Configuring Account Lockout Policies

Account lockout policies control how and when accounts are locked out of the domain or the local system. These policies are described and implemented as follows:

  • Account Lockout Duration: Once an account has been locked out, Account lockout duration sets the length of time the account stays locked. The lockout duration can be set to a specific length of time using a value between 1 and 99,999 minutes.


    The best security policy is to lock the account indefinitely by setting the lockout duration to zero. When this is done, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, the administrator can determine what the user is doing wrong and help the user avoid problems.


  • Account Lockout Threshold: The Account lockout threshold sets the number of invalid logon attempts that are allowed before an account is locked out. If lockout controls are used, they should be set to a value that balances the need to prevent account cracking against the needs of users who are having difficulty accessing their accounts.

    A primary reason users may not be able to access their accounts properly the first time is that they forgot their passwords. If this is the case, it may take them several attempts to log on properly. Workgroup users could also have problems accessing a remote system where their current passwords do not match the passwords the remote system expects. If this happens, several bad logon attempts may be recorded by the remote system before the user ever gets a prompt to enter the correct password. The reason is that Windows 2000 may attempt to automatically log on to the remote system. In a domain environment, this normally does not occur.

    The lockout threshold can be set to any value from 0 to 999. If the lockout threshold is set to zero, accounts will not be locked out due to invalid logon attempts. Any other value sets a specific lockout threshold. Keep in mind that the higher the lockout value, the higher the risk that a hacker may be able to break into a system.


  • Reset Account Lockout Threshold After: Every time a logon attempt fails, Windows 2000 increments a count of bad logon attempts that is compared against the lockout threshold. The Reset account lockout threshold after setting determines how long that count is maintained. The count is reset in one of two ways: if the user logs on successfully, the count is reset; and if the waiting period set by Reset account lockout threshold after has elapsed since the last bad logon attempt, the count is also reset.

    By default, the lockout threshold is maintained for one minute, but any value can be set from 1 to 99,999 minutes. As with Account lockout threshold, select a value that balances security needs against user access needs. A good value is from one to two hours. This waiting period should be long enough to force hackers to wait longer than they want to before trying to access the account again.


Note: Bad logon attempts to a workstation against a password-protected screen saver do not increase the lockout threshold. Similarly, if a server or workstation is locked using Ctrl+Alt+Delete, bad logon attempts against the Unlock dialog box do not count.
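The three settings above only make sense together: the threshold decides how many bad attempts are tolerated, the reset window decides how long those attempts are remembered, and the duration decides whether the lockout clears itself or waits for an administrator. The following simulator is an added illustration of that interaction (it is not Microsoft code and does not model the actual Windows 2000 implementation); the scenario timelines, the minute-based clock and the decision to clear the bad-attempt count when an account is unlocked are assumptions made for the example. The value ranges it enforces are the ones stated in the text.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The three Windows 2000 lockout settings, in minutes (ranges from the text)."""
    threshold: int         # Account lockout threshold: 0..999, 0 disables lockout
    reset_after_min: int   # Reset account lockout threshold after: 1..99,999
    duration_min: int      # Account lockout duration: 0..99,999, 0 = until an admin unlocks

    def validate(self) -> None:
        if not 0 <= self.threshold <= 999:
            raise ValueError("lockout threshold must be 0..999")
        if not 1 <= self.reset_after_min <= 99_999:
            raise ValueError("reset window must be 1..99,999 minutes")
        if not 0 <= self.duration_min <= 99_999:
            raise ValueError("lockout duration must be 0..99,999 minutes")


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[int] = None   # minute of the most recent bad attempt
    locked_at: Optional[int] = None     # minute at which the lockout started
    locked_out: bool = False


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy) -> None:
        policy.validate()
        self.policy = policy

    def _unlock(self, st: AccountState) -> None:
        # Modelling assumption: unlocking (by timer or administrator) also clears the count.
        st.locked_out, st.locked_at, st.bad_count, st.last_bad_at = False, None, 0, None

    def admin_unlock(self, st: AccountState) -> None:
        """Equivalent of clearing 'Account is locked out' in the user's properties."""
        self._unlock(st)

    def attempt(self, st: AccountState, at_min: int, password_ok: bool) -> str:
        """Process one logon attempt made at minute at_min and return its outcome."""
        p = self.policy
        # A timed lockout expires after duration_min; duration 0 never expires by itself.
        if st.locked_out and p.duration_min > 0 and at_min - st.locked_at >= p.duration_min:
            self._unlock(st)
        if st.locked_out:
            return "rejected_locked"      # even the correct password is refused while locked
        # The bad-attempt count is discarded once the reset window has elapsed.
        if st.last_bad_at is not None and at_min - st.last_bad_at >= p.reset_after_min:
            st.bad_count, st.last_bad_at = 0, None
        if password_ok:
            st.bad_count, st.last_bad_at = 0, None   # a successful logon resets the count
            return "success"
        st.bad_count += 1
        st.last_bad_at = at_min
        if p.threshold > 0 and st.bad_count >= p.threshold:
            st.locked_out, st.locked_at = True, at_min
            return "locked_out"
        return "failure"


def scenario_indefinite_lockout() -> List[str]:
    """Threshold 3, reset after 60 min, duration 0: only an administrator can unlock."""
    sim = LockoutSimulator(LockoutPolicy(threshold=3, reset_after_min=60, duration_min=0))
    st = AccountState()
    out = [sim.attempt(st, 0, False),     # count 1
           sim.attempt(st, 1, False),     # count 2
           sim.attempt(st, 70, False),    # 69 min since last bad attempt: count reset, then 1
           sim.attempt(st, 71, False),    # count 2
           sim.attempt(st, 72, False),    # count 3 -> locked out
           sim.attempt(st, 73, True),     # correct password, still rejected
           sim.attempt(st, 500, True)]    # hours later: duration 0 never auto-unlocks
    sim.admin_unlock(st)
    out.append(sim.attempt(st, 501, True))  # unlocked by an administrator -> success
    return out


def scenario_timed_lockout() -> List[str]:
    """Threshold 3, reset after 30 min, duration 30 min: the lockout clears itself."""
    sim = LockoutSimulator(LockoutPolicy(threshold=3, reset_after_min=30, duration_min=30))
    st = AccountState()
    return [sim.attempt(st, 0, False), sim.attempt(st, 1, False), sim.attempt(st, 2, False),
            sim.attempt(st, 20, True),    # 18 min into a 30 min lockout: rejected
            sim.attempt(st, 32, True)]    # lockout expired at minute 32: success


def scenario_lockout_disabled() -> int:
    """Threshold 0: no number of bad attempts ever locks the account."""
    sim = LockoutSimulator(LockoutPolicy(threshold=0, reset_after_min=1, duration_min=0))
    st = AccountState()
    outcomes = [sim.attempt(st, t, False) for t in range(10)]
    return sum(1 for o in outcomes if o == "failure") if not st.locked_out else -1


if __name__ == "__main__":
    print(scenario_indefinite_lockout())
    print(scenario_timed_lockout())
    print(scenario_lockout_disabled())
```

The first scenario shows why the text recommends a duration of zero: the account stays rejected at minute 500 even with the right password, until the administrator clears it. The second shows the trade-off of a timed duration, where the account quietly reopens after 30 minutes. The third shows that a threshold of zero turns the whole mechanism off, which is why a non-zero threshold is the prerequisite for the other two settings to matter.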

Unlocking a User Account

Once an account lockout threshold has been set, a user account is locked immediately after the specified number of invalid logon attempts. The initial invalid logon attempts are reported to the user in a Logon Message as shown below.

[Screenshot: Logon Message shown after an invalid logon attempt]

The final invalid logon attempt informs the user that the account has been locked by presenting the Logon Message shown below.

[Screenshot: Logon Message reporting that the account is locked out]

An authorized administrator can unlock the user account as follows:

  1. Click on Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. Find the user account from the appropriate organizational unit, right-click on the user account, and select Properties.

  4. In the user properties dialog box, select the Account tab.

  5. Remove the check mark from the Account is locked out selection box, and click on the Apply button.

  6. Click on the OK button to close the user properties dialog box.
