Understanding Windows' Account Lockout Security Feature

A: From its early versions, Windows has come with a security feature known as account lockout. Windows account lockout assures that domain user accounts automatically become unusable when a user has entered a certain number of bad passwords. The bad password threshold is defined by a domain administrator in the account lockout security policy. Account lockout protects against account spoofing and hijacking.When an account is locked out, only an administrator can unlock it. To do so, the administrator must open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and clear the “Account is locked out” checkbox in the Account tab of the Account Properties.Don't confuse account lockout with the disabling of an account. The latter is the consequence of an explicit action performed by the administrator; it doesn’t occur automatically following, for example, a set of security policy settings. Figure 1 illustrates the Windows Server 2003 and Windows 2000 Server account lockout process. In this process, a domain’s PDC emulator plays a key role.

If the user’s BadPwdCount property exceeds the value defined in the Account Lockout Threshold of the domain’s lockout policy (as explained later), the user’s account will be marked as locked out. The BadPwdCount property is automatically reset to 0 when the user enters a correct password following a set of bad password entries.In Windows 2003, the DCs also perform a password history check before a user’s BadPwdCount attribute is incremented. The password that the user provides is checked against the two last passwords in the user object’s password history (stored in the NtPwdHistory AD user object attribute).In addition to the BadPwdCount property, every Windows 2003 AD user account object also has the BadPasswordTime account lockout-related property. The BadPasswordTime property contains the last time the user, machine, or service submitted a bad password to the authenticating DC. Both the BadPwdCount and the BadPasswordTime property aren't replicated between all DCs. The authenticating DC replicates it only to the PDC emulator of the domain.A Windows 2000 and later domain’s account lockout policy settings are set from the account lockout portion of a domain Group Policy Object (GPO). They're located in the Computer ConfigurationWindows SettingsSecurity SettingsAccount Policies GPO container. Like other account policies (e.g., password and Kerberos policies), you can apply them only at the Windows domain level.Table 1, below, shows a set of recommended values for the account lockout policy settings. To make sure that account policies (including account lockout policies) are always evaluated (i.e., to make sure that logging on using cached credentials won’t work), it’s also advisable to use the “Interactive logon: require domain controller authentication to unlock workstation” GPO setting (also known as the forceunlocklogon registry hack).