Introduction to Active Directory account policies
Passwords are the most common target for hackers if they want to get into an organization’s network. Some of the most common methods of password hacking are brute-force attacks and dictionary attacks. To prevent such attacks, Active Directory (AD) has a set of policies to protect passwords and user accounts. These policies are grouped under the security settings as account policies and are categorized into:
- Password policies: These policies define how passwords should be created.
- Account lockout policies: These policies define how an account should be handled in case of an authentication failure.
Password policies are a set of conditions or rules on how users should create passwords for their accounts. They define the password’s length, complexity, maximum and minimum age, whether users can repeat previously set passwords, and whether passwords should be stored using reversible encryption. You can read more about password policies here.
Account lockout policies
AD account lockout policies are a set of policies that define the instructions for how the account should be handled in case of a failed logon attempt. This policy comes in handy during brute-force or dictionary attack attempts. There are three lockout policies under this category:
- Account Lockout Duration
- Account Lockout Threshold
- Reset Account Lockout Counter After
1. Account lockout duration:
This policy determines the duration for which an account would remain locked out after a defined number of failed logon attempts, before the account gets unlocked again. Account lockout duration is defined in minutes, and it can be set between 0 and 99,999 minutes. The number of incorrect password entries is defined by the account lockout threshold policy. Hence, the account lockout duration setting will work only if the account lockout threshold is defined.
Note: If you set the account lockout duration to zero minutes, the account will not be unlocked automatically. It will remain locked until the administrator manually unlocks the account. To disable account lockouts, you need to turn off the policy.
2. Account lockout threshold
This policy setting determines the number of failed logon attempts after which the user gets locked out of the account. Account lockout threshold is defined in number of attempts, and its value can be set from 0 to 999. When the value is set to 0, the account will never get locked out.
By default, the account lockout threshold value is set to 0.
3. Reset account lockout counter after
This lockout policy setting determines the duration after which the failed logon attempt counter is reset to 0. This policy is defined in minutes, and the value can be set from 1 to 99,999 minutes. Like the account lockout duration setting, it only takes effect when the account lockout threshold is defined, because the counter it resets is the one the threshold is measured against.
It should be noted that when defining the reset account lockout counter after policy, the value must be less than or equal to the account lockout duration.
Difference between ‘Account lockout duration’ and ‘Reset account lockout counter after’ policies
Often, administrators get confused between the Reset Account Lockout Counter After and Account Lockout Duration policy settings. The account lockout duration policy determines how long an account stays locked after it gets locked out. The reset account lockout counter after policy defines the window of time within which failed attempts are counted towards the account lockout threshold. For example, let’s assume that the ‘reset account lockout counter after’ value is set to 5 minutes, and the account lockout threshold is set to 3 attempts. The timer begins at the first failed logon attempt. If the user fails the logon attempt 3 times consecutively within 5 minutes, the account will get locked. However, if the user fails the logon attempt only once or twice within those 5 minutes, the failed logon counter resets to 0 once the window elapses, and the timer begins again at the next failed logon attempt.
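The interaction of the three settings is easiest to see by replaying a sequence of failed logons against them. The function below is an added example written for this article, not code from the original, and it models the domain controller's logic in PowerShell without touching Active Directory: the failed-logon counter is kept while the observation window is open, lockout happens when the counter reaches the threshold, and a lockout with a non-zero duration expires on its own. The window is measured from the most recent failed attempt, which is what the domain controller compares the badPasswordTime attribute against. The minute offsets passed in are constructed test data.

```powershell
# Added example (not from the original article): simulate how Account lockout
# threshold, Account lockout duration and Reset account lockout counter after
# combine when a run of bad passwords arrives. Times are minute offsets from
# an arbitrary start; $FailureTimes is constructed sample input.
function Test-LockoutSequence {
    param(
        [int]$Threshold,          # Account lockout threshold (0 = never lock out)
        [int]$DurationMinutes,    # Account lockout duration (0 = locked until an admin unlocks)
        [int]$ResetAfterMinutes,  # Reset account lockout counter after (observation window)
        [int[]]$FailureTimes      # minute offsets of consecutive failed logon attempts
    )

    $badCount    = 0      # equivalent of the badPwdCount attribute
    $lastFailure = $null  # equivalent of badPasswordTime
    $lockedAt    = $null  # minute at which the account was locked, if any
    $events      = @()

    foreach ($t in $FailureTimes) {
        if ($null -ne $lockedAt) {
            # A locked account either auto-unlocks after the duration or stays locked.
            if ($DurationMinutes -gt 0 -and ($t - $lockedAt) -ge $DurationMinutes) {
                $events += "t=$t : lockout duration elapsed, account unlocked automatically"
                $lockedAt = $null
                $badCount = 0
            } else {
                $events += "t=$t : attempt rejected, account still locked"
                continue
            }
        }

        if ($Threshold -eq 0) {
            $events += "t=$t : bad password counted nowhere, threshold 0 never locks"
            continue
        }

        # Counter survives only while the observation window since the last failure is open.
        if ($null -ne $lastFailure -and ($t - $lastFailure) -ge $ResetAfterMinutes) {
            $badCount = 0
            $events += "t=$t : observation window elapsed, counter reset to 0"
        }

        $badCount++
        $lastFailure = $t
        $events += "t=$t : failed logon, badPwdCount=$badCount"

        if ($badCount -ge $Threshold) {
            $lockedAt = $t
            $events += "t=$t : threshold reached, account LOCKED"
        }
    }

    [pscustomobject]@{
        Locked      = ($null -ne $lockedAt)
        BadPwdCount = $badCount
        Events      = $events
    }
}

# The article's scenario: threshold 3, window 5 minutes, duration 15 minutes.
# Three failures inside the window lock the account; two failures followed by a
# third after the window has elapsed restart the counter instead.
$inWindow  = Test-LockoutSequence -Threshold 3 -DurationMinutes 15 -ResetAfterMinutes 5 -FailureTimes 0, 1, 2
$outWindow = Test-LockoutSequence -Threshold 3 -DurationMinutes 15 -ResetAfterMinutes 5 -FailureTimes 0, 1, 7
$inWindow.Events
"Locked: $($inWindow.Locked)"
$outWindow.Events
"Locked: $($outWindow.Locked)"
```

Running the two scenarios shows why the second, slower attacker never trips the threshold: the counter had already been reset before the third failure arrived. Raising the reset window (within the limit that it must not exceed the lockout duration) is what closes that gap.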
How to set account lockout policy in Active Directory
The account lockout policies can be set and edited using Group Policy objects (GPO). You can view and edit the account lockout policies by following these steps:
- From Start, open the Group Policy Management console.
- Choose the domain for which you want to define or edit the policies from the console tree, and then double-click on the domain to view the GPOs linked to it.
- Right click on Default Domain Policy, and click Edit.
- In the Group Policy Editor console that opens, navigate to Computer configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy.
- Double-click on Account Lockout Policy, and choose the policy you want to edit.
- Click on Properties. In the dialog box that opens, you can define the policy values in the Security tab.
- Check the Define this Policy Setting box, and then you can enter the desired value. Click OK after that.
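The same settings can be read and written from PowerShell, which is convenient for auditing many domains or scripting a change. The block below is an added example, not part of the original article; it uses the ActiveDirectory module that ships with RSAT or the AD DS role, and the domain and account names in it are placeholders. Note that Set-ADDefaultDomainPasswordPolicy writes the lockout attributes of the domain object directly; if the Default Domain Policy GPO defines the same settings, the GPO re-applies its values at the next refresh, so make the durable change through the GPO steps above and use the cmdlets to inspect and confirm.

```powershell
# Added example (not from the original article): inspect and set the domain's
# account lockout policy with the ActiveDirectory module, then check for
# accounts that are currently locked out. Run from an elevated session with
# rights to modify the domain.
Import-Module ActiveDirectory

$domain = 'corp.example'   # placeholder, replace with your domain's DNS name

# Current values of the three lockout settings
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Apply the article's recommended threshold and duration. The observation window
# (Reset account lockout counter after) is set equal to the duration here because
# it must not exceed the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 20 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Confirm the change took effect
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Accounts locked out right now; a sudden spike here is a sign of a
# brute-force or password-spraying attempt and is worth correlating with
# event ID 4740 (account locked out) on the PDC emulator.
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LockedOut, LastLogonDate

# Unlock one account once the lockout has been confirmed as benign
# (placeholder account name)
# Unlock-ADAccount -Identity 'jdoe'
```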
Account lockout policies scope
The account lockout policies are applied to the accounts in the domain of an AD network, and they are also applied to local accounts present in the member servers. Until Windows Server 2008, you could only enforce one account lockout policy for a domain.
Account lockout policy best practices
Setting the account lockout policies must be done with the utmost care. Ideally, an optimum value for each policy should be defined in order to strike a good balance between security and convenience. Here are values that you could follow:
- Account lockout threshold value set to 20.
- Account lockout duration value set to 15 minutes.
- Reset account lockout counter after value set to 30 minutes.
Fine-grained password policies in Windows Server 2008
Initially, Active Directory allowed only one account lockout policy to be defined for a domain. This meant that if you wanted to set a different policy setting for a group of users, say a stricter policy configuration for a group of high-level employees such as CXOs or administrators, you would have to create a new domain. However, Windows Server 2008 introduced ‘Fine-grained password policies’ which negated the need for such a hassle. This new functionality isn’t limited only to password policies as it also includes account lockout policies. You can now set different password and account lockout policies using password setting objects (PSO). You can learn more about fine-grained password policies here.
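A password settings object is created and linked to a group rather than edited through the Default Domain Policy. The block below is an added example, not code from the original article: it creates a PSO with a stricter lockout policy for a privileged group and then checks which policy a member of that group actually receives. It requires the ActiveDirectory module and a domain functional level of Windows Server 2008 or higher; the PSO name, group name and user name are placeholders.

```powershell
# Added example (not from the original article): a fine-grained password policy
# (PSO) that applies a stricter lockout configuration to a privileged group.
# Names below are placeholders; lockout values are illustrative.
Import-Module ActiveDirectory

$psoName = 'PSO-Admins-StrictLockout'   # placeholder PSO name
$group   = 'Tier0-Admins'               # placeholder security group
$user    = 'adminuser'                  # placeholder member of that group

# Precedence: when several PSOs apply to one user, the lowest value wins.
# A PSO always overrides the domain's default policy for its subjects.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -DisplayName $psoName `
    -Description 'Stricter lockout policy for privileged accounts' `
    -Precedence 10 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Which subjects the PSO is linked to
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass

# The resultant policy for one user: confirms the PSO, not the domain default,
# is what the domain controller enforces for this account.
Get-ADUserResultantPasswordPolicy -Identity $user |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

If Get-ADUserResultantPasswordPolicy returns nothing for the user, no PSO applies and the domain default policy is in force; that is the first thing to check when a stricter policy appears not to be working.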