The Account lockout duration, Account lockout threshold and Reset account lockout counter after settings are configured in the Default Domain Policy. These settings define what happens when a user attempts to log on to the domain with an incorrect password multiple times. Attempting to log on to OWA with an incorrect password also increments the bad password count (the badPwdCount attribute), which will eventually lock the user out of the domain until the counter is reset.
Important consideration: attackers can also use this behaviour to lock users out of the network, provided they obtain valid usernames. The default settings of these Default Domain Policy attributes are as follows:
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Account lockout duration | Specifies the number of minutes a locked-out account remains unavailable before the user can attempt to log back in. Setting this to 0 keeps the account locked until an administrator unlocks it; such a configuration will likely increase the number of calls the help desk receives to unlock accounts locked by mistake. | Windows Server 2008: Not Defined; Windows Server 2003: Not Defined | Windows Server 2008: 15 minutes; Windows Server 2003: 0 |
| Account lockout threshold | The number of failed logon attempts before a lockout occurs. | Windows Server 2008: 0; Windows Server 2003: 0 | Windows Server 2008: 50 invalid logon attempts; Windows Server 2003: 20 invalid logon attempts |
| Reset account lockout counter after | The length of time before the Account lockout threshold counter resets to zero. | Windows Server 2008: Not Defined; Windows Server 2003: Not Defined | Windows Server 2008: 15 minutes; Windows Server 2003: 30 minutes |
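The following is an added model, not Microsoft's implementation or any code from the original page, of how the three settings interact: it tracks a per-account bad password counter, resets it once the observation window has passed, locks the account when the threshold is reached and releases it after the lockout duration (or only on administrator unlock when the duration is 0). Times are assumed to be in minutes and the scenario inputs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold (0 = never lock out)
    duration_min: int     # Account lockout duration in minutes (0 = until an admin unlocks)
    reset_after_min: int  # Reset account lockout counter after, in minutes

@dataclass
class AccountState:
    bad_pwd_count: int = 0                # mirrors the badPwdCount attribute
    bad_pwd_time: Optional[float] = None  # minutes; time of the last bad password
    lockout_time: Optional[float] = None  # minutes; None when the account is not locked

def is_locked(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """Lock stays in force until the duration elapses; duration 0 never expires by itself."""
    if state.lockout_time is None:
        return False
    if policy.duration_min == 0 or now < state.lockout_time + policy.duration_min:
        return True
    state.lockout_time = None   # duration elapsed: lock clears and the counter starts over
    state.bad_pwd_count = 0
    return False

def attempt_logon(policy: LockoutPolicy, state: AccountState, now: float, password_ok: bool) -> bool:
    """Process one logon attempt (domain logon or OWA alike); returns True on success."""
    if is_locked(policy, state, now):
        return False                # rejected regardless of the password supplied
    if password_ok:
        state.bad_pwd_count = 0     # a successful logon resets the counter
        return True
    # the counter resets once the observation window since the last bad password has passed
    if state.bad_pwd_time is not None and now - state.bad_pwd_time >= policy.reset_after_min:
        state.bad_pwd_count = 0
    state.bad_pwd_count += 1
    state.bad_pwd_time = now
    if policy.threshold > 0 and state.bad_pwd_count >= policy.threshold:
        state.lockout_time = now    # threshold reached: account is locked from now
    return False

def admin_unlock(state: AccountState) -> None:
    """Help desk / administrator unlock: the only way out when the lockout duration is 0."""
    state.lockout_time = None
    state.bad_pwd_count = 0

def run_scenario(policy: LockoutPolicy, bad_attempts: int, spacing_min: float) -> AccountState:
    """Constructed scenario: `bad_attempts` wrong passwords, `spacing_min` minutes apart."""
    state = AccountState()
    for i in range(bad_attempts):
        attempt_logon(policy, state, now=i * spacing_min, password_ok=False)
    return state
```

Running the recommended Windows Server 2008 values (50 / 15 / 15) shows the 50th wrong password within the window locking the account and the correct password being refused until 15 minutes have passed; with the Windows Server 2003 duration of 0, only admin_unlock releases it.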