Account lockout, aka Intruder Detection, is a password-security feature of Windows 2000 and later that disables a user account when a certain number of failed logons caused by wrong passwords occur within a certain interval of time. The purpose of account lockout is to stop attackers from brute-forcing a user's password: too many bad guesses and the account is locked out.

To configure account lockout in an AD domain environment you typically use the Default Domain Policy, a Group Policy Object (GPO) linked to the domain. The relevant Group Policy settings are found under:

Computer Configuration
     Windows Settings
          Security Settings
               Account Policies
                    Account Lockout Policy

Three policy settings#

The three policy settings are:
  • Account lockout duration - How long (in minutes) a locked-out account remains locked-out (range is 1 to 99,999 minutes).
  • Account lockout threshold - How many failed logons it will take until the account becomes locked-out (range is 1 to 999 logon attempts).
  • Reset account lockout counter after - How long (in minutes) it takes after a failed logon attempt before the counter tracking failed logons is reset to zero (range is 1 to 99,999 minutes).

A few special cases#

A few special cases are:

Some Issues to watch Out For#

While some of these examples seem somewhat contrived since they assume an attacker has physical access to the network, it turns out account lockout is much more than just typing wrong passwords into the Log On to Windows dialog box.

Other ways accounts can get locked out include:

  • Applications using cached credentials that are stale.
  • Stale service account passwords cached by the Service Control Manager (SCM).
  • Stale logon credentials cached by Stored User Names and Passwords in Control Panel.
  • Scheduled tasks and persistent drive mappings that have stale credentials.
  • Disconnected Terminal Service sessions that use stale credentials.
  • Failure of Active Directory replication between domain controllers.
  • Users logging into two or more computers at once and changing their password on one of them.
Any one of the above situations can trigger an account lockout condition, and the results can include applications behaving unpredictably and services inexplicably failing.

Active Directory Account Lockout can only be triggered by the system itself - please don't mix this up with the normal disable/enable operation for user accounts. You can search the directory for locked accounts.

Unlock from Active Directory Account Lockout#

The easiest unlock method is based on the lockouttime attribute and works for all Active Directory versions since Windows 2000. The lockouttime attribute holds the date and time of the account lock event.

The only value that may be written to the lockouttime attribute is "0", which effectively unlocks the account.
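The following PowerShell is an added example, not code from the original page: it lists accounts with a lockouttime set, shows which are still locked, unlocks one by writing 0 to the attribute as described above, and reads the domain controller's lockout events so the stale-credential sources listed earlier (cached credentials, services, scheduled tasks, mapped drives) can be traced to the computer that caused them. It assumes the RSAT ActiveDirectory module, rights to modify the target accounts and to read the Security log on the PDC emulator; 'jdoe' is a placeholder account name.

```powershell
# Added example; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The three Account Lockout Policy settings currently in force for the domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Accounts with a non-zero lockouttime. The attribute is a FILETIME and stays set
# after the lockout duration expires (until the next successful logon), so a
# non-zero value alone does not prove the account is still locked.
$withLockoutTime = Get-ADUser -LDAPFilter '(lockoutTime>=1)' -Properties lockoutTime |
    Select-Object SamAccountName,
        @{ Name = 'LockedAtUtc'; Expression = { [DateTime]::FromFileTimeUtc($_.lockoutTime) } }
$withLockoutTime | Format-Table -AutoSize

# Search-ADAccount applies the domain's lockout duration, so it returns only
# accounts that are locked right now.
$currentlyLocked = Search-ADAccount -LockedOut | Select-Object -ExpandProperty SamAccountName
"Currently locked: $($currentlyLocked -join ', ')"

# Unlock by writing 0 to lockouttime, the method the text describes.
# -WhatIf previews the change; remove it to apply. 'jdoe' is a placeholder.
Set-ADUser -Identity 'jdoe' -Replace @{ lockoutTime = 0 } -WhatIf
# Unlock-ADAccount -Identity 'jdoe'   # equivalent cmdlet

# Event 4740 ("A user account was locked out") is written to the Security log of
# the PDC emulator. Its TargetDomainName field carries the caller computer name,
# which is where the stale credential (service, task, mapped drive, session) lives.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    } | Sort-Object CallerComputer, Account | Format-Table -AutoSize
```

A computer that appears repeatedly as CallerComputer for the same account is the first place to look for the cached or stale credential.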

Active Directory Locked Accounts#

How to manage Active Directory Locked Accounts.

What should you do? #

From the security perspective, Microsoft seems to be of two minds concerning whether to implement account lockout. On the one hand, on page 3 of their white paper called Account Lockout Best Practices, they recommend the following:

"Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords."

They then go on to recommend the following account lockout policies for low, medium and high security environments:

Low Security#

  • Account lockout duration = Not Defined
  • Account lockout threshold = 0 (no lockout)
  • Reset account lockout counter after = Not Defined

Medium Security#

  • Account lockout duration = 30 minutes
  • Account lockout threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

High Security#

  • Account lockout duration = 0 (an administrator must unlock the account)
  • Account lockout threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

More Information#

There might be more information for this subject on one of the following:

« This page (revision-18) was last changed on 26-Aug-2016 19:05 by jim