Account Lockout Policy: Configuration Guide

by Robert Allen

In this guide, you will learn about the three account lockout policy settings and how to properly configure each policy setting.

I’ll be referring to the recommended account lockout policy settings from both the Windows Security Baseline (aka Microsoft Security Toolkit) and the CIS benchmarks.

Table of contents:

What are Account Lockout Policies?

An account lockout policy is a set of three group policy settings that control when and for how long a user account is to be locked out.

This policy is critical for security as it can help prevent malicious users or hackers from accessing your account and computer systems.

What is a lockout?

When you have an account lockout policy configured a user account will be locked out after so many failed login attempts.

For example, if a hacker entered the wrong password three times the account would be locked out if there is a properly configured lockout policy. This helps to prevent unauthorized access to your network. If no policy is configured or was incorrectly configured a hacker could keep guessing an account’s password.

By default, Active Directory has no account lockout policy.

In the next section, I’ll go over each policy setting, the default value, and the recommended settings.

Related: How to Find the Source of Account Lockouts

Account Lockout Policy Settings and Best Practices

In group policy the lockout policy settings are located at:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

Here is a screenshot of the default settings. By default, these policy settings are not defined.

It’s common for these settings to be configured using the Default Domain Policy GPO, but you can add them to a new or existing GPO. It’s up to you.

Account Lockout Duration

The account lockout duration setting determines the number of minutes that an account is locked out before it automatically unlocks.

If you set this policy to 0 then the account will not automatically unlock and must be unlocked manually by an administrator.

For example, if the account lockout duration was set to 15 minutes and the user “joe.smith” became locked out. It would automatically unlock after 15 minutes.

Recommended settings:

  • Windows Security Baseline: 15 minutes
  • CIS Benchmarks: 15 or more minutes

Account lockout threshold

The account lockout threshold setting determines the number of failed logon attempts that caused a user account to be locked out.

When an account is locked-out, it cannot be used until it is manually reset or automatically reset by the lockout duration policy.

For example, if the lockout threshold was set to 5 and the user “joe.smith” tried to logon 5 times with the wrong password, the account would be locked. And Joe would not be able to logon until the account was manually unlocked by an administrator or reset by the lockout duration policy.

Recommended settings:

  • Windows Security Baseline: 10
  • CIS Benchmarks: 5 or fewer but not 0

Microsoft says:

The threshold that you select is a balance between operational efficiency and security, and it depends on your organization’s risk level. To allow for user error and to thwart brute force attacks, Windows security baselines recommend a value of 10 could be an acceptable starting point for your organization.

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold

In my opinion, I think 10 allows too many password attempts. I would instead recommend 5 or fewer for the lockout threshold.

Reset Account Lockout Counter After

This policy setting determines the time in minutes that the failed logon attempt counter resets to 0 bad logon attempts.

For example, if the user “joe.smith” tries to logon and enters the wrong password, this will increment the failed logon attempt counter. This policy will reset that counter to 0.

It is recommended that this policy is set to less than or equal to the account lockout duration.

Recommended settings:

  • Windows Security Baseline: 15 minutes
  • CIS Benchmarks: 15 or more minutes

So now that you know what each setting does and its recommended settings, let’s walk through creating an account lockout policy.

How to Create an Account Lockout Policy

For these steps, I’ll use the CIS benchmark’s recommended settings.

Step 1: Check Account Lockout Policy with PowerShell

It is a good idea to check your domain’s current lockout policy before modifying or creating a new one.

You can easily do this with the below PowerShell command.

Get-ADDefaultDomainPasswordPolicy | Select LockoutDuration,LockoutObservationWindow,LockoutThreshold | FL

The screenshot below is from my test lab.

Step 2: Edit the Default Domain Policy

If you prefer, you can add these settings to another GPO or create a new one. Microsoft by default includes a password policy in the default domain policy, so I like to keep the lockout policy in the same GPO.


Step 3: Modify the Account Lockout Policy

In the default domain policy navigate to the account lockout policy section.

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

To modify each policy setting just double-click the policy to edit its settings. For example, I opened the “Account lockout duration”, entered 30, and clicked ok.

Set the 3 policy settings to your requirements. Again, I’ll use the CIS benchmark recommended settings.

  • Account lockout duration: 30 minutes
  • Account lockout threshold: 5 invalid logon attempts
  • Reset account lockout counter after: 30 minutes

Once completed, all 3 policy settings should then be defined.

Step 4: Test the Account Lockout Policy

To test the policy attempt, logon and enter the wrong password 5 times (or whatever you set the lockout threshold to) and the account should become locked out.

Below is a screenshot of my account being locked out after 5 failed logon attempts.

I will now have to wait 30 minutes or have an administrator manually unlock my account before I can attempt to logon again.

That is it for this guide.

If you have questions or comments please post them below.

2 thoughts on “Account Lockout Policy: Configuration Guide”

  1. Alexis Aubry

    Straightforward, thanks Robert

    Reply
  2. Harry

    Understandable and useful, thanks.

    Reply

Leave a Comment