The account lockout policy in an Active Directory domain lets you automatically lock a user account when someone appears to be brute-forcing its password. Domain controllers track failed logon attempts per user and, once the configured threshold is exceeded, lock the account for a specified period of time in response to the potential attack. This significantly reduces the risk of user passwords being guessed by automated tools and malicious bots. In this article, we will show you how to configure and manage account lockout policies in an Active Directory domain.
An AD domain admin can configure account locking policies using Group Policy (GPO) and/or Password Setting Object (PSO).
By default, a domain has a single password and lockout policy, defined in the Default Domain Policy GPO. Run the Group Policy Management console (gpmc.msc), expand your domain, and find the GPO called Default Domain Policy. Right-click on the object and select Edit.
In the Group Policy Editor, go to the section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.
Three account lockout policy options are available:
- Reset account lockout counter after — the number of minutes after which the counter of failed logon attempts is reset to 0 (from 1 to 99999 minutes). We use a value of 10 minutes here. If you set this value too high, legitimate users will have to wait a long time before their account is automatically unlocked. You must balance this against the cost of help desk calls for password resets and unlocks.
- Account lockout threshold — the number of incorrect password attempts after which the Windows account is locked out (from 0 to 999). If you set this value to 0, the account will never be locked out. We use 10 invalid logon attempts here.
- Account lockout duration — Active Directory user account lockout time (from 0 to 99999 minutes). If you specify 0, then the account will be locked until the administrator manually unlocks it from the Active Directory Users and Computers console or using the Unlock-ADAccount cmdlet.
Hint. You can list the current default domain lockout policy settings using PowerShell:
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutDuration, LockoutObservationWindow, LockoutThreshold
After making changes to the Default Domain Policy, you need to wait up to 2 hours for the new Group Policy settings to be applied to the domain controllers and computers, or you can update the policy on the DCs manually with the gpupdate command.
After locking the account in AD, the user will see the following message on the computer when entering the correct password:
The referenced account is currently locked out and may not be logged on to.
If you open the ADUC snap-in (dsa.msc), find the user account, then on the Account tab you will see the caption:
Unlock account. This account is currently locked out on this Active Directory Domain Controller.
When a user account is locked out, the event ID 4740 is logged in the Security Event Viewer log on a domain controller with the PDC Emulator role. You can filter events by the EventID to get the account’s lockout history in AD.
A domain administrator or account operator can manually unlock a user account. To do this, check the Unlock account box on the Account tab and save the Active Directory user settings. This resets the account lockout counter to 0, and the user can then sign in without waiting for the time specified in Account lockout duration to pass.
You can also unlock an account with the following PowerShell command:
Unlock-ADAccount -Identity j.brion
Hint. To find all currently locked user accounts in a domain, run the command:
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName
Use the following pipeline to unlock all user accounts immediately:
Search-ADAccount -LockedOut | Unlock-ADAccount
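Filtering event ID 4740 by hand in Event Viewer gets tedious once lockouts happen regularly. The following script is an added example, not part of the original article: it collects the 4740 events from the PDC Emulator for the last 24 hours, reads the locked-out user and the caller computer name from each event, and produces one row per user with the number of lockouts, the originating computers and whether the account is still locked. It assumes the RSAT ActiveDirectory module, read access to the PDC Emulator's Security log over the network, and that "Audit User Account Management" is enabled on the domain controllers (it is by default for success events).

```powershell
# Added example (not from the original article): summarise account-lockout events
# (ID 4740) from the PDC Emulator by user and originating computer.
# Assumptions: RSAT ActiveDirectory module, remote read access to the PDC's
# Security log, and User Account Management auditing enabled on the DCs.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-1)

# -FilterHashtable filters on the DC side, which is far faster than pulling the
# whole Security log and piping it through Where-Object.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of relying on
    # positional Properties[] indexes, which differ between event IDs.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time           = $e.TimeCreated
        User           = $data['TargetUserName']
        # In a 4740 event the "Caller Computer Name" field is stored as TargetDomainName
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $data['SubjectUserName']
    }
}

# One row per user: lockout count, where the bad passwords came from, last lockout
# time, and whether the account is still locked right now.
$lockouts |
    Group-Object User |
    ForEach-Object {
        $user = $_.Name
        $adUser = Get-ADUser -Identity $user -Properties LockedOut -ErrorAction SilentlyContinue
        [pscustomobject]@{
            User        = $user
            Lockouts    = $_.Count
            Sources     = ($_.Group.CallerComputer | Sort-Object -Unique) -join ', '
            LastLockout = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            StillLocked = if ($adUser) { $adUser.LockedOut } else { 'unknown' }
        }
    } |
    Sort-Object Lockouts -Descending |
    Format-Table -AutoSize
```

The Sources column is usually the most useful part of the report: one account locked repeatedly from a single computer normally points to a stale cached credential, a scheduled task or a mapped drive on that host, whereas many different accounts locked from the same source in a short window should be treated as a brute-force attempt and investigated at that source before the accounts are unlocked.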
In Windows Server 2008 and newer, you can create additional password and lockout policies for individual accounts or groups. This technology is called Fine-Grained Password Policy (FGPP). It removes a limitation of previous versions of Windows, where only one password policy could be configured per domain.
These FGPP policies are configured in the Active Directory Administrative Center using special Password Settings Objects (PSO) in the container System > Password Settings Container.
You can create a PSO and assign a different lockout policy to a specific group of users with PowerShell:
New-ADFineGrainedPasswordPolicy -Name "Sales_PSO" -Precedence 2 -Description "Account Lockout policy for Sales dept" -DisplayName "Sales_PSO" -LockoutDuration "8:00" -LockoutObservationWindow "8:00" -LockoutThreshold 20
After that, you can assign a policy to a security group:
Add-ADFineGrainedPasswordPolicySubject -Identity "Sales_PSO" -Subjects "Sales Dept"
If you are using a fine-grained password policy and have assigned a PSO to a domain user or group, note that the password and lockout settings from the FGPP always take precedence over the settings from the Default Domain Policy GPO.
To verify which password policy is applied to a user, use the dsquery and dsget commands on the domain controller:
dsquery user -samid username | dsget user -effectivepso
You can assign multiple lockout policies to a single user account in Active Directory. For example, some settings are managed by the Default Domain Policy, others from the PSO assigned to the user’s security group, and still others are assigned directly to the user. In this case, you can use the Get-ADUserResultantPasswordPolicy PowerShell cmdlet to get the resulting lockout policy settings in effect for the user:
Get-ADUserResultantPasswordPolicy -Identity username | select-object LockoutDuration, LockoutObservationWindow, LockoutThreshold
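Checking one user at a time with Get-ADUserResultantPasswordPolicy does not show where PSO precedence has quietly changed the lockout rules for a whole group, or which accounts end up with a threshold of 0 and therefore can never be locked out. The script below is an added example, not part of the original article: it walks every enabled user, takes the winning PSO if one applies and falls back to the Default Domain Policy otherwise, and reports the effective lockout settings per account together with the accounts that are exempt from lockout. It assumes the RSAT ActiveDirectory module and a domain-joined session; the exact behaviour of Get-ADUserResultantPasswordPolicy when no PSO applies (an empty result) is handled by the fallback.

```powershell
# Added example (not from the original article): report the lockout policy that is
# actually in effect for every enabled user, including PSO overrides and accounts
# that cannot be locked out at all (LockoutThreshold = 0).
# Assumptions: RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domainPolicy = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true') {
    # Returns the PSO that wins by precedence for this user, or nothing when no
    # PSO applies, in which case the Default Domain Policy governs the account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    $effective = if ($pso) { $pso } else { $domainPolicy }

    [pscustomobject]@{
        User              = $u.SamAccountName
        Source            = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
        LockoutThreshold  = $effective.LockoutThreshold
        LockoutDuration   = $effective.LockoutDuration
        ObservationWindow = $effective.LockoutObservationWindow
        NeverLocksOut     = ($effective.LockoutThreshold -eq 0)
    }
}

# Accounts that can never be locked out deserve a second look: privileged accounts
# in particular should not be exempt from the threshold.
"Accounts with no lockout threshold:"
$report | Where-Object NeverLocksOut | Format-Table User, Source -AutoSize

# How many users each policy (domain GPO or PSO) governs, with its thresholds
"Effective policies by source:"
$report |
    Group-Object Source |
    ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        [pscustomobject]@{
            Source            = $_.Name
            Users             = $_.Count
            LockoutThreshold  = $first.LockoutThreshold
            LockoutDuration   = $first.LockoutDuration
            ObservationWindow = $first.ObservationWindow
        }
    } | Format-Table -AutoSize
```

Run this after creating or re-prioritising a PSO: because the lowest Precedence value wins when a user is covered by several PSOs, a new policy aimed at one department can end up overriding a stricter policy that was meant to apply to administrators who happen to be members of both groups, and the per-source summary makes that visible immediately.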