Account Password Lockout Notes

Mindwatering Incorporated

Author: Tripp W Black

Created: 06/07/2009 at 01:58 PM

 

Category:
Microsoft Server
Other/Misc.

Update Policy rules via the domain's Default policy.

In the Group Policy Management Editor -->
Configuration --> Windows Settings --> Account Policies --> Account Lockout Policy.
Double-click the Account lockout threshold entry in the right pane and put a check in the Define this policy setting checkbox.
Enter a value as the threshold. (e.g. 5 or 10). Click OK.
Note: When you click OK, the Account lockout duration and the Reset account lockout counter settings will be set. You can now change them from their defaults.

Account lockout duration
Specifies the number of minutes a locked out account will remain unavailable before a user can attempt to log back in.

Account lockout threshold 
This setting determines the number of failed logon attempts before a lockout occurs.

Reset account lockout counter after
This is the length of time before the count of failed logon attempts (the count that is compared against the Account lockout threshold) resets to zero.

In the Group Policy Management Console -->
Forest: mydomain.org --> Domains --> mydomain.org --> Default Domain Policy.
Right-click and choose Edit.

Want to create different policies?
Link to MS Password and Account Lockout Policy Guide:
http://technet.microsoft.com/en-us/library/cc770842.aspx

Link to MS whitepaper on account lockout best practices:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

There is a bug in 2003 where a domain lockout would still allow OWA access. I don't know if this was ever fixed.
