Comments on: Active Directory: Account Lockout Policy – Think Twice Before Applying

By: How to Limit the Number of Failed Login Attempts - Lapodz

How to Limit the Number of Failed Login Attempts - Lapodz — Thu, 29 Apr 2021 05:40:59 +0000

[…] Account lockout policy settings in detail […]

By: Active Directory Login Attempts

Active Directory Login Attempts — Tue, 14 Jul 2020 23:30:58 +0000

[…] Active Directory: Account Lockout Policy – Raving Roo […]

By: GayleGG

GayleGG — Sun, 15 Apr 2018 16:08:00 +0000

The only possible use we would have for a lock-out policy… is 1 that Windows has never supported:
1. Allow an infinite number of guesses.
2. After EACH wrong guess… lock the user out for 3 seconds.

it would be pointless for hackers to waste YEARS trying to guess 1 password.
Valid users would never notice a problem… if they enter a wrong password… by the time they typed in another one…
it would be ok to do so. They would never notice any “lock out” ever.

Or DOES Windows support that? Perhaps via a direct RegEdit? Does anyone know the 3 password values that
would be needed?

By: Paul Warner

Paul Warner — Tue, 30 Jan 2018 00:38:00 +0000

It’s solved in OpenLDAP!
http://www.zytrax.com/books/ldap/ch6/ppolicy.html

By: trxr

trxr — Fri, 01 Sep 2017 09:41:00 +0000

Frankly, it seems more about “think twice before letting iPhone access Exchange directly” if it behaves so badly.
For true service accounts, set them to non-expire, have a rigorous password rotation policy (yeah, we only do ours once a year, which we need to improve) and least-privilege access. Consider MSAs and GMSAs for services that support them.
For administrators who leave sessions open and then change their passwords, give them a smack and tell them to grow up and learn to manage systems properly.
For end-users (and practically-speaking, administrators as well), implement a group policy that logs off sessions more than X days in duration (we use three – if you’re an administrator who’s running something under your own credentials for more than three days on the trot, you have other problems).
For the iPhone users (and everyone else, maybe), if you can’t solve the problem at the source, send out emails warning of password expiries 5 days in advance, with a little blurb on the potential problems if you’re an iPhone user.
I’ve worked in AD environments for, ooh, 17 years, and I have never had dire problems with account lockout policies (then again, we don’t have iphones directly connected to Exchange). Typically lockout counter of 15 minutes, <=10 attempts, unlocks after 30 mins. For this suggested 1 x 50 scenario (excellent, plenty of goes for that brute force attack to run through the common Password1-type dictionary entries), it can mask the issue if some stashed credential only wakes up at relatively long intervals, and I think it complicates the troubleshooting.

By: Secrets of Active Directory Lockouts: How to Find Apps with Stale Credentials

Secrets of Active Directory Lockouts: How to Find Apps with Stale Credentials — Thu, 11 Aug 2016 21:41:48 +0000

[…] The “account lockout threshold” setting should be shifted to a much higher number than three—perhaps 20 or 30—so that you, or more to the point, a hacker really has to be hammering at the account to trigger a lockout. “account lockout duration”, the time to wait before the account is automatically unlocked, set to a more sensible ten minutes (instead of, say, 12 hours), and different from the default of zero, which is a permanent lockout. And finally, the tricky “reset account lockout policy after” defaut set to one minute. You can read more about this approach here. […]

By: David K. Sutton

David K. Sutton — Fri, 26 Dec 2014 17:01:00 +0000

In reply to Abc123. If you set the Duration to 0, the account will remain locked until unlocked by an admin.

By: Abc123

Abc123 — Fri, 26 Dec 2014 09:09:00 +0000

I have question with this setting.

It is always recommended that the Account Lockout Duration be greater than the Reset account lockout counter but what happens if the reset account lockout counter is greater than the account lockout duration?

Like for example

Account Lockout Duration 0
Account Lockout Threshold 15
Reset Account Lockout after 30 minutes.

Many Thanks!

By: David K. Sutton

David K. Sutton — Wed, 01 Oct 2014 20:27:00 +0000

In reply to Michael McNally.

The PSO lockout settings are the same with the exception that the “Reset account lockout counter after” setting is called “LockoutObservationWindow” in the PSO object, but it performs the same function.

As for setting up PSO objects, it’s on my todo list to create a blog post on that.

By: Michael McNally

Michael McNally — Wed, 01 Oct 2014 18:42:00 +0000

In reply to David K. Sutton. I'd be interested in seeing how to set this up using Fine-Grained password policies. The standard Account lockout settings (the ones you specify in the article) are located under the Computer Settings tree of the GPO. I actually tried setting this up, moved a user to the new OU, and looked at the resultant set of policy report before the light bulb went off in my head.