Account Lockout Policy in Active Directory:
The Account Lockout Policy in Active Directory is an important security setting. You have probably run into this situation: your Active Directory user account gets locked because the number of invalid password attempts reached the maximum allowed count (the Account lockout threshold). Once locked, you cannot log on until a set period has passed (the Account lockout duration) or until your system administrator unlocks the account manually. The policy limits online password-guessing attacks (brute force and password spraying) against domain accounts, but an attacker can also abuse a tight policy to lock legitimate users out on purpose, so the three values below are a trade-off rather than a "lower is safer" knob.
The Account Lockout Policy consists of three settings:
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
Account Lockout Policy Settings:
We can create a new GPO for the Account Lockout Policy. Open the Group Policy Management console for the domain:
Right-click the domain node and choose to create a GPO in this domain and link it here. Account policies for domain accounts are only read from GPOs linked at the domain level (by default the Default Domain Policy); a GPO carrying these settings that is linked to an OU affects only the local accounts on the computers in that OU:
Create a new GPO for Account Lockout Policy:
The Account Lockout Policy is located under Computer Configuration, then Policies, Windows Settings, Security Settings, Account Policies:
Account lockout duration:
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
Configure the account lockout duration:
We can accept the value suggested by the console (it proposes 30 minutes once a threshold is defined) or enter our own:
Account lockout threshold:
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.
Configure the account lockout threshold:
Reset account lockout counter after:
This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Configure the reset account lockout counter after:
Run the following command on a domain controller to refresh Group Policy (the PDC emulator is the DC that writes account policy settings to the domain object): gpupdate /force
The Group Policy update completed successfully.
Example Account Lockout Policy Scenario
- Account lockout duration: 5 minutes
- Account lockout threshold: 50 invalid logon attempts
- Reset account lockout counter after: 1 minute
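The same scenario applied from PowerShell instead of the console, as an added example that is not part of the original article. It uses the ActiveDirectory module from RSAT and assumes it is run by an account allowed to modify the domain object; the domain name `corp.example.com` and the account name `jdoe` are placeholders. The script checks the two constraints stated in the setting descriptions above (threshold in 0..999, reset window not longer than the lockout duration) before writing anything, then verifies the result and shows how an administrator finds and unlocks a locked-out account.

```powershell
# Added example (not from the original article): apply the example lockout
# values with the ActiveDirectory module and verify them.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # assumption: replace with your own domain

# Values from the example scenario.
$LockoutDuration   = New-TimeSpan -Minutes 5
$ObservationWindow = New-TimeSpan -Minutes 1   # "Reset account lockout counter after"
$LockoutThreshold  = 50

# Constraints from the setting descriptions: threshold 0..999, and the reset
# window must be <= the lockout duration unless duration is 0 (manual unlock).
if ($LockoutThreshold -lt 0 -or $LockoutThreshold -gt 999) {
    throw "Lockout threshold must be between 0 and 999."
}
if ($LockoutDuration -ne [TimeSpan]::Zero -and $ObservationWindow -gt $LockoutDuration) {
    throw "Reset window ($ObservationWindow) must not exceed lockout duration ($LockoutDuration)."
}

# Show what is currently in effect before changing anything.
Write-Host "Current domain account lockout policy:"
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Write the values to the domain object. Note: when the PDC emulator refreshes
# Group Policy it rewrites these attributes from the domain-linked GPO, so the
# GPO must carry the same values or this change will be reverted.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold $LockoutThreshold `
    -LockoutDuration $LockoutDuration `
    -LockoutObservationWindow $ObservationWindow

# Verify that the values took effect.
$Policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
if ($Policy.LockoutThreshold -ne $LockoutThreshold -or
    $Policy.LockoutDuration -ne $LockoutDuration -or
    $Policy.LockoutObservationWindow -ne $ObservationWindow) {
    throw "Policy values were not applied as expected."
}
Write-Host "Effective policy after change:"
$Policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Day-to-day use: list accounts that are currently locked out, then unlock one.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
# Unlock-ADAccount -Identity 'jdoe'   # 'jdoe' is a placeholder account name
```

`net accounts /domain` on any domain-joined machine prints the same three values as the domain controllers see them and is a quick way to confirm that the GPO refresh actually changed the effective policy.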