Account Lockout Policy Technical Overview
Updated: May 2, 2012
Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista
This topic for the IT professional describes account lockout policies, beginning with Windows Server 2003.
An account lockout policy disables a user account if an incorrect password is entered a specified number of times within a specified period. The account lockout policy settings help prevent attackers from guessing users' passwords, and they reduce the likelihood of a successful password-guessing attack on your network. When the policy is set, each failed domain logon attempt is recorded on the domain controller that holds the primary domain controller (PDC) emulator operations master role. When the threshold is reached, the PDC emulator locks the account, and further logon attempts with that account fail even if the correct password is supplied. The counter that the PDC emulator keeps for the account (the badPwdCount attribute) is reset to zero when an administrator unlocks the account, when the reset window defined by the policy elapses, or when the user logs on successfully.
Account lockout policies apply to domain accounts. Account lockout is an interaction between a client computer and a domain controller and implements the following process:
The client computer presents the user's logon information to a domain controller. This includes the user's account name and a proof derived from the password (for example, an NTLM challenge response or a Kerberos pre-authentication timestamp encrypted with the password-derived key), not the password itself. This information can be sent to any domain controller and is typically sent to the domain controller that the client has located as the closest one to it.
When a domain controller detects that an authentication attempt did not work and the condition STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE, or STATUS_ACCOUNT_LOCKED_OUT is returned, the domain controller forwards the authentication attempt to the PDC emulator operations master. The domain controller queries the PDC emulator to determine authoritatively whether the password is current. It does this because it may not yet have the user's most recent password, whereas the PDC emulator operations master always has the most current password: password changes are replicated to the PDC emulator with priority, so a password that was just changed on another domain controller is already known there.
The PDC emulator operations master retries the authentication request to verify whether the password is correct. If the PDC emulator operations master also rejects the password, it increments the badPwdCount attribute on that user object. The PDC emulator is the authority on the validity of the user's password, and its copy of badPwdCount is the one that counts toward the threshold (badPwdCount is not replicated between domain controllers, so each domain controller keeps its own local value).
The PDC emulator operations master sends the failed logon result to the authenticating domain controller.
The authenticating domain controller then sends a response to the client computer that notifies the client that the logon attempt did not work.
As long as that user, program, or service continues to send incorrect credentials to the authenticating domain controller, logon attempts that failed because of an incorrect password continue to be forwarded to the PDC emulator until the threshold for incorrect logon attempts is reached (if a threshold is set in the policy). When this occurs, the account is locked out.
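The process above has a practical consequence for troubleshooting: because badPwdCount is not replicated, the value you see depends on which domain controller you ask, and only the PDC emulator's value is authoritative. The following PowerShell script is an added example (it is not part of the original topic) that reads the domain's lockout settings, queries every domain controller for a user's lockout state, flags whether the PDC emulator's count has reached the threshold, and lists the most recent lockout events from the PDC emulator's Security log. It assumes the ActiveDirectory module (RSAT) is installed, that you run it from a domain-joined computer with rights to read user attributes and the PDC emulator's Security log, and that alice is a placeholder account name.

```powershell
# Added example, not code from the original topic.
# Assumes: ActiveDirectory module (RSAT), a domain-joined machine, and read
# access to the PDC emulator's Security log. 'alice' is a placeholder account.
Import-Module ActiveDirectory

$SamAccountName = 'alice'

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$policy = Get-ADDefaultDomainPasswordPolicy

Write-Host "PDC emulator: $pdc"
Write-Host ("Lockout threshold: {0}   Reset counter after: {1}   Lockout duration: {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration)

# badPwdCount, badPasswordTime and lockoutTime are not replicated, so each
# domain controller must be queried directly with -Server. The row for the
# PDC emulator is the one that decides whether the threshold has been reached.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$state = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
    [pscustomobject]@{
        DC          = $dc
        IsPDC       = ($dc -ieq $pdc)
        BadPwdCount = $u.badPwdCount
        # Both timestamps are FILETIME values (Int64); 0 means "never".
        LastBadPwd  = if ($u.badPasswordTime) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
        LockedOut   = $u.LockedOut
        LockoutTime = if ($u.lockoutTime)     { [DateTime]::FromFileTimeUtc($u.lockoutTime) }     else { $null }
    }
}
$state | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# A threshold of 0 means account lockout is disabled, so only warn when it is set.
$pdcRow = $state | Where-Object IsPDC
if ($policy.LockoutThreshold -gt 0 -and $pdcRow.BadPwdCount -ge $policy.LockoutThreshold) {
    Write-Warning "$SamAccountName has reached the lockout threshold ($($policy.LockoutThreshold)) on the PDC emulator."
}

# Event ID 4740 ("A user account was locked out") is written to the Security log
# of the PDC emulator. Its first data field is the locked account and the second
# (TargetDomainName) carries the Caller Computer Name, i.e. where the bad
# passwords came from, which is what you need to find a stale credential.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
        }
    } | Format-Table -AutoSize
```

Run it on a domain-joined administrative workstation. If a non-PDC domain controller shows a higher badPwdCount than the PDC emulator, the difference is just local history on that domain controller; the account is only locked when the PDC emulator's count reaches the threshold, which is why 4740 is read from the PDC emulator rather than from the domain controller the user happened to authenticate against.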
Before you enable an account lockout policy, it is important to realize that there is a risk of unintentionally locking authorized users out of their accounts. This can be costly for your organization, because locked-out users cannot use their accounts until the lockout expires automatically after the configured lockout duration or until an administrator unlocks the accounts manually.
Authorized users can lock themselves out by mistyping their password or by remembering it incorrectly. To avoid locking out authorized users, set the account lockout threshold to a high number. Remember, however, that a computer repeatedly trying to authenticate a user with an incorrect password (for example, a service or scheduled task still using an old password) behaves very much like password-cracking software. Setting the account lockout threshold high enough that an authorized user is never locked out in this situation may also give a malicious user enough guesses to gain unauthorized access to your network.
The following reference topics provide details about the account lockout policies: