Lockout Policy

Account lockout is a useful method for slowing down online password-guessing attacks and for compensating for weak password policies. These three policies work together to limit the number of consecutive failed logon attempts (failures due to a bad password) that are tolerated within a period of time. To strengthen account lockout policy, increase Account lockout duration, decrease Account lockout threshold and increase Reset account lockout counter after. Making these policies too strict, though, can lead to premature account lockouts and increased helpdesk support calls.

Policy Scope

All of the settings in this section apply either to domain accounts in Active Directory or to local accounts on member servers. See the article "Account Policies Explained" at the upper level. Also see the article "Fine Grained Password and Lockout Policy".
Example policies

The following policy is too weak; it would only trigger lockouts for very brazen password-guessing attacks.
The following policy will limit an attacker to 10 consecutive logon attempts during any 24-hour period and require an administrator to unlock the account:
Troubleshooting

Administrators frequently struggle with repeated, unexplained and seemingly spontaneous account lockouts for a given user account. This is frequently due to a workstation where a user account remains logged on after that account's password has been changed elsewhere. But there are many other possible reasons, including stored credentials, programs that cache credentials, scheduled tasks, services, persistent drive mappings, Active Directory replication problems and disconnected Terminal Services sessions. Microsoft has produced a number of resources to help diagnose this problem.
Remember that, for domain accounts, Active Directory enforces just one account lockout policy for all domain user accounts in the entire domain. This policy is defined in the Default Domain Policy GPO linked to the root of the domain. See the upper-level article for more information.
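As an added example (not code from the WinSecWiki page), the following PowerShell function evaluates the three lockout settings against the rule of thumb given above; the numeric cut-offs used to flag a "weak" setting are assumptions for illustration, and the zero-duration-means-administrator-unlock convention follows the Group Policy semantics described on this page.

```powershell
# Added example, not from the WinSecWiki page. Evaluates a lockout policy
# using the Group Policy conventions: threshold 0 = never lock, duration 0 =
# locked until an administrator unlocks the account.
function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)][int]$LockoutThreshold,       # Account lockout threshold
        [Parameter(Mandatory)][timespan]$LockoutDuration,   # Account lockout duration
        [Parameter(Mandatory)][timespan]$ObservationWindow  # Reset account lockout counter after
    )
    $findings = @()
    if ($LockoutThreshold -eq 0) {
        $findings += 'Threshold is 0: accounts never lock, so online guessing is unlimited.'
    } elseif ($LockoutThreshold -gt 20) {   # assumed cut-off for illustration
        $findings += "Threshold $LockoutThreshold only catches very brazen guessing."
    }
    if ($LockoutThreshold -gt 0) {
        if ($ObservationWindow.TotalMinutes -lt 60) {   # assumed cut-off for illustration
            $findings += "Counter resets after $($ObservationWindow.TotalMinutes) min; slow guessing stays under the threshold."
        }
        if ($LockoutDuration -eq [timespan]::Zero) {
            $findings += 'Duration 0: locked accounts need an administrator to unlock them (strongest, most helpdesk calls).'
        } elseif ($LockoutDuration -lt $ObservationWindow) {
            # Windows requires the lockout duration to be >= the reset window when a threshold is set.
            $findings += 'Lockout duration is shorter than the observation window; Windows will not accept this combination.'
        }
    }
    [pscustomobject]@{
        Threshold       = $LockoutThreshold
        DurationMinutes = $LockoutDuration.TotalMinutes
        WindowMinutes   = $ObservationWindow.TotalMinutes
        Findings        = $findings
    }
}

# Constructed sample matching the example policy above: 10 attempts, 24-hour window, admin unlock.
Test-LockoutPolicy -LockoutThreshold 10 -LockoutDuration ([timespan]::Zero) -ObservationWindow (New-TimeSpan -Hours 24)

# Constructed sample of a weak policy: 50 attempts, counter reset after 5 minutes, 5-minute lockout.
Test-LockoutPolicy -LockoutThreshold 50 -LockoutDuration (New-TimeSpan -Minutes 5) -ObservationWindow (New-TimeSpan -Minutes 5)

# On a domain-joined host with the ActiveDirectory module, the live default domain policy can be
# fed in the same way (assumed usage; property names are those of Get-ADDefaultDomainPasswordPolicy):
# $p = Get-ADDefaultDomainPasswordPolicy
# Test-LockoutPolicy -LockoutThreshold $p.LockoutThreshold -LockoutDuration $p.LockoutDuration -ObservationWindow $p.LockoutObservationWindow
```

For local accounts on a member server the domain policy does not apply; the local values are the ones shown by `net accounts` on that host.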
What is an account lockout policy?
The account lockout policy "locks" the user's account after a defined number of failed password attempts. The account lockout prevents the user from logging onto the network for a period of time, even if the correct password is entered.

How many attempts is the account lockout threshold?
A locked account can't be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0.

Where is the account lockout policy?
The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

What is Reset account lockout counter after?
Reset account lockout counter after is the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.