Shavlik: Get GPO Account Lockout Settings

Version 5

    Author: Shavlik

    Category: Information

    Inputs: None

    Minimum ITScripts engine version required:

    Modifies the target machine: No

    Name: Get GPO Account Lockout Settings

    Outputs: GPO account lockout settings are written to a CSV file

    Purpose: This script queries the target machine(s) for GPO-based account lockout settings.

    Script Version:

    Target Type: Any


    Technical Description:

    The script will output the following information:

    - Machine Name

    - Setting name: Possible values are:

    • Account lockout duration (Time in minutes - If 0 requires the admin to unlock the account)

    • Account lockout threshhold (Number of invalid attempts)

    • Reset account lockout counter after (Time)

    - Setting Value: Shows the setting and the units. For special cases (for example, if duration is set to 0) the script will provide an explanation of the setting.


    The script will provide descriptive errors if it fails to connect to a machine or fails to get account lockout settings.


    Note: To manually monitor a target machine, open Microsoft Management Console (MMC) and go to: local computer policywindows setttingssecurity settingsaccount policies.


    Possible Operations Monitor results include:

    "WMI connection to the target machine failed. Access is denied."

    "WMI connection to the target machine failed. The machine may be offline or firewalled."

    "Unable to get GPO lockout settings from a computer in a workgroup"