Resolution
fact
NetIQ Group Policy Administrator 4.5
symptom
The 'Account Lockout Duration' displays as -1 in the reports when the value is set to 0 in GPEdit
symptom
Group Policy Administrator (GPA) reports displays the value for the Account Lockout Duration as -1 when the value is set to 0 in the Default domain policy
cause
NetIQ GPA is showing the actual value of this setting that is held in the Sysvol.
fix
note
NetIQ Group Policy Administrator 4.5
symptom
The 'Account Lockout Duration' displays as -1 in the reports when the value is set to 0 in GPEdit
symptom
Group Policy Administrator (GPA) reports displays the value for the Account Lockout Duration as -1 when the value is set to 0 in the Default domain policy
cause
NetIQ GPA is showing the actual value of this setting that is held in the Sysvol.
fix
The value for 'Account Lockout Duration' is stored in the Sysvol (C:\WINDOWS\SYSVOL\sysvol\domain_name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit) in the GptTmpl.inf file. When this value is set to 0 in GPEdit, this file gets the value of -1. Group Policy Administrator (GPA) 4.5 is showing the value as held in the Sysvol. When GPEdit and GPMC displays the value, it translates the -1 to be a 0 when displayed.
This issue is resolved in Group Policy Administrator 4.6 and later.
note
To reproduce:
- Edit Default Domain Policy
- Expand Computer configuration | Windows Settings | Security Settings | Account Policies
- Highlight Account Lockout Policy
- Modify the Account Lockout Duration and set it to 0
- Open GPA report for the Default Domain Policy in GPA and notice it shows as -1
Additional Information
Formerly known as NETIQKB44964