB44964)

  • 7744964
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

fact
NetIQ Group Policy Administrator 4.5

symptom
The 'Account Lockout Duration' displays as -1 in the reports when the value is set to  0 in GPEdit

symptom
Group Policy Administrator (GPA) reports displays the value for the Account Lockout Duration as -1 when the value is set to 0 in the Default domain policy

cause
NetIQ GPA is showing the actual value of this setting that is held in the Sysvol.

fix

The value for 'Account Lockout Duration' is stored in the Sysvol (C:\WINDOWS\SYSVOL\sysvol\domain_name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit) in the GptTmpl.inf file.  When this value is set to 0 in GPEdit, this file gets the value of -1.  Group Policy Administrator (GPA) 4.5 is showing the value as held in the Sysvol.   When GPEdit and GPMC displays the value, it translates the -1 to be a 0 when displayed. 

This issue is resolved in Group Policy Administrator 4.6 and later.



note

To reproduce:

  1. Edit Default Domain Policy
  2. Expand Computer configuration | Windows Settings | Security Settings | Account Policies
  3. Highlight Account Lockout Policy
  4. Modify the Account Lockout Duration and set it to 0
  5. Open GPA report for the Default Domain Policy in GPA and notice it shows as -1


Additional Information

Formerly known as NETIQKB44964