Account Lockout Policy determines what happens when a user enters a wrong password. It ensures that an attacker can’t use a brute force attack or dictionary attack to guess and crack the user’s password. To edit the Account Lockout Policy settings, do the following:
The three settings available under the Account Lockout Policy are Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter After.
Account Lockout Duration: This security setting determines the number of minutes a locked-out account remains locked before it is automatically unlocked. The value can be set between 0 and 99,999 minutes. This setting requires the Account Lockout Threshold setting to be defined.
If the value is set to 0, then the account will not be unlocked automatically. The administrator has to unlock the account explicitly. By default, this setting is disabled. To unlock the account:
Account Lockout Threshold: This security setting determines the number of failed logon attempts that are allowed before a user account is locked out.
For example, when an attacker enters a wrong password for the first time, the badPwdCount attribute of the user object is set to 1. Each further wrong password increments badPwdCount by 1 until it reaches the account lockout threshold, at which point the account is locked. A locked-out account cannot be used to log on until the account lockout duration expires or an administrator explicitly unlocks the account.
The value can be set between 0 and 999. If the value is set to 0, the account will never be locked out. The default value is 0.
Reset Account Lockout Counter After: This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon counter is reset to 0. The value can be set between 1 and 99,999 minutes. This setting requires the Account Lockout Threshold setting to be defined.
If the Account Lockout Threshold is defined, the Reset Account Lockout Counter After value must be less than or equal to the Account Lockout Duration.
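The interaction of the three settings (badPwdCount incrementing up to the threshold, the counter reset window, automatic unlock after the lockout duration, and the two special cases of threshold 0 and duration 0) is easier to reason about as a small model. The following is an added example, not part of the original page or of Windows itself; the policy values and attempt timeline are constructed, and times are in minutes relative to the first attempt.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    threshold: int        # failed logons before lockout; 0 = never lock out
    duration_min: int     # minutes an account stays locked; 0 = admin must unlock
    reset_after_min: int  # minutes after a failure before badPwdCount returns to 0

@dataclass
class AccountState:
    bad_pwd_count: int = 0               # models the badPwdCount attribute
    last_bad_time: Optional[int] = None  # minute of the most recent failed logon
    locked_at: Optional[int] = None      # minute the account was locked, if any

def is_locked(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    """Report lockout status, applying automatic unlock once the duration expires."""
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:         # 0 = stays locked until an admin unlocks it
        return True
    if now - state.locked_at >= policy.duration_min:
        state.locked_at, state.bad_pwd_count = None, 0
        return False
    return True

def attempt(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Process one logon attempt at minute `now`; returns 'locked', 'success' or 'failure'."""
    if is_locked(policy, state, now):
        return "locked"
    if password_ok:
        state.bad_pwd_count = 0
        return "success"
    # Reset window elapsed since the last failure: the counter goes back to 0 first.
    if state.last_bad_time is not None and now - state.last_bad_time >= policy.reset_after_min:
        state.bad_pwd_count = 0
    state.bad_pwd_count += 1
    state.last_bad_time = now
    if policy.threshold and state.bad_pwd_count >= policy.threshold:
        state.locked_at = now
        return "locked"
    return "failure"

def admin_unlock(state: AccountState) -> None:
    """Explicit unlock by an administrator; also clears the failed logon counter."""
    state.locked_at, state.bad_pwd_count = None, 0

def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run a constructed (minute, password_ok) timeline and return each outcome."""
    state = AccountState()
    return [attempt(policy, state, now, ok) for now, ok in attempts]
```

With threshold 3 and duration 30, three failures at minutes 0, 1 and 2 lock the account, a correct password at minute 10 is still rejected, and one at minute 32 succeeds because the duration has expired.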