Active Directory Account Lockout


Active Directory Account Lockout (aka Intruder Detection) is a password-security feature of Windows Server 2000 and later that provides Intruder Detection when a certain number of failed logons due to wrong passwords occur within a certain interval of time.

The purpose behind Active Directory Account Lockout is to stop attackers from guessing a user's password by brute force: too many bad guesses and you're locked out.

To configure account lockout in a Microsoft Active Directory environment you typically use the Default Domain Policy, a Group Policy Object (GPO) linked to the domain. The relevant Group Policy settings are found under:

Computer Configuration
     Windows Settings
          Security Settings
               Account Policies
                    Account Lockout Policy

In later versions of Microsoft Active Directory, lockout settings can also be defined per user or group in an msDS-PasswordSettings object (a Password Settings Object, PSO).

Three policy settings#

The three policy settings are:

  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

A few special cases#

A few special cases are:

Some Issues to Watch Out For#

While some of these examples may seem contrived, since they assume an attacker has physical access to the network, it turns out that account lockout involves much more than just typing wrong passwords into the Log On to Windows dialog box.

Other ways accounts can get locked out include:

  • Applications using Cached and Stored Credentials that are stale.
  • Stale service account passwords cached by the Service Control Manager (SCM).
  • Stale logon credentials cached by Stored User Names and Passwords in Control Panel.
  • Scheduled tasks and persistent drive mappings that have stale credentials.
  • Disconnected Terminal Service sessions that use stale credentials.
  • Failure of Active Directory replication between domain controllers.
  • Users logging into two or more computers at once and changing their password on one of them.

Any one of the above situations can trigger an Intruder Detection condition, and the results can include applications behaving unpredictably and services failing inexplicably.
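Every lockout is processed by the PDC emulator and recorded there as Security event 4740, whose "Caller Computer Name" field points at the machine that presented the stale credential. The following script is an added example, not part of the original article: it reads those events from the PDC emulator and groups them by account and source computer, so that the stale service, scheduled task, drive mapping or disconnected session behind a recurring lockout can be tracked down. It assumes the ActiveDirectory PowerShell module (RSAT), that "Audit User Account Management" auditing is enabled on the domain controllers, and that the caller can read the Security log on the PDC emulator remotely; the `Get-LockoutSource` function name and the `-Hours` parameter are this example's own.

```powershell
# Added example (not from the original article): find which computers are generating lockouts.
# Assumes the ActiveDirectory module, account-management auditing enabled, and read access to
# the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([int] $Hours = 24)   # how far back to look (hypothetical parameter)

    # Lockouts are always processed by the PDC emulator, so its Security log is authoritative.
    $pdc = (Get-ADDomain).PDCEmulator

    # Event 4740 = "A user account was locked out". With no matching events Get-WinEvent
    # raises a terminating "No events were found" error, hence -ErrorAction SilentlyContinue.
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML rather than relying on
        # positional Properties[] indexes.
        $xml  = [xml] $e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [PSCustomObject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Usage: one machine that keeps locking the same account stands out at the top of the list.
Get-LockoutSource -Hours 24 |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once the caller computer is known, check it for the credential stores listed above (services, scheduled tasks, mapped drives, Stored User Names and Passwords, and disconnected Terminal Service sessions) rather than simply unlocking the account again; an unlock without fixing the source only buys one more observation window.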

Active Directory Account Lockout can only be triggered by the system itself; please don't confuse it with the normal Administratively Disabled operation for user accounts. You can search the directory for locked accounts.

Unlock from Active Directory Account Lockout#

The easiest unlock method is based on the lockoutTime attribute and works for all Active Directory versions since Windows Server 2000. The lockoutTime attribute holds the date and time of the account lock event.

The only value that may be written to the lockoutTime attribute is 0, which effectively unlocks the account.
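The following script is an added example, not from the original article, covering both the search for locked accounts mentioned in the section above and the lockoutTime-based unlock just described. It assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to write lockoutTime on the user objects; the function names `Get-LockedOutUser` and `Unlock-UserByLockoutTime` are this example's own.

```powershell
# Added example (not from the original article): list locked accounts and unlock them by
# writing 0 to lockoutTime. Assumes the ActiveDirectory module and write rights on lockoutTime.
Import-Module ActiveDirectory

function Get-LockedOutUser {
    # lockoutTime is a FILETIME (100 ns intervals since 1601); any value >= 1 means a lock
    # event was recorded. The attribute is only reset on the next successful logon, so this
    # filter also returns accounts whose lockout duration has already expired. Use
    # Search-ADAccount -LockedOut when you only want locks that are still in effect.
    Get-ADUser -LDAPFilter '(lockoutTime>=1)' -Properties lockoutTime, badPwdCount |
        Select-Object SamAccountName,
            @{ Name = 'LockedAt'; Expression = { [DateTime]::FromFileTime($_.lockoutTime) } },
            badPwdCount   # not replicated: this is the count on the DC that answered the query
}

function Unlock-UserByLockoutTime {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $SamAccountName
    )
    process {
        # 0 is the only value the directory accepts for lockoutTime; writing it clears the lock.
        # Unlock-ADAccount performs the same write, this shows the underlying attribute operation.
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set lockoutTime to 0')) {
            Set-ADUser -Identity $SamAccountName -Replace @{ lockoutTime = 0 }
        }
    }
}

# Usage: review the list first, preview with -WhatIf, then unlock for real.
Get-LockedOutUser | Format-Table -AutoSize
Get-LockedOutUser | Unlock-UserByLockoutTime -WhatIf
# Get-LockedOutUser | Unlock-UserByLockoutTime
```

Because the write goes to a single domain controller, the unlock takes effect elsewhere only after replication; lockoutTime and the lockout state itself are replicated urgently, but a user who retries immediately against a different DC may still see the old state for a short while.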

Active Directory Locked Accounts#

How to manage Active Directory Locked Accounts.

What should you do?#

From the security perspective, Microsoft seems to be of two minds concerning whether to implement account lockout. On the one hand, on page 3 of their white paper called Account Lockout Best Practices, they recommend the following:

"Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords."

They then go on to recommend the following account lockout policies for low, medium and high security environments:

Low Security#

  • Account lockout duration = Not Defined
  • Account lockout threshold = 0 (no lockout)
  • Reset account lockout counter after = Not Defined

Medium Security#

  • Account lockout duration = 30 minutes
  • Account lockout threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

High Security#

  • Account lockout duration = 0 (an administrator must unlock the account)
  • Account lockout threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes
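The following script is an added example, not from the original article or Microsoft's white paper: it applies the Medium Security values above to the domain default policy with the ActiveDirectory module, creates a Password Settings Object (msDS-PasswordSettings) that carries its own lockout settings for a privileged group, and shows how to check which policy actually applies to a given user. It assumes the ActiveDirectory PowerShell module, Domain Admin rights, and a group named `Tier0-Admins`; the PSO name, the group name, the user name `someuser` and the non-lockout password settings on the PSO (history, length, age, complexity) are placeholders to be adjusted to local policy.

```powershell
# Added example (not from the original article): configure lockout at domain level and via a PSO.
# Assumes the ActiveDirectory module and Domain Admin rights; names below are placeholders.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Medium Security: lock after 10 invalid attempts, for 30 minutes, counter resets after 30 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDN `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# A PSO overrides the domain default for the users and groups it is applied to; when several
# PSOs apply, the lowest Precedence wins. A PSO must carry a complete set of password settings,
# so the non-lockout values below are placeholders, not recommendations from the article.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Lockout' -Precedence 10 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 14 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90)

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Lockout' -Subjects 'Tier0-Admins'

function Get-EffectiveLockoutPolicy {
    # Returns the PSO that wins for the user, or the domain default when no PSO applies.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy -Identity $domainDN }
}

# Usage: confirm what a given account is really subject to after the changes above.
Get-EffectiveLockoutPolicy -SamAccountName 'someuser' |
    Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

The verification step matters because the three settings interact: a threshold of 10 with a 30 minute observation window means ten failures within any 30 minute span, and a stale credential retrying every few minutes will cross it long before a user notices. Test a new policy against a non-privileged pilot group before attaching it to administrators, since a High Security duration of 0 turns every stale-credential incident into a help-desk call.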

More Information#

There might be more information for this subject on one of the following: