How to Configure Account Lockout Policy in Active Directory?

1.5K

In a networked environment, security is of paramount importance. Implementing an effective account lockout policy in Active Directory is crucial to ensuring security.

Account lockout policy helps prevent unauthorized access and brute force attacks on user accounts by automatically locking them after a certain number of failed login attempts.

In this blog post, we will explore how to configure the account lockout policy in Active Directory using various methods and how to find and unlock locked-out user accounts.

What is the Account Lockout Policy in Active Directory?

The Account Lockout Policy in Active Directory is a security feature that defines the conditions under which user accounts are automatically locked out due to multiple failed login attempts. By default, account lockout is not enabled in Active Directory, and it’s crucial to configure it properly to enhance the security of your network.

When an account is locked-out due to multiple failed logins, the user will see the following screen on the next login attempt. Depending on the account lockout policy settings, the user must contact the administrator to manually unlock the account or wait a specified number of minutes to unlock automatically.

You can implement account lockout policies in two ways: through Group Policy Object (GPO) and Password Settings Object (PSO).

Configure Account Lockout Policy via Group Policy Object (GPO)

Configuring the account lockout policy through Group Policy Objects (GPO) is an old-school but effective method. GPOs manage settings for groups of users or computers, allowing administrators to enforce policies consistently across the entire domain.

Note. Bear in mind that there can only be one account lockout policy in the domain deployed via GPO.

You can set the default account lockout policy using the Group Policy Editor and PowerShell.

Using the Group Policy Editor

Here’s how to configure the account lockout policy using the Group Policy Editor:

1. Open the Group Policy Management Console (GPMC) on your domain controller by running this command:

   gpmc.msc

2. Expand the domain, right-click on Default Domain Policy, and click Edit.
   
3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
   
4. Modify the following account lockout policy settings.
   • Account lockout threshold: This setting defines the number of failed login attempts allowed before the account gets locked out. For instance, if the threshold is set to 3, the account will be locked out after 3 consecutive failed login attempts.
   • Reset account lockout counter after: This option determines how long (in minutes) the bad logon counter resets to 0. The accepted range is 1 to 99,999 minutes.
   • For example, suppose the value is 3 (minutes). In that case, the consecutive failed login attempts within 3 minutes will increment the bad login counter and eventually lock out the account once the Account lockout threshold is reached.
   • Account lockout duration: This option specifies the length of time (in minutes) the account remains locked out after reaching the lockout threshold. The account will be automatically unlocked after this duration.
   • The accepted range is 0 to 99,999 minutes. If the value is 0 minutes, the account remains locked until an administrator unlocks it.
   • Allow Administrator account lockout: This setting determines whether the built-in Administrator account can be subject to the account lockout policy defined for other user accounts. By default, the built-in Administrator account in Active Directory is exempted from account lockout policies to ensure that administrators can always access the system even if there are multiple failed login attempts.
     In this example, we’ll configure the account lockout policy with these settings:
     • Account lockout threshold: 3 (failed login attempts)
     • Reset account lockout counter after: 99999 (minutes)
     • Account lockout duration: 0 (minutes, remains locked until unlocked by an administrator)
     • Allow Administrator account lockout: Not defined (no changes, default is disabled)
       
5. Close the Group Policy Editor and Group Policy Management windows.

Using PowerShell

You can also configure the account lockout policy using the Get-ADDefaultDomainPasswordPolicy PowerShell cmdlet. This cmdlet is included in the ActiveDirectory module installed by default on domain controllers. This command is also available on computers with the Remote Server Administration Tool (RSAT) installed.

1. Open PowerShell as an administrator on a domain controller.
2. Display the current default account lockout policy by running this command. Replace <DOMAIN> with your domain name.

   Get-ADDefaultDomainPasswordPolicy ` 
   
   -Identity <DOMAIN> | ` 
   
   Format-List DistinguishedName, LockoutThreshold, ` 
   
   LockoutDuration, LockoutObservationWindow

   The properties are explained below.

   • LockoutThreshold: This property corresponds to the “Account lockout threshold“ in the Group Policy Editor. The value defines the number of failed login attempts before the account is locked out.
   • LockoutDuration: This property corresponds to the “Account lockout duration“ in the Group Policy Editor. The value defines how long (in minutes) the account will be automatically unlocked. The accepted values are from 0 to 99999. If the value is 0, the account remains locked until an administrator unlocks it.
   • LockoutObservationWindow: This property corresponds to the “Reset account lockout counter after“ in the Group Policy Editor. This option specifies how long (in minutes) the bad logon counter resets to 0. The accepted range is 1 to 99,999 minutes.
     
3. Suppose you want to change the account lockout policy to 5 wrong attempts, reset the bad login count after 25 minutes, and automatically unlock after 20 days. Here’s the command. Replace <DOMAIN> with your domain name.

   Set-ADDefaultDomainPasswordPolicy ` 
   
   -Identity <DOMAIN> ` 
   
   -LockoutThreshold 5 ` 
   
   -LockoutDuration ([System.TimeSpan]::FromDays(20)) ` 
   
   -LockoutObservationWindow ([System.TimeSpan]::FromMinutes(25))

   

4. Display the new account lockout policy and confirm your values are as you intended. Replace <DOMAIN> with your domain name.

   Get-ADDefaultDomainPasswordPolicy ` 
   
   -Identity <DOMAIN> | ` 
   
   Format-List DistinguishedName, LockoutThreshold, ` 
   
   LockoutDuration, LockoutObservationWindow

   

Note. You can check our article on adding a UPN suffix in Active Directory or configuring the Account Lockout GPO settings in the Active Directory domain.

Will the Account Lockout Policy Change Apply Immediately?

After configuring the account lockout policy through GPO won’t apply immediately to all user accounts and computers. By default, GPO settings are updated on client computers every 90 minutes and on domain controllers every five minutes.

But you can force a group policy update on computers locally. On a client computer, open Command Prompt and run the command: gpupdate /force

Configure Account Lockout Policy using Password Setting Object (PSO)

For more granular control over the account lockout policy, you can use Password Setting Objects (PSO). PSOs allow you to define different account lockout policies for specific users or groups within a domain. This method is possible through the Fine Grained Password Policy introduced in Windows Server 2008.

This method is beneficial when different organizational units (OU) or departments require different security policies. We will explore two methods to configure the account lockout policy using PSOs:

Using the Active Directory Administration Center

Open the Active Directory Administration Center on your domain controller.

Navigate to Domain → System → Password Settings Container.

Under the Tasks pane, click New → Password Settings.

1. Enter the Password Settings Name. For example, “Account Lockout Policy – CA Finance” for the California Finance department.
2. In the Precedence, type a number representing the precedence of this password setting, where 1 has the highest precedence.
3. Uncheck every box except Enforce account lockout policy.
4. Enter the number of failed login attempts. In this example, since the Finance department handles sensitive information, we can be strict and allow only 2 failed login attempts.
5. Enter the number of minutes to Reset failed logon attempts count. In this example, let’s set it to 14400 minutes (10 days).
6. In the “Account will be locked out” section, select “Until an administrator manually unlocks the account” or “For a duration of (mins),” based on your preference.
   
7. Add the user(s) or group(s) to apply this password setting.
8. Click OK to save the password setting object.
   

You can create more Password Settings Objects to apply to other users or groups.

Using PowerShell

In this example, let’s create a PSO using PowerShell with the following settings:

• Name: “Account Lockout Policy – CA Sales”
• Apply to: “CA Sales” group
• Precedence: 2
• Lockout Threshold: 5 (failed login attempts)
• Lockout Duration: 1440 minutes (automatically unlock the account after 1 day)
• Lockout Observation Window: 60 minutes (reset the bad login count after 1 hour)

Follow these steps to create the account lockout policy PSO in PowerShell.

1. Run the below command to create the password settings object.

   $pso = @{ 
   
   Name = 'Account Lockout Policy - CA Sales' 
   
   Precedence = 2 
   
   LockoutThreshold = 5 
   
   LockoutDuration = ([System.TimeSpan]::FromMinutes(1440)) 
   
   LockoutObservationWindow = ([System.TimeSpan]::FromMinutes(60)) 
   
   } 
   
   New-ADFineGrainedPasswordPolicy @pso

   

2. Next, assign the PSO to the target Active Directory group(s) or user(s).

   $psoTarget = @{ 
   
   Identity = 'Account Lockout Policy - CA Sales' 
   
   Subjects = 'CA Sales' 
   
   } 
   
   Add-ADFineGrainedPasswordPolicySubject @psoTarget

   

3. List the Fine-Grained Password Policies that you created.

   Get-ADFineGrainedPasswordPolicy -Filter * | 
   
   Format-List Name, Precedence, LockoutThreshold, LockoutObservationWindow, LockoutDuration, AppliesTo

   You’ve successfully created the PSO using PowerShell.
   

