Account Lockout Policy In Windows Server GPO


One thing that makes Windows a very cool operating system for servers is Active Directory. Active Directory is a very powerful tool that lets us manage tens of thousands of users in no time. It has a very cool component called Group Policy Management, commonly referred to as GPO. GPO is used to define various types of security policies for users and computers to protect them from external threats. Today we will talk about one of the most popular security policies of GPO, the Account Lockout policy.


Path To Account Lockout Policy

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

Components Of Account Lockout Policy

Below are the policies which we can configure under Account Lockout Policy:

  1. Account Lockout Duration
  2. Account Lockout Threshold
  3. Reset Account Lockout Counter After

Let's look at each of them in more detail:

1. Account Lockout Duration:

This is the time in minutes that a locked-out user must wait before trying to log in again. By default, it is set to 30 minutes. This means that if a user account is locked out, it will be unlocked again automatically after 30 minutes. On the other hand, if this value is set to 0, then only an administrator can unlock the account.

2. Account Lockout Threshold:

This policy specifies the number of wrong password attempts a user can make before his/her AD account is locked out. For example, if it is set to three, then after three wrong password attempts the account will be locked out and you will never be able to log in again unless you get it unlocked by the helpdesk.

3. Reset Account Lockout Counter After:

The Reset account lockout counter after policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. For example, if it is set to 30 minutes and you enter a wrong password for the first time, the failed logon attempt counter will be set to 1. After 30 minutes this counter will be reset to 0 again.
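To check how the three settings above are actually configured in a domain, the following PowerShell script reads them and flags the combinations that change behaviour. It is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined, and the function name Test-LockoutPolicy is hypothetical.

```powershell
# Added example: audit the domain's account lockout settings.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Hypothetical helper: returns a list of findings for one set of values.
function Test-LockoutPolicy {
    param(
        [int]$Threshold,               # Account Lockout Threshold
        [TimeSpan]$Duration,           # Account Lockout Duration
        [TimeSpan]$ObservationWindow   # Reset Account Lockout Counter After
    )
    $findings = @()
    if ($Threshold -eq 0) {
        # With a threshold of 0 the other two settings have no effect.
        $findings += 'Threshold is 0: accounts are never locked out.'
        return $findings
    }
    if ($Duration -eq [TimeSpan]::Zero) {
        $findings += 'Duration is 0: only an administrator can unlock a locked account.'
    }
    elseif ($ObservationWindow -gt $Duration) {
        # Windows expects the reset window to be <= the lockout duration.
        $findings += 'Reset counter window is longer than the lockout duration.'
    }
    return $findings
}

# Read the values the domain currently enforces.
$policy = Get-ADDefaultDomainPasswordPolicy
'Threshold        : {0} attempts' -f $policy.LockoutThreshold
'Duration         : {0} minutes'  -f $policy.LockoutDuration.TotalMinutes
'Reset counter in : {0} minutes'  -f $policy.LockoutObservationWindow.TotalMinutes

$issues = Test-LockoutPolicy -Threshold $policy.LockoutThreshold `
    -Duration $policy.LockoutDuration `
    -ObservationWindow $policy.LockoutObservationWindow
if ($issues) { $issues | ForEach-Object { "FINDING: $_" } }
else         { 'No findings for the configured values.' }

# Accounts that are locked out right now (candidates for a helpdesk unlock).
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, Enabled, LockedOut
```

A listed account can be unlocked with Unlock-ADAccount -Identity followed by its SamAccountName.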

Reference: Microsoft

