Account lockout policy disables a user account if an incorrect password is entered a specified number of times over a specified period. These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network.
Before you enable account lockout policy, it is important to realize that there is a risk of unintentionally locking authorized users out of their accounts. Such a result can be quite costly for your organization, because locked-out users cannot access their user accounts until the account unlocks automatically after a specified amount of time or until you unlock the accounts for them.
Authorized users can lock themselves out of an account by mistyping their password, by remembering it incorrectly, or by changing their password on one computer while they are still logged on to another computer. The computer that still has the old password continuously tries to authenticate the user, and because the password it is using is now incorrect, the user account is eventually locked out. This issue does not exist for organizations that only use domain controllers that are running Windows Server 2003 family operating systems. To avoid locking out authorized users, set the account lockout threshold to a high number. Remember, however, that a computer continuously trying to authenticate a user with an incorrect password behaves very much like password-cracking software. Setting the account lockout threshold high enough that the authorized user will not be locked out in this situation may inadvertently allow unauthorized access to your network by hackers.
How to apply or modify account lockout policy
For a local computer:
1. Open Local Security Settings.
2. In the console tree, click Account Lockout Policy (console tree location is: Security Settings/Account Policies/Account Lockout Policy).
3. In the details pane, right-click the policy setting that you want, and then click Properties.
4. Select the options that you want, and then click OK.
For a domain, when you are on a member server or a workstation that is joined to a domain:
1. Open Microsoft Management Console (MMC).
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Click Group Policy Object Editor, and then click Add.
4. In Select Group Policy Object, click Browse.
5. In Browse for a Group Policy Object, select a Group Policy object in the appropriate domain, site, or organizational unit (or create a new one), click OK, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, click Account Lockout Policy (console tree location is: Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy).
8. In the details pane, right-click the policy setting that you want, and then click Properties.
9. If you are defining this policy setting for the first time, select the Define this policy setting check box.
10. Select the options that you want, and then click OK.
For a domain, when you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed:
1. Open Active Directory Users and Computers.
2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.
3. Click Properties, and then click the Group Policy tab.
4. Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit. You can also click New to create a new GPO, and then click Edit.
5. In the console tree, click Account Lockout Policy (console tree location is: Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy).
6. In the details pane, right-click the policy setting that you want, and then click Properties.
7. If you are defining this policy setting for the first time, select the Define this policy setting check box.
8. Select the options that you want, and then click OK.
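To confirm which lockout settings actually took effect after any of the procedures above, they can be read back from the command line. The PowerShell function below is an added example, not part of the original Microsoft text; the name Get-LockoutPolicy and its -InfPath parameter are made up for illustration, and it assumes an elevated prompt on the computer being checked.

```powershell
# Added example: read back the account lockout settings in effect on this computer.
# Get-LockoutPolicy and -InfPath are illustrative names, not a built-in cmdlet.
function Get-LockoutPolicy {
    param([string]$InfPath)   # optional: an existing "secedit /export" file

    $cleanup = $false
    if (-not $InfPath) {
        # Export only the security policy area to a temporary template (needs elevation).
        $InfPath = Join-Path $env:TEMP ("lockout-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $InfPath /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $cleanup = $true
    }

    $values = @{}
    try {
        # The [System Access] section holds the three lockout values as "Name = number".
        foreach ($line in Get-Content -LiteralPath $InfPath) {
            if ($line -match '^\s*(LockoutBadCount|ResetLockoutCount|LockoutDuration)\s*=\s*(-?\d+)') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }
    } finally {
        if ($cleanup) { Remove-Item -LiteralPath $InfPath -ErrorAction SilentlyContinue }
    }

    $notes = @()
    if ($values['LockoutBadCount'] -eq 0) {
        $notes += 'Threshold is 0: accounts are never locked out, so password guessing is not slowed.'
    }
    if ($values['LockoutDuration'] -eq -1) {
        $notes += 'Duration is -1: locked accounts stay locked until an administrator unlocks them.'
    }

    [pscustomobject]@{
        LockoutThreshold         = $values['LockoutBadCount']    # bad passwords before lockout
        ObservationWindowMinutes = $values['ResetLockoutCount']  # period over which they are counted
        LockoutDurationMinutes   = $values['LockoutDuration']    # time until automatic unlock
        Notes                    = $notes
    }
}

Get-LockoutPolicy | Format-List
```

When the threshold is 0, the export normally omits the other two values, so they are reported as empty.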
Source: Microsoft