JSI Tip 8704. How do I set account lockout policies in Windows 2000 using ADSI Edit?

Account lockout policies can be set for domain accounts or local user accounts to help secure your network when a designated number of failed logon attempts occurs within a designated time frame. When an account is locked out, the user cannot log on until the lockout period expires.

NOTE: In Windows NT 4.0, you can use the Passprop.exe utility from the Windows NT 4.0 Server Resource Kit.

NOTE: If you haven't installed the ADSI Edit snap-in, see How do I install the Windows 2000 Support Tools to a Windows 2000 Server?

To set the account lockout policy using ADSI Edit:

1. Open ADSI Edit (Start / Run / ADSIEdit.msc / OK).

2. Expand Domain [<ServerName>.<Your_Domain_Name>].

3. Right-click DC=<DomainName>,DC=<DomainSuffix> and press Properties.

4. In the Attribute list, select pwdProperties.

5. If required, press Edit.

6. Type one of the following Values:

0  Passwords can be simple, and the administrator account cannot be locked out.
1  Passwords must be complex, and the administrator account cannot be locked out.
8  Passwords can be simple, and the administrator account can be locked out.
9  Passwords must be complex, and the administrator account can be locked out.

7. If a Set button exists, press Set, press Apply, press OK. If no Set button exists, press OK and press Apply.

8. Quit the ADSI Edit snap-in.
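The four values in step 6 are combinations of two bits in a bitmask (1 = complex passwords, 8 = administrator lockout). The following added example, which is not part of the original tip, decodes a pwdProperties value and computes a new one that changes only those two bits, going beyond the tip by also naming the remaining bits. The flag names are the DOMAIN_PASSWORD_* constants from the Windows SDK and do not appear in the tip; the function names and sample values are constructed for illustration.

```python
# Flag names and values follow the DOMAIN_PASSWORD_* constants in the
# Windows SDK (an addition; the tip itself only lists values 0, 1, 8, 9).
FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
COMPLEX, LOCKOUT_ADMINS = 0x01, 0x08


def decode(value):
    """Return the names of every flag set in a pwdProperties value."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    unknown = value & ~sum(FLAGS)  # bits outside the table above
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def new_value(current, complex_passwords, admin_lockout):
    """Change only the two bits the tip covers; keep every other bit."""
    value = current & ~(COMPLEX | LOCKOUT_ADMINS)
    if complex_passwords:
        value |= COMPLEX
    if admin_lockout:
        value |= LOCKOUT_ADMINS
    return value


def audit(value):
    """List the weaker settings, in the tip's own terms."""
    findings = []
    if not value & COMPLEX:
        findings.append("passwords can be simple")
    if not value & LOCKOUT_ADMINS:
        findings.append("administrator account cannot be locked out")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the tip's four, plus one with an extra bit set.
    for sample in (0, 1, 8, 9, 3):
        print(sample, decode(sample), audit(sample))
    # Typing 9 over an existing 3 would silently clear bit 0x02;
    # new_value() keeps it and yields 11 instead.
    print(new_value(3, complex_passwords=True, admin_lockout=True))
```

Read the attribute's current value in step 4 before editing: if it is not one of 0, 1, 8 or 9, other bits are set and typing one of those four values will clear them.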


