Change Account Lockout Policy

How to Change Account Lockout Policy in AD?


The account lockout policy in an Active Directory domain automatically locks a user account when repeated failed logon attempts indicate that someone is trying to brute-force the user's password. A domain administrator configures account lockout settings through Group Policy (GPO).

By default, you can create only one password and lockout policy per AD domain. Run the Group Policy Management console (gpmc.msc), expand your domain, and find the GPO called Default Domain Policy. Right-click the object and select Edit.


In the Group Policy Editor, go to the section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.

Three account lockout policy options are available:

  • Reset account lockout counter after – the time, in minutes (1 to 99999), after which the counter of failed logon attempts is reset. We use 10 minutes here;
  • Account lockout threshold – the number of incorrect password attempts after which the Windows account is locked (0 to 999). If you set this value to 0, the account is never locked. We use 10 invalid logon attempts;
  • Account lockout duration – how long the Active Directory user account stays locked (0 to 99999 minutes). If you specify 0, the account remains locked until an administrator manually unlocks it from the Active Directory Users and Computers console or with the Unlock-ADAccount cmdlet.


After changing the Default Domain Policy, you need to wait up to 2 hours for the policy to be applied across the domain, or you can update the policy on the domain controllers manually with the gpupdate command.

Once the account is locked in AD, the user sees the following message on the computer even when entering the correct password:

The referenced account is currently locked out and may not be logged on to.


If you open the ADUC snap-in (dsa.msc) and find the user account, the Account tab shows the following caption:

Unlock account. This account is currently locked out on this Active Directory Domain Controller.


In Windows Server 2008 and newer, you can create additional password and lockout policies for individual accounts or groups. This technology is called Fine-Grained Password Policy (FGPP). It removes the limitation of earlier Windows versions, where only one password policy could be configured per domain.

FGPP policies are configured in the Active Directory Administrative Center using special Password Settings Objects (PSOs) stored in the container System > Password Settings Container.


You can create a PSO and assign a different lockout policy to a specific group of users from PowerShell:

New-ADFineGrainedPasswordPolicy -Name "Sales_PSO" -Precedence 2 -Description "Account Lockout policy for Sales dept" -DisplayName "Sales_PSO" -LockoutDuration "8:00" -LockoutObservationWindow "8:00" -LockoutThreshold 20

After that, you can assign a policy to a security group:

Add-ADFineGrainedPasswordPolicySubject -Identity "Sales_PSO" -Subjects "Sales Dept"

To verify which password policy is effective for a user, run the dsquery and dsget commands on a domain controller:

dsquery user -samid username | dsget user -effectivepso
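The PSO workflow above (create, link to a group, verify) as one added PowerShell script; this is example code, not part of the original article. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and an existing global security group named "Sales Dept"; the PSO name and values are illustrative.

```powershell
# Added example: create a PSO with a stricter lockout policy for one group,
# then show which lockout settings actually apply to each member.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights, and the
# global security group "Sales Dept" already exists (FGPP can only be
# linked to users and global security groups).
Import-Module ActiveDirectory

$PsoName   = 'Sales_PSO'
$GroupName = 'Sales Dept'

# 1. Create the PSO only if it does not exist yet (New-AD* fails on a duplicate).
#    Observation window must not exceed lockout duration, so both are 8 hours.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 2 `
        -DisplayName $PsoName -Description 'Account lockout policy for Sales dept' `
        -LockoutThreshold 20 `
        -LockoutObservationWindow (New-TimeSpan -Hours 8) `
        -LockoutDuration (New-TimeSpan -Hours 8)
}

# 2. Link the PSO to the group. A lower Precedence wins if several PSOs apply.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 3. Compare the domain default with the resultant policy for each member.
#    Get-ADUserResultantPasswordPolicy returns $null when only the
#    Default Domain Policy applies to the user.
$Default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $Effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $Source    = if ($Effective) { $Effective.Name } else { 'Default Domain Policy' }
        if (-not $Effective) { $Effective = $Default }
        [PSCustomObject]@{
            User              = $_.SamAccountName
            PolicySource      = $Source
            LockoutThreshold  = $Effective.LockoutThreshold
            ObservationWindow = $Effective.LockoutObservationWindow
            LockoutDuration   = $Effective.LockoutDuration
        }
    } | Format-Table -AutoSize

# 4. List accounts that are currently locked out. Unlock only after confirming
#    with the user that the failed attempts were theirs (shown commented out).
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
# Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount -Confirm
```

A member whose PolicySource is still "Default Domain Policy" is usually not in the group directly or via a nested global security group; check the membership before assuming the PSO is broken.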
