Account Lockout GPO

    Question

  • Hi,

    My requirement is to lock out a domain user account after 3 failed attempts, and those accounts must be unlocked by an Administrator manually. I have done the below:

    1. Set the lockout duration = 0

    2. Account lockout threshold = 3

    3. Reset account lockout counter after = 15 minutes

    ---

    But after 03 failed attempts, the account gets locked. But again after 15 minutes, the user is able to log in. This means the account gets unlocked automatically.

    Any suggestions to achieve this?

    Thank you.

    MIT 

    Thursday, May 17, 2018 3:12 AM

All replies

  • You may need to review the product documentation:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy and https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.

    "The Reset account lockout counter after policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration."

    So, if you have the threshold set to 3, the reset time must be less than or equal to the value of account lockout duration, which you have set to 0.

    Thursday, May 17, 2018 3:22 AM
  • Hi Aaron,

    Thanks for the reply. I understand your reply.

    But can you tell me the parameter values for my requirement?

    "lockout domain user account, after 3 failed attempts. and those accounts must be unlocked by Administrator manually"

    Thank you.

    MIT

    Thursday, May 17, 2018 9:46 AM
  • Hello,

    Like Aaron Guilmette told you, if you have a threshold set to 3, the reset time must be less than or equal to the value of account lockout duration.

    I tested it with these values and it works fine

    Set lockout duration = 0

    Account Lockout threshold = 3

    Reset account lockout counter after = 2

    Best Regards,

    • Proposed as answer by johnarms Tuesday, May 22, 2018 8:04 PM
    Thursday, May 17, 2018 10:29 AM
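
A way to check what the domain actually enforces against the values proposed in the last reply, as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine; the account name in the final comment is a placeholder.

```powershell
# Added example: compare the effective domain lockout policy with the
# values from the thread, then list accounts that are currently locked out.
Import-Module ActiveDirectory

# Desired values, taken from the last reply in the thread.
$desired = [ordered]@{
    LockoutThreshold         = 3
    LockoutDuration          = [TimeSpan]::Zero            # 0 = stays locked until an administrator unlocks it
    LockoutObservationWindow = [TimeSpan]::FromMinutes(2)  # "Reset account lockout counter after"
}

# The policy stored on the domain object, i.e. what domain controllers enforce.
$effective = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($name in $desired.Keys) {
    [pscustomobject]@{
        Setting   = $name
        Desired   = $desired[$name]
        Effective = $effective.$name
        Match     = ($effective.$name -eq $desired[$name])
    }
}
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    # For domain accounts, the Account Lockout Policy only takes effect
    # from a GPO linked at the domain level.
    Write-Warning 'Effective policy differs from the desired values; confirm the GPO is linked at the domain level and has applied.'
}

# Accounts that are locked out right now.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LockedOut, LastLogonDate

# Manual unlock by an administrator ('jdoe' is a placeholder account name):
# Unlock-ADAccount -Identity 'jdoe'
```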