Apply or modify account lockout policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To apply or modify account lockout policy

  • For a local computer

  • For a domain, and you are on a member server or a workstation that is joined to a domain

  • For a domain, and you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

For a local computer

  1. Open Local Security Settings.

  2. In the console tree, click Account Lockout Policy (console tree location is: Security Settings/Account Policies/Account Lockout Policy).

  3. In the details pane, right-click the policy setting that you want, and then click Properties.

  4. Select the options that you want, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

For a domain, and you are on a member server or a workstation that is joined to a domain

  1. Open Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. In Select Group Policy Object, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy object in the appropriate domain, site, or organizational unit (or create a new one), click OK, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, click Account Lockout Policy (console tree location is: Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy).

  8. In the details pane, right-click the policy setting that you want, and then click Properties.

  9. If you are defining this policy setting for the first time, select the Define this policy setting check box.

  10. Select the options that you want, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Microsoft Management Console, click Start, click Run, type mmc, and then click OK.

For a domain, and you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.

  3. Click Properties, and then click the Group Policy tab.

  4. Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit. You can also click New to create a new GPO, and then click Edit.

  5. In the console tree, click Account Lockout Policy (console tree location is: Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy).

  6. In the details pane, right-click the policy setting that you want, and then click Properties.

  7. If you are defining this policy setting for the first time, select the Define this policy setting check box.

  8. Select the options that you want, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

Caution

  • When account lockout policy is enabled, there is a risk of locking out legitimate users. To avoid locking out legitimate users who have simply mistyped or misremembered their passwords, set the account lockout threshold to a high number.

    Also, if a password is changed on one computer, but the user is logged on to another computer with the old password, the computer with the old password continuously attempts to authenticate the user by using the old password, and it eventually locks out the user account. This issue does not exist for organizations that only use domain controllers that are running Windows Server 2003 family operating systems.
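    To check an applied policy against this caution, the following added example (not part of the original Microsoft procedure) audits the [System Access] section of a security template exported with secedit /export /cfg. The sample export is constructed, and the min_threshold floor is a hypothetical site-chosen value, not a figure from this page.

```python
import configparser

# Constructed sample in the INF layout written by `secedit /export /cfg <file>`.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

LOCKOUT_KEYS = ("LockoutBadCount", "ResetLockoutCount", "LockoutDuration")


def read_lockout_policy(inf_text):
    """Return the lockout settings from [System Access] as ints (None if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # INF keys are mixed case; do not lowercase them
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    return {key: int(section[key]) if key in section else None for key in LOCKOUT_KEYS}


def audit_lockout(policy, min_threshold=10):
    """List findings; min_threshold is a hypothetical site-chosen floor."""
    threshold = policy["LockoutBadCount"]
    if threshold is None:
        return ["LockoutBadCount is not defined in this export"]
    if threshold == 0:
        return ["account lockout is disabled (LockoutBadCount = 0)"]
    findings = []
    if threshold < min_threshold:
        findings.append(f"threshold {threshold} is below the floor of {min_threshold}; "
                        "mistyped or stale passwords can lock out legitimate users")
    reset, duration = policy["ResetLockoutCount"], policy["LockoutDuration"]
    # Windows requires the reset window to be no longer than the lockout duration.
    if reset is not None and duration is not None and 0 < duration < reset:
        findings.append(f"ResetLockoutCount {reset} exceeds LockoutDuration {duration}")
    return findings


if __name__ == "__main__":
    for finding in audit_lockout(read_lockout_policy(SAMPLE_EXPORT)):
        print(finding)
```

    A real export is UTF-16 encoded, so read the file with encoding="utf-16" before passing its text to read_lockout_policy.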

Note

  • For more information about each of the account lockout policy settings, see "Account Lockout Policy" in Related Topics.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Account lockout policy overview
Password Best practices
Passwords
Account Lockout Policy