The account lockout policy in the Active Directory domain allows you to automatically lock user account if an attempt has been made to brute-force a user password. An AD domain admin can configure account locking policies using Group Policy (GPO).
By default, you can create only one password and lockout policy in AD domain. Run the Group Policy Management console (gpmc.msc), expand your domain, and find the GPO called Default Domain Policy. Right-click on object and select Edit.
In the Group Policy Editor, go to the section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.
Three account lockout policy options are available:
- Reset account lockout counter after – this parameter sets the time after which the counter of failed authorization attempts is reset (in minutes from 1 to 99999). We use a value 10 minutes here;
- Account lockout threshold – the number of incorrect password attempts, after which the Windows account will be blocked (from 0 to 999). If you set this value to 0, then the account will never be locked. We use the value: 10 invalid logon attempts;
- Account lockout duration – Active Directory user account lockout time (from 0 to 99999 minutes). If you specify 0, then the account will be locked until the administrator manually unlocks it from the Active Directory Users and Computers console or using the Unlock-ADAccount cmdlet.
After making changes to the Default Domain Policy, you need to wait up to 2 hours to apply the policy on the domain, or you can update the policy on the DCs manually with the gpupdate command.
After locking the account in AD, the user will see a following message on the computer when entering the correct password:
The referenced account is currently locked out and may not be logged on to.
If you open the ADUC snap-in (dsa.msc), find the user account, then on the Account tab you will see the caption:
Unlock account. This account is currently locked out on this Active Directory Domain Controller.
In Windows Server 2008 and newer, you can create an additional password and lockout policies for individual accounts or groups. This technology is called Fine Grained Password Policy. This feature removes the limitation of previous versions of Windows, because before it was possible to configure only one password policy in each domain.
These FGGP policies are configured in the Active Directory Administration Center using the special password setting objects in the container System > Password Settings Container.
You can create a PSO and assign a different lockout policy to a specific group of users from PowerShell:
New-ADFineGrainedPasswordPolicy -Name “Sales_PSO” -Precedence 2 -Description “Account Lockout policy for Sales dept” -DisplayName “Sales_PSO“ - LockoutDuration "8:00" -LockoutObservationWindow "8:00" - LockoutThreshold 20
After that, you can assign a policy to a security group:
Add-ADFineGrainedPasswordPolicySubject -Identity "Sales_PSO" -Subjects "Sales Dept"
To verify which password policy is applied to the user, use the following command dsquery and dsget on the domain controller:
dsquery user -samid username | dsget user -effectivepso