
Understanding Windows' Account Lockout Security Feature

A: From its early versions, Windows has come with a security feature known as account lockout. Windows account lockout ensures that domain user accounts automatically become unusable when a user has entered a certain number of bad passwords. The bad password threshold is defined by a domain administrator in the account lockout security policy. Account lockout protects against account spoofing and hijacking.

When an account is locked out, only an administrator can unlock it. To do so, the administrator must open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and clear the “Account is locked out” checkbox in the Account tab of the Account Properties. Don't confuse account lockout with the disabling of an account. The latter is the consequence of an explicit action performed by the administrator; it doesn’t occur automatically as the result of, for example, a set of security policy settings.

Figure 1 illustrates the Windows Server 2003 and Windows 2000 Server account lockout process. In this process, a domain’s PDC emulator plays a key role.

  1. A user attempts to log on to a Windows domain using a wrong password.
  2. The authenticating DC detects the incorrect password. To make sure that the user really entered an incorrect password--and that the problem isn't caused by Active Directory (AD) replication latency--the authenticating DC double-checks with the domain’s PDC emulator.
  3. The PDC emulator checks the password and determines that it's wrong. The PDC emulator increments by 1 the BadPwdCount attribute in the user account object’s properties.
  4. The PDC emulator informs the authenticating DC that the user’s password was wrong.
  5. The authenticating DC updates the BadPwdCount attribute in its local AD copy of the user account object.
  6. The system informs the user that he provided an incorrect password.

If the user’s BadPwdCount property exceeds the value defined in the Account Lockout Threshold of the domain’s lockout policy (as explained later), the user’s account will be marked as locked out. The BadPwdCount property is automatically reset to 0 when the user enters a correct password following a set of bad password entries.

In Windows 2003, the DCs also perform a password history check before a user’s BadPwdCount attribute is incremented. The password that the user provides is checked against the two last passwords in the user object’s password history (stored in the NtPwdHistory AD user object attribute).

In addition to the BadPwdCount property, every Windows 2003 AD user account object also has the BadPasswordTime account lockout-related property. The BadPasswordTime property contains the last time the user, machine, or service submitted a bad password to the authenticating DC. Neither the BadPwdCount nor the BadPasswordTime property is replicated between all DCs; the authenticating DC replicates them only to the PDC emulator of the domain.

In Windows 2000 and later domains, the account lockout policy settings are set from the account lockout portion of a domain Group Policy Object (GPO). They're located in the Computer Configuration\Windows Settings\Security Settings\Account Policies GPO container. Like other account policies (e.g., password and Kerberos policies), you can apply them only at the Windows domain level. Table 1, below, shows a set of recommended values for the account lockout policy settings.

To make sure that account policies (including account lockout policies) are always evaluated (i.e., to make sure that logging on using cached credentials won’t work), it’s also advisable to use the “Interactive logon: require domain controller authentication to unlock workstation” GPO setting (also known as the forceunlocklogon registry hack).

Table 1

Account Lockout Policy Setting: Account lockout duration (ObservationWindow)
  Value: 0-9999 minutes (defaults to 30)
  Recommended value: 30
  Meaning: Specifies the amount of time after which an account's badPwdCount attribute is reset.

Account Lockout Policy Setting: Account lockout threshold (LockoutThreshold)
  Value: 0-999 invalid logon attempts (defaults to 0)
  Recommended value: 10
  Meaning: Specifies the number of times a user can send a bad password to the authentication service before the account is locked out. An "account lockout threshold" with value 0 means that account lockouts are disabled in the domain.

Account Lockout Policy Setting: Reset account lockout after (LockoutDuration)
  Value: 0-99999 minutes (defaults to 30)
  Recommended value: 30 (for environments with normal security requirements) and 0 (for environments with high security requirements)
  Meaning: Specifies the amount of time that lockout is enforced on an account that has exceeded the Account lockout threshold value. If "reset account lockout after" is set to 0, it means that a locked-out account remains locked out forever.
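
Because the bad-password counters are replicated only to the PDC emulator and not between all DCs, a lockout investigation has to read them from each DC in turn. The following PowerShell is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module (which postdates the Windows versions discussed here), and the function name Get-LockoutCounterPerDC and the account jdoe are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read one account's lockout counters from every DC in the domain.
# Assumes the ActiveDirectory module and read access to each domain controller.

function Get-LockoutCounterPerDC {
    param(
        # sAMAccountName, distinguished name, SID or GUID of the account
        [Parameter(Mandatory)] [string] $Identity
    )

    $pdc    = (Get-ADDomain).PDCEmulator            # FQDN of the PDC emulator
    $policy = Get-ADDefaultDomainPasswordPolicy     # domain-level lockout policy

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server forces the read against this DC's own copy of the object.
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties badPwdCount, badPasswordTime, LockedOut `
                     -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # badPasswordTime is a FILETIME; 0 or empty means this DC has seen no bad password.
        $lastBad = if ($u.badPasswordTime) {
            [DateTime]::FromFileTimeUtc($u.badPasswordTime)
        } else { $null }

        [pscustomobject]@{
            DC              = $dc.HostName
            IsPdcEmulator   = ($dc.HostName -eq $pdc)
            BadPwdCount     = [int]$u.badPwdCount
            LastBadPwdUtc   = $lastBad
            LockedOut       = [bool]$u.LockedOut
            PolicyThreshold = $policy.LockoutThreshold
        }
    }
}

# 'jdoe' is a placeholder account name.
Get-LockoutCounterPerDC -Identity 'jdoe' |
    Sort-Object LastBadPwdUtc -Descending |
    Format-Table -AutoSize
```

The DC with the most recent LastBadPwdUtc, other than the PDC emulator, is the one that received the failing logons and is where to look in the Security event log for their source.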