How to Change Account Lockout Policy using Group Policy Objects in Active Directory

Changing the Active Directory Account Lockout Policy 

Introduction to Active Directory Account Lockout Policy

Account lockout policies are used by IT administrators to lock out an Active Directory account after multiple unsuccessful sign-in attempts. The assumption is that these unsuccessful attempts might be due to a brute force attack, and the account is locked out as a measure to prevent attackers from breaching the network. The account stays locked for a predetermined period of time once the number of unsuccessful attempts exceeds a certain value. While this helps to prevent unauthorized entry into the network, it also poses some difficulties for administrators. Besides wrong password attempts and brute force attacks, there are several other reasons that can cause a user to get locked out. Some of these causes include:
  1. Programs that cache credentials
  2. Password resets for service accounts
  3. Low threshold for bad passwords
  4. User logged on to multiple computers
  5. Scheduled tasks
  6. Persistent drive mappings
  7. Active Directory replication
Hence the account lockout policy must be set in such a way that it accommodates all these causes and reduces the workload of the administrators. The settings involved are discussed in the following sections.

Account Lockout Policy Settings in Active Directory

There are three basic account lockout policy settings in Active Directory. These can be configured by the administrator to suit the needs of the organization. They are account lockout duration, account lockout threshold, and reset account lockout counter after. These settings are discussed as follows.
 
Account Lockout Duration
The Account lockout duration policy setting is used to determine the time duration for which an account will remain locked out after a certain number of failed sign-in attempts, before getting unlocked automatically. It is defined in minutes and the available range of values is from 0 through 99,999. If the value is set to 0, then the account will be locked out until it is unlocked explicitly by the administrator.
 
The Account lockout threshold value specifies the number of failed sign-in attempts after which the account will be locked for the Account lockout duration. Hence the Account lockout duration is always used in combination with the threshold. Together they increase the difficulty of automated password guessing attempts. For instance, if the lockout threshold is set to 3 and the lockout duration is set to 30, the user will be locked out for 30 minutes after 3 failed attempts. It is recommended to set the Account lockout duration to approximately 15 minutes.
 
Account Lockout Threshold
The Account lockout threshold policy setting is used to determine the number of failed logon or sign-in attempts after which the account will be locked out. The account remains locked for a period of time specified by the Account lockout duration, or until the account is reset. It is defined using the number of failed sign-in attempts and the available range of values is from 0 through 999. If the value is set to 0, then the account will never be locked out. The default value is set to 0.
 
Limiting the number of failed attempts helps control brute force attacks. However, this also poses the risk of the attacker potentially locking every account in an organization. Hence the organization should set a lockout threshold value depending on their risk level. A starting value of 10 is the recommended account lockout threshold value for most organizations.
 
Reset Account Lockout Counter After
The Reset Account Lockout Counter After policy setting is used to determine the time duration after which the failed logon counter is set to 0. In other words, it defines the number of minutes that elapse from the time the user fails to log on before the failed logon counter is set to 0. It is defined in minutes and the available range of values is from 1 through 99,999. This setting is also used in combination with the account lockout threshold. If the account lockout threshold is set to a value greater than zero, then this value must be set such that it is less than or equal to the account lockout duration.
 
Setting a high value locks out the users for a long period of time if the lockout threshold is exceeded. For instance, consider that the Reset account lockout counter after value is set to 5 minutes and the lockout threshold is set to 3 attempts. The counter starts with the first failed attempt. The account gets locked out if the user fails 3 times consecutively within 5 minutes. However, if fewer than 3 failed attempts occur within those 5 minutes, the counter is reset to 0 and starts again from the next failed login attempt.

Changing Account Lockout Policy in Active Directory using GPMC

The Account lockout policies can be configured and edited by an Active Directory Domain Administrator using Group Policy Objects (GPO). This can be done using the Group Policy Management Console (GPMC).

Installing the Group Policy Management Console (GPMC)
The Group Policy Management Console can be installed using the instructions given below.
On Windows Server 2008 and 2008 R2:
  1. Open the Start menu and navigate to Control Panel -->Programs and Features -->Turn Windows Features on or off.
  2. From the left pane of the Server Manager dialog box, select Features.
  3. Click on Add Features and select Group Policy Management.
  4. Click Install to complete the process.
On Windows Server 2012 and higher versions:
  1. Open the Start menu and navigate to Control Panel -->Programs and Features -->Turn Windows Features on or off.
  2. From the left pane of the Add Roles and Features Wizard dialog box, select Group Policy Management from the Features tab.
  3. Click on Next to proceed to the confirmation page.
  4. Click Install to complete the process.

Changing the Account Lockout Policy

  1. Open the Group Policy Management Console (GPMC). This can be done by navigating to Start -->Run and typing gpmc.msc.
  2. Choose the domain for which the policies need to be edited and double click to expand it.
  3. Find the GPO named Default Domain Policy. Right-click on it and select the Edit option.
  4. In the Group Policy Editor console, navigate to Computer Configuration -->Policies -->Windows Settings -->Security Settings -->Account Policies -->Account Lockout Policy.
  5. Double click on Account Lockout Policy and choose the policy that needs to be edited.
  6. Right-click on the required property and select Properties.
  7. The policy values can be viewed and edited under the Security tab.
  8. Check the Define this Policy Setting option, enter the desired values, and click OK.
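The same three settings described in the previous section can be inspected and checked from PowerShell before they are changed. The script below is an added example, not part of the original article: it validates a proposed set of values against the ranges and the "reset counter must not exceed lockout duration" rule given above, reads the domain's current values, and shows how they would be applied. It assumes the RSAT ActiveDirectory module on a domain-joined machine with Domain Admin rights; the proposed values are constructed for the example.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module is installed and the session has rights to read and change domain policy.
Import-Module ActiveDirectory

function Test-LockoutPolicyValues {
    param(
        [int]$Threshold,      # failed attempts before lockout, 0 = never lock out
        [int]$DurationMin,    # minutes locked out, 0 = until an administrator unlocks
        [int]$ResetAfterMin   # minutes before the bad-password counter resets to 0
    )
    $problems = @()
    if ($Threshold -lt 0 -or $Threshold -gt 999)           { $problems += 'Threshold must be 0-999' }
    if ($DurationMin -lt 0 -or $DurationMin -gt 99999)     { $problems += 'Duration must be 0-99999 minutes' }
    if ($ResetAfterMin -lt 1 -or $ResetAfterMin -gt 99999) { $problems += 'Reset counter must be 1-99999 minutes' }
    # Rule from the settings section: with a threshold set, the reset window must be
    # <= the lockout duration (a duration of 0 means "until unlocked", so it is exempt).
    if ($Threshold -gt 0 -and $DurationMin -gt 0 -and $ResetAfterMin -gt $DurationMin) {
        $problems += 'Reset counter must be less than or equal to the lockout duration'
    }
    if ($Threshold -eq 0) {
        Write-Warning 'Threshold 0: accounts will never lock out, so password guessing is not slowed'
    }
    return $problems
}

# Current effective values on the domain object (what the Default Domain Policy wrote there)
$domain  = (Get-ADDomain).DNSRoot
$current = Get-ADDefaultDomainPasswordPolicy -Identity $domain
'Current: threshold={0} duration={1}min reset={2}min' -f $current.LockoutThreshold,
    $current.LockoutDuration.TotalMinutes, $current.LockoutObservationWindow.TotalMinutes

# Proposed values (constructed for this example), checked before anything is changed
$proposed = @{ Threshold = 10; DurationMin = 15; ResetAfterMin = 15 }
$errors = Test-LockoutPolicyValues @proposed
if ($errors) { $errors | ForEach-Object { Write-Error $_ }; return }

# -WhatIf shows the change without committing it; remove it to apply. If the Default
# Domain Policy GPO defines these settings, it rewrites them on the next policy refresh,
# so the GPMC steps above remain the authoritative place to make a lasting change.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold $proposed.Threshold `
    -LockoutDuration (New-TimeSpan -Minutes $proposed.DurationMin) `
    -LockoutObservationWindow (New-TimeSpan -Minutes $proposed.ResetAfterMin) -WhatIf
```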

Account Lockout Policy Best Practices

As mentioned earlier, the account lockout policy settings need to be implemented with careful consideration. The organization needs to assess the risk levels and choose the optimum values that suit their requirements. The following are considered to be the recommended values.
Set the Account lockout threshold to 20 failed attempts, the Account lockout duration to 15 minutes, and the Reset account lockout counter after value to 30 minutes.
