why account lock out is not exact number of retries?


  • Windows Server 2008 R2

    i have successfully implement account lockout after a certain number of failed login attempt. the thread is here

    account lockout

    i opened this new thread because i noticed, even i have set the number of retries to be 5, the AD account only gets locked after the 6th retry. i was expecting it to be locked at exactly after the 5th login attempt.

    could there be a hidden setting or is this how it should behave?

    Tuesday, January 17, 2017 9:53 AM

All replies

  • Hi,

    I've just tested this in lab, where lockout threshold  is 10.
    Right after 10th attempt to logon with bad password, account has been locked.
    I've checked bad password count with
    Get-ADUser User -Properties badpwdcount,lockedout -Server YOUR_PDC | Select name,badpwdcount,lockedout
    • Edited by BearEater Tuesday, January 17, 2017 11:25 AM
    Tuesday, January 17, 2017 11:24 AM
  • Hi Reno,

    Not all logon attempts with a bad password count against the account lockout threshold. Passwords that match one of the two most recent passwords in password history will not increment the badPwdCount. Nor will they update the badPasswordTime attribute of the user

    • Proposed as answer by SachinWaghmare Wednesday, January 18, 2017 9:16 AM
    Tuesday, January 17, 2017 11:42 AM
  • yes it does say locked out right after the Nth attempt. however, the message that tells the person that the account has been locked only appears after the Nth+1 try, say, N=5 then i get the message of account lockout on my 6th attempt to login.

    i was kinda hoping it would tell me immediately after the Nth try but i guess this will do.


    Tuesday, January 17, 2017 11:42 AM
  • Run this command after attempting bad password for the account,check how counter works here or you are having some issue in the replication itself

    Nltest /user:test1 /server:PDCServer  the output will be like "BadPasswordCount on PDC is 0x0" for your case when its got 0x5 it will lock 

    Tuesday, January 17, 2017 12:02 PM
  • if i use,

    Get-ADUser user1 -Properties badpwdcount,lockedout -Server dc1 | Select name,badpwdcount,lockedout

    i get,

    name                                                             badpwdcount                       lockedout
    ----                                                                -----------                               ---------
    user1                                                                         5                                   True

    if i run,

    nltest /user:user /server:dc1

    i get,

    Cannot open SAM\SAM\Domains\Account\Users\Names\user1:Status = 2 0x2 ERROR_FILE_NOT_FOUND

    i checked my replication and there are no issues.

    • Edited by Reno Mardo Tuesday, January 17, 2017 12:32 PM pasted wrong copy
    Tuesday, January 17, 2017 12:25 PM
  • Hi,
    It seems that the account is locked out after the attempts reach lockout threshold, just the lockout message is returned when the N+1 attempt is tried. In my experience, it may be by design, if you want to get the notification immediately, maybe, we could use the script to monitor the account lockout and notice users. Please see:
    How to send account lockout email notification
    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, January 18, 2017 8:33 AM