Active Directory Domain User Account Lockout Policy

The Active Directory Domain User Account Lockout Policy determines the user account behavior after a user has been locked out of the account. There are three settings for account lockout policies, located in domain group policy, Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. The user is normally locked out after a number of defined failed logon attempts.

To open the domain group policy settings, open Active Directory Users and Computers MMC snap-in (DSA.MSC), select Start > Administrative Tools > Active Directory Users and Computers or type DSA.MSC in the run dialog box and hit enter. Right clich the domain and select the "Properties" from the context menu. Select the "Default Domain Policy" inside the "Group Policy" tab, and click "Edit".

1) Account Lockout Duration: Account Lockout Duration determines how long the user will be locked out before the user account is unlocked. The account will be locked out indefinitely when this value is set to 0. An administrator should unlock if the user want to logon again.

2) Account Lockout Threshold: Account Lockout Threshold value determines how many failed logon attempts happened before a user will be locked out of the account. If this setting is 0, the account will never be locked out.

3) Reset Account Lockout Counter After: Reset Account Lockout Counter After setting determines the number of minutes after a failed log on attempt, again the logon counter is reset to zero. Reset Account Lockout Counter After setting value must be less than or equal to the Account Lockout Duration setting.