What are the on-premises Active Directory account lockout settings?

Overview

Account lockouts limit the potential for brute-force password cracking against our directory services: after a specific number of bad password attempts, an account is temporarily blocked from authenticating.

Note: The most common reason for an Active Directory account lockout is a password remembered in a wireless profile. If the profile is not updated when the password changes, the stale credential keeps generating bad password attempts and locks the account.


Details

The on-premises Microsoft Active Directory Domain Services (AD DS) bad password lockout settings are: 20 bad password attempts within 10 minutes lock an account out for 10 minutes.

The on-premises Microsoft Active Directory Federation Services (AD FS) "soft lockout" is slightly more restrictive, to avoid denial of service from brute-force password checking against the SSO service. The soft lockout settings are: 15 bad password attempts within 10 minutes lock an account out for 10 minutes.
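To make the interaction of the three numbers (attempt threshold, observation window, lockout duration) concrete, here is an added Python model of both policies above. It is example code written for this article, not part of AD DS or AD FS; it assumes the usual AD DS semantics that the bad-password counter resets when a failure arrives more than the observation window after the previous failure, and that a locked account unlocks automatically once the duration expires. The attribute names on `AccountState` and the `replay` helper are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # bad password attempts that trigger a lockout
    window: timedelta     # a failure this long after the previous one resets the counter (assumed AD DS semantics)
    duration: timedelta   # how long the account stays locked before it unlocks on its own


# The two policies stated in the article: 20/10/10 for AD DS, 15/10/10 for the AD FS soft lockout.
AD_DS_POLICY = LockoutPolicy(threshold=20, window=timedelta(minutes=10), duration=timedelta(minutes=10))
AD_FS_SOFT_LOCKOUT = LockoutPolicy(threshold=15, window=timedelta(minutes=10), duration=timedelta(minutes=10))


@dataclass
class AccountState:
    """Per-account counters, named after the AD attributes they loosely model (a simplification)."""
    bad_pwd_count: int = 0
    bad_password_time: Optional[datetime] = None
    lockout_time: Optional[datetime] = None


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy, correct_password: str):
        self.policy = policy
        self.correct_password = correct_password

    def is_locked(self, state: AccountState, now: datetime) -> bool:
        return state.lockout_time is not None and now < state.lockout_time + self.policy.duration

    def attempt(self, state: AccountState, supplied_password: str, now: datetime) -> str:
        """Process one authentication attempt; returns 'success', 'bad_password' or 'locked_out'."""
        if state.lockout_time is not None:
            if now < state.lockout_time + self.policy.duration:
                return "locked_out"          # even the correct password is refused while locked
            state.lockout_time = None        # lockout duration elapsed: auto-unlock and start fresh
            state.bad_pwd_count = 0
        if supplied_password == self.correct_password:
            state.bad_pwd_count = 0          # a good logon clears the counter
            return "success"
        if state.bad_password_time is not None and now - state.bad_password_time > self.policy.window:
            state.bad_pwd_count = 0          # earlier failures fell outside the observation window
        state.bad_pwd_count += 1
        state.bad_password_time = now
        if state.bad_pwd_count >= self.policy.threshold:
            state.lockout_time = now         # threshold reached: following attempts are refused
        return "bad_password"


def replay(policy: LockoutPolicy, correct_password: str, attempts):
    """Replay (timestamp, supplied_password) pairs against a fresh account; returns outcomes and final state."""
    sim = LockoutSimulator(policy, correct_password)
    state = AccountState()
    outcomes = [sim.attempt(state, pwd, ts) for ts, pwd in attempts]
    return outcomes, state


if __name__ == "__main__":
    t0 = datetime(2022, 9, 29, 16, 0, 0)
    burst = [(t0 + timedelta(seconds=i), "wrong") for i in range(20)] + [(t0 + timedelta(minutes=5), "correct")]
    print(replay(AD_DS_POLICY, "correct", burst)[0][-1])      # locked_out
    spread = [(t0 + timedelta(minutes=11 * i), "wrong") for i in range(25)]
    print(replay(AD_DS_POLICY, "correct", spread)[1].lockout_time)  # None
```

Replaying 20 wrong passwords a second apart locks the account, and the correct password is then refused until 10 minutes after the last failure; the same failures spaced 11 minutes apart never lock it. A cached credential that retries every few seconds therefore trips the threshold quickly, which is why the wireless-profile case in the note above is the usual culprit.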

Support teams can search the logs for entries containing the code "0xC0000234" to see whether an account was locked out. Searching for "0xC000006A" and "0x18" finds the bad password attempts themselves, which shows where the attempts came from and therefore why the account was locked.
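Example triage logic for those codes, added here and not taken from the article or from any product, run over constructed sample records. It assumes a flattened Security-log export with `time`, `event_id`, `user`, `status`, `sub_status` and `source` fields, and the standard Windows event IDs 4625 (logon failure), 4771 (Kerberos pre-authentication failed) and 4740 (account locked out); the hex codes are compared case-insensitively because exports differ in case.

```python
from collections import Counter
from typing import Dict, List

# Codes named in the article, lower-cased for case-insensitive comparison.
STATUS_ACCOUNT_LOCKED_OUT = "0xc0000234"   # NTSTATUS: account locked out
STATUS_WRONG_PASSWORD = "0xc000006a"       # NTSTATUS: wrong password
KRB_PREAUTH_FAILED = "0x18"                # Kerberos pre-authentication failed (bad password)

# Security-log event IDs in which those codes appear (assumption, standard Windows IDs).
EVT_LOGON_FAILURE = 4625
EVT_KRB_PREAUTH_FAILED = 4771
EVT_ACCOUNT_LOCKED_OUT = 4740

# Constructed sample records imitating a flattened Security-log export (field names are an assumption).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"time": "2022-09-29T16:01:05", "event_id": 4771, "user": "jdoe", "status": "0x18", "source": "10.20.30.40"},
    {"time": "2022-09-29T16:01:09", "event_id": 4771, "user": "jdoe", "status": "0x18", "source": "10.20.30.40"},
    {"time": "2022-09-29T16:01:14", "event_id": 4625, "user": "jdoe", "status": "0xC000006D", "sub_status": "0xC000006A", "source": "10.20.30.40"},
    {"time": "2022-09-29T16:01:16", "event_id": 4625, "user": "asmith", "status": "0xC000006D", "sub_status": "0xC000006A", "source": "10.20.30.41"},
    {"time": "2022-09-29T16:01:18", "event_id": 4625, "user": "jdoe", "status": "0xc000006d", "sub_status": "0xc000006a", "source": "10.20.30.50"},
    {"time": "2022-09-29T16:01:20", "event_id": 4625, "user": "jdoe", "status": "0xc0000234", "sub_status": "0x0", "source": "10.20.30.40"},
    {"time": "2022-09-29T16:01:20", "event_id": 4740, "user": "jdoe", "source": "WS-LAPTOP01"},
    {"time": "2022-09-29T16:05:00", "event_id": 4624, "user": "jdoe", "source": "10.20.30.40"},
]


def _code(event: Dict[str, object], field: str) -> str:
    """Return a hex code field normalised to lower case, or '' if absent."""
    return str(event.get(field, "")).lower()


def is_bad_password(event: Dict[str, object]) -> bool:
    """True for a wrong-password attempt: 4771 with 0x18, or 4625 carrying 0xC000006A."""
    eid = event["event_id"]
    if eid == EVT_KRB_PREAUTH_FAILED:
        return _code(event, "status") == KRB_PREAUTH_FAILED
    if eid == EVT_LOGON_FAILURE:
        return STATUS_WRONG_PASSWORD in (_code(event, "status"), _code(event, "sub_status"))
    return False


def is_lockout(event: Dict[str, object]) -> bool:
    """True for a lockout record: event 4740, or 4625 with status 0xC0000234."""
    eid = event["event_id"]
    return eid == EVT_ACCOUNT_LOCKED_OUT or (
        eid == EVT_LOGON_FAILURE and _code(event, "status") == STATUS_ACCOUNT_LOCKED_OUT
    )


def triage(events: List[Dict[str, object]], user: str) -> Dict[str, object]:
    """Summarise bad attempts and lockouts for one account, ordered by time."""
    mine = sorted((e for e in events if str(e["user"]).lower() == user.lower()), key=lambda e: e["time"])
    bad = [e for e in mine if is_bad_password(e)]
    locks = [e for e in mine if is_lockout(e)]
    by_source = Counter(str(e["source"]) for e in bad)
    return {
        "bad_attempts": len(bad),
        "bad_attempts_by_source": dict(by_source),
        "first_bad_attempt": bad[0]["time"] if bad else None,
        "lockouts": [(e["time"], e["source"]) for e in locks],
        # the source with the most failures is where to look for a stale cached credential
        "likely_origin": by_source.most_common(1)[0][0] if bad else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, "jdoe").items():
        print(f"{key}: {value}")
```

On the sample data the account shows four bad attempts, three from one address in the fifteen seconds before the lockout, so that host is the first place to check for an out-of-date saved password; the lookup is case-insensitive on both the user name and the hex codes so that it works on exports that differ in case.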

Article ID: 1781
Created: Mon 12/21/20 5:54 PM
Modified: Thu 9/29/22 4:54 PM