All about Active Directory Account Lockout Best Practices

Active Directory Account Lockout: Best Practices

Windows account lockout policies are useful when you want to limit the attempts made by people who try to access your network by guessing passwords. The account lockout policy also helps to enforce a strong password policy. When an account lockout policy is in place, it limits the number of consecutive failed login attempts a person can make within a set period. However, to reduce frequent calls to the help desk you need a lockout policy with an increased account lockout duration, a decreased lockout threshold, and an increased reset lockout counter. Windows account lockout policies are defined by three independent settings:

  1. Reset account lockout counter after
  2. Account lockout duration
  3. Account lockout threshold

Generally, the account lockout policy is configured in the Group Policy Management Console. The path to the console is

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

This document reviews some of the best practices for locking a user account after wrong passwords are entered repeatedly within a specified period. Here are some of the best practices as used in a typical Windows environment.

1.    Setting the Account Lockout Policy

You need to create a lockout policy GPO that can be edited through the following path:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

The default parameters for the account lockout policy should be:

  • 1440 minutes for the lockout duration
  • 10 invalid logins for the account lockout threshold
  • 0 minutes for the reset account lockout counter, to ensure the account does not unlock itself.

Once an account is locked, the administrator should check the configured lockout duration before intervening. Any value between 1 and 99,999 minutes unlocks the account automatically after that time. The lockout duration must be set equal to or greater than the reset account lockout counter.

The account lockout threshold is the number of failed attempts with a wrong password an account can sustain before it is locked.

The reset counter tells Windows how long to wait after a failed attempt before the count of consecutive failed attempts is reset to zero.
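The three settings above can be audited from a domain-joined machine instead of by clicking through the Group Policy console. The following PowerShell script is an added example and is not part of the original article; it assumes the ActiveDirectory RSAT module is installed, reads the Default Domain Policy values with Get-ADDefaultDomainPasswordPolicy, compares them with the article's recommended numbers (passed in as parameters), checks the "duration must be greater than or equal to the reset counter" rule, and lists the accounts that are currently locked out. The treatment of a duration of 0 as "unlock only by an administrator" is an assumption made by the example.

```powershell
# Added example (not from the original article): audit the domain's account
# lockout settings against the values the article recommends and list the
# accounts that are currently locked out. Requires the ActiveDirectory
# RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    param(
        [int]$ExpectedThreshold   = 10,    # invalid logons before lockout (article value)
        [int]$ExpectedDurationMin = 1440   # minutes an account stays locked (article value)
    )
    # Reads the Default Domain Policy values shown under Account Lockout Policy.
    $p        = Get-ADDefaultDomainPasswordPolicy
    $duration = [int]$p.LockoutDuration.TotalMinutes
    $window   = [int]$p.LockoutObservationWindow.TotalMinutes   # "reset counter after"

    $findings = @()
    if ($p.LockoutThreshold -eq 0) {
        $findings += 'Lockout threshold is 0: accounts never lock, so password guessing is unlimited.'
    } elseif ($p.LockoutThreshold -ne $ExpectedThreshold) {
        $findings += "Lockout threshold is $($p.LockoutThreshold), expected $ExpectedThreshold."
    }
    if ($duration -ne $ExpectedDurationMin) {
        $findings += "Lockout duration is $duration min, expected $ExpectedDurationMin."
    }
    # The article's rule: duration must be >= the reset counter window.
    # Assumption: a duration of 0 means "locked until an administrator unlocks"
    # and is treated as satisfying that rule.
    if ($duration -ne 0 -and $duration -lt $window) {
        $findings += "Lockout duration ($duration min) is shorter than the reset counter window ($window min)."
    }
    [pscustomobject]@{
        Threshold   = $p.LockoutThreshold
        DurationMin = $duration
        ResetWindow = $window
        Findings    = $findings
        Compliant   = ($findings.Count -eq 0)
    }
}

function Get-LockedOutReport {
    # Search-ADAccount -LockedOut returns every user whose lockoutTime is set;
    # the extra properties show when and how hard the account was hit.
    Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
        Select-Object SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
}

$policy = Test-LockoutPolicy
$policy | Format-List
if (-not $policy.Compliant) {
    Write-Warning ("Policy findings:`n - " + ($policy.Findings -join "`n - "))
}
Get-LockedOutReport | Format-Table -AutoSize

# After the cause has been confirmed, a single account can be released with:
#   Unlock-ADAccount -Identity <SamAccountName>
```

Run it from an elevated PowerShell session as a domain user who can read the domain policy; unlocking accounts needs the corresponding delegated right. Because the script only reads the policy, it is safe to schedule it as a recurring compliance check.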

2.    Review Account Lockouts

Account lockout investigations succeed only when logs are captured that can be used to trace where the failed attempts are coming from. The administrator can take the following steps:

  • Enable auditing of logon events
  • Enable Netlogon logging
  • Enable Kerberos auditing as well.

After collecting the data from the features enabled above, analyze the Security event logs and the Netlogon log files to find out where the lockouts originate and why they are taking place. Once you have identified the machine producing the login errors, analyze its event logs to determine the cause.
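The procedure in this section can be scripted. The following PowerShell is an added example, not code from the original article or from any of the tools it mentions. Part 1 enables the three log sources listed above with the standard auditpol and nltest commands (run elevated on the domain controllers). Part 2 reads "A user account was locked out" events (ID 4740) from the PDC emulator, which records every lockout in the domain, extracts the caller computer name, and then queries that computer for the matching failed logons (ID 4625) whose Logon Type and Process Name fields point at the offending process. The function names, the constructed sample event and the host names in it are assumptions made for the example.

```powershell
# Added example, not part of the original article. Requires an elevated session;
# part 2 also needs the ActiveDirectory RSAT module and remote event log access.

# --- Part 1: enable the auditing the article recommends ---------------------
function Enable-LockoutAuditing {
    # Logon failures (event 4625) and account management (event 4740)
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
    auditpol /set /subcategory:"User Account Management" /success:enable | Out-Null
    # Kerberos pre-authentication failures (event 4771)
    auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable | Out-Null
    # Verbose Netlogon logging to %windir%\debug\netlogon.log
    nltest /dbflag:0x2080ffff | Out-Null
    Restart-Service Netlogon
}

# --- Part 2: find lockouts and the machine they came from ---------------------
function ConvertFrom-LockoutEvent {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        # In event 4740 the EventData fields are, in order: TargetUserName (the
        # locked account), TargetDomainName (which for this event carries the
        # "Caller Computer Name", i.e. the machine the bad password came from),
        # SubjectUserName, SubjectDomainName, SubjectLogonId, TargetSid.
        [pscustomobject]@{
            Time           = $Event.TimeCreated
            Account        = $Event.Properties[0].Value
            CallerComputer = $Event.Properties[1].Value
            ReportedBy     = $Event.MachineName
        }
    }
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    Import-Module ActiveDirectory
    $pdc = (Get-ADDomain).PDCEmulator     # every lockout is replicated here
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | ConvertFrom-LockoutEvent
}

function Get-FailedLogonsFrom {
    # Follow up on the caller machine: event 4625 fields used here are
    # TargetUserName [5], LogonType [10], ProcessName [18], IpAddress [19].
    param([string]$Computer, [string]$Account, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } | Where-Object { $_.Properties[5].Value -ieq $Account } |
      ForEach-Object {
          [pscustomobject]@{
              Time      = $_.TimeCreated
              LogonType = $_.Properties[10].Value
              Process   = $_.Properties[18].Value
              SourceIP  = $_.Properties[19].Value
          }
      }
}

# Constructed sample event (not real log data) so the parser can be tried offline.
$sample = [pscustomobject]@{
    TimeCreated = Get-Date '2024-01-15 09:12:00'
    MachineName = 'DC01.example.local'
    Properties  = @(
        @{ Value = 'jdoe' }, @{ Value = 'LAPTOP-42' }, @{ Value = 'DC01$' },
        @{ Value = 'EXAMPLE' }, @{ Value = '0x3e7' }, @{ Value = 'S-1-5-21-0-0-0-1001' }
    )
}
$sample | ConvertFrom-LockoutEvent | Format-Table -AutoSize

# Against a live domain, after Enable-LockoutAuditing has run on the DCs:
#   Get-RecentLockouts | ForEach-Object { Get-FailedLogonsFrom $_.CallerComputer $_.Account }
```

The caller computer name is the key pivot: once the 4625 events on that machine show a Logon Type of 4 (batch) or 5 (service) with a Process Name such as the task scheduler or services host, the lockout is almost always a scheduled task or service running with an old password rather than a person.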

3.    Using Account Lockout and Management Tools

Some Microsoft and third-party tools can be used to investigate account lockouts and help determine the cause. These tools send an alert in real time, which makes it easier for the help desk to resolve lockouts when asked.

Netwrix Account Lockout Examiner

This tool notifies the system administrator of an account lockout. It is freeware that helps identify the root cause of persistent lockouts. System administrators can access the troublesome accounts from the console. The tool reduces the strain on the service desk, who are alerted even before the user calls for help. A working Netwrix Account Lockout Examiner is enough evidence that the Active Directory account lockout policy complies with the set standards. Administrators can also use Netwrix Account Lockout Examiner to identify malicious attacks from viruses that lead to multiple lockouts.

The AD Lockouts and Bad Password Detection

The tool tracks the origin of lockouts in Active Directory caused by bad password attempts. The utility is useful in large organizations running multiple domains. The system administrator can use the tool to:

  • Search each domain for bad password attempts against particular accounts
  • Analyze any events related to failed login attempts on each domain controller, tracing the possible origin of the lockout

Use event logs from every machine in the network to determine if the following common causes of account lockout are present:

  • Mapped drives with open permissions
  • Stale login and RDP sessions that may still be running
  • Tasks and services running with old credentials

Microsoft Account Lockout Status Tools

This set of account lockout tools is available from Microsoft and can be downloaded to increase the functionality of Active Directory. Microsoft recommends using these tools alongside the Account Passwords and Policies white paper.

The primary functions of these tools are:

  • Help isolate and troubleshoot locked accounts by changing the user's password on the domain controller. The tool automatically adds property pages to the user account in the Active Directory Users and Computers management console
  • On the client side, determine which processes or applications are sending the wrong credentials
  • Display account names and the age of their passwords
  • Run as a startup script to enable Kerberos logging on clients running Windows 2000 and later
  • Collect events from the event logs of all machines into a central location
  • Identify all domain controllers involved in a lockout by gathering all their logs. The output is saved as a .CSV file whose content can be sorted if needed.
  • Extract and display specific entries from the Netlogon log files.

Please Note: the Microsoft account lockout status tools should not be used on a server hosting network applications and services, as they may prevent some critical services from loading.

4.    What Are the Causes of Account Lockouts?

  • Port 3389, used by RDP, left open and subjected to brute-force password guessing
  • Replication in Active Directory
  • Programs running with cached user credentials
  • Service accounts with expired or changed passwords
  • A low password threshold setting
  • Shared drive mappings
  • Disconnected terminal sessions
  • Mobile access to the Exchange server via IIS
  • A user logged on to multiple computers
  • Saved account credentials with outdated passwords and usernames.
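Most of the causes in this list, and the common causes named under the AD Lockouts and Bad Password Detection tool above (mapped drives, stale sessions, tasks and services on old credentials), boil down to something on one machine still presenting an old password. The following PowerShell script is an added example and is not code from the original article or from any tool it describes: given an account name, it checks a single machine for services and scheduled tasks that run as that account, drive mappings, credentials saved in Credential Manager, and leftover interactive or RDP sessions. It is meant to be run on the caller computer that event 4740 identified, with local administrator rights; the function name and the sample account 'EXAMPLE\jdoe' are assumptions made for the example.

```powershell
# Added example, not from the original article. Run on the machine that the
# lockout events point at; local administrator rights are needed to read
# services, scheduled tasks and other users' sessions.

function Find-StaleCredentialUse {
    param(
        [Parameter(Mandatory)][string]$Account   # e.g. 'jdoe' or 'EXAMPLE\jdoe'
    )
    $user    = ($Account -split '\\')[-1]        # strip DOMAIN\ if present
    $escaped = [regex]::Escape($user)
    $hits    = New-Object System.Collections.Generic.List[object]
    function Add-Hit([string]$Kind, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Services whose log-on account is this user: the password stored for the
    #    service keeps being retried after the user changes it.
    #    Matches "DOMAIN\user", ".\user" and "user@domain" forms of StartName.
    $svcPattern = '(^|\\|@)' + $escaped + '(@|$)'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $svcPattern } |
        ForEach-Object { Add-Hit 'Service' "$($_.Name) runs as $($_.StartName) (state: $($_.State))" }

    # 2. Scheduled tasks registered to run as this user.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and (($_.Principal.UserId -split '\\')[-1] -ieq $user) } |
        ForEach-Object { Add-Hit 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) runs as $($_.Principal.UserId)" }

    # 3. Drive mappings: each reconnect re-authenticates with the credentials
    #    the mapping was created with.
    Get-SmbMapping -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'MappedDrive' "$($_.LocalPath) -> $($_.RemotePath) ($($_.Status))" }

    # 4. Credentials saved in Credential Manager for this user ("User: ..." lines).
    $credPattern = 'User:\s*.*' + $escaped
    cmdkey /list | Where-Object { $_ -match $credPattern } |
        ForEach-Object { Add-Hit 'StoredCredential' $_.Trim() }

    # 5. Interactive / RDP sessions still logged on; disconnected sessions keep
    #    running processes with the old token. quser marks the current session with '>'.
    $sessPattern = '^\s*>?' + $escaped + '\s'
    (quser 2>$null) | Select-Object -Skip 1 |
        Where-Object { $_ -match $sessPattern } |
        ForEach-Object { Add-Hit 'Session' $_.Trim() }

    return $hits
}

Find-StaleCredentialUse -Account 'EXAMPLE\jdoe' | Format-Table -AutoSize
```

Each hit is something to fix at its source (update the service or task password, remove the stored credential, log the disconnected session off) before unlocking the account; unlocking first only restarts the clock on the next lockout.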

An account lockout policy is in place to stop users who enter bad passwords from accessing the system. It is enforced after several attempts have been made within a specified period. Using such a policy, with the help of third-party tools and utilities, prevents malicious attacks and therefore reduces successful attacks on your network. The user can access the affected account after the system administrator has reset the password or after the specified lockout period has elapsed.