Configuring account lockout policy through PSOs provides flexibility and targeted control over security settings.

Finding the Account Lockout Source

In some cases, a user account may get locked out repeatedly, causing inconvenience to the user and additional workload for the IT team. To resolve this issue, finding the source of the account lockout is essential. We can achieve this by checking the event logs on domain controllers.

Note. See the article at the link for more information about finding the source of user lockouts in Active Directory.

Using the Event Viewer

1. Open the Event Viewer on the domain controller holding the PDC Emulator role.
2. Look for events with Event ID 4740 in the Security event logs, which indicates an account lockout.
3. Analyze the event details to identify the source computer from which the account lockout originated. As you can see below, the event log entry shows where the account lockout originated.
   One possible reason is there could be an application running on the source computer using the cached old password.

Using PowerShell

To query event ID 4740 using PowerShell, you can use the Get-WinEvent cmdlet to access the Windows Event Log and filter for the specific event ID you are interested in. Event ID 4740 represents a user account being locked out on a Windows system.

Here’s the PowerShell command to query event ID 4740. Replace the $username value with the locked-out user’s username. In this example, we’re querying the lockout events for the mclark user account. The results will be stored in the $accountLockout variable.

$username = 'mclark' 
$accountLockout = Get-WinEvent -FilterHashtable @{ 
LogName = 'Security'; 
ID = 4740 
} | Where-Object { $_.Message -like "*$username*" } | ` 
Select-Object TimeCreated, Message

Next, display the results.

$accountLockout | Format-List

Finding and Unlocking a Locked-Out User using PowerShell

Sometimes, due to forgetfulness or other reasons, users may repeatedly enter incorrect passwords, leading to account lockout.

Related. How to Unlock User Account in Active Directory Domain?

Using the ADUC to Unlock a User Account

If a user reported an account lockout, you can find the account in the Active Directory Users and Computers console.

Open the user’s properties, and click the Account tab. Here, you can confirm that the account is currently locked out. Check the “Unlock account” box, and click OK.

While optional, the typical practice when unlocking accounts is resetting the password and enabling the “User must change password at next logon” option. This way, the user gets a temporary password and is forced to change it immediately.

Unlock a User Account using PowerShell

To unlock a user account in PowerShell, the Unlock-ADAccount cmdlet is what you must run. For example, the below command unlocks the mclark user account. This command resets the Account lockout threshold counter to 0.

Unlock-ADAccount -Identity mclark

This command returns no result if the operation is successful. It

Search and Unlock All Locked Out User Accounts using PowerShell

What if you need to unlock all locked-out accounts? That’s no problem with the Search-ADAccount –Lockedout command combined with the Unlock-ADAccount.

For example, let’s run this command and store the results in the $lockedOutUsers variable.

$lockedOutUsers = Search-ADAccount -LockedOut -UsersOnly -ResultSetSize $null | Select-Object Name, SamAccountName, ObjectClass

This PowerShell command is used to search for Active Directory (AD) user accounts currently locked out and retrieve specific properties for those accounts. Let’s break it down step by step:

• Search-ADAccount: The cmdlet used to search for user accounts in Active Directory based on specified criteria. In this case, the cmdlet searches for locked-out user accounts.
• LockedOut: This parameter filters the search results only to include accounts currently locked out.
• UsersOnly: This parameter restricts the search to user accounts only, excluding other types of AD objects like computer accounts.
• ResultSetSize $null: This parameter specifies the maximum number of results to return. Setting it to $null means that all matching results will be retrieved without any limitations on the result set size.

As you can see, this environment has two locked-out user accounts.

How do we unlock them in one sweep? In this instance, we’ll process each user through a loop, such as the ForEach-Object loop.

$lockedOutUsers | ForEach-Object { 
Unlock-ADAccount -Identity $_.SamAccountName -Verbose 
}

And that’s it! You sit back and wait for the script to finish unlocking all locked-out user accounts.

Alternatively, you can run this one-liner, which achieves the same results.

Search-ADAccount -LockedOut -UsersOnly -ResultSetSize $null | Unlock-ADAccount

Conclusion

Configuring the account lockout policy in Active Directory is crucial in enhancing network security. Whether through GPOs or PSOs, setting appropriate lockout options will help protect user accounts from unauthorized access and potential security breaches.

Additionally, promptly identifying the source of account lockouts and unlocking affected user accounts will ensure a smoother user experience and improved IT management.

By following the guidelines and best practices outlined in this blog post, you can bolster the security of your Active Directory environment and better safeguard your organization’s sensitive information.