Overview
Account lockouts are used to limit the potential for brute-force password cracking against our directory services. After a specific number of bad password attempts an account will be temporarily blocked from authentication.
The most common reason for an Active Directory account lockout is a remembered password in a wireless profile. If it is not updated on password change it can cause an account lockout.
The on-premises Microsoft Active Directory Domain Services (AD DS) bad password lockout settings are:
- 20 bad password attempts in 10 minutes will lockout an account for 10 minutes.
We typically recommend forgetting the wireless profile on all devices and then waiting 10 minutes for the account to automatically unlock. Our support teams can verify your account is in a lockout state and remove the lock earlier if necessary.
Support Teams
Note: Support teams can search for log entries with the Event Code "0xC0000234" to see if an account is locked out. It is also possible to search for "0xC000006A" and "0x18" for bad password attempts to find why the account may have been locked. If an account is locked, the lock can be removed by editing the account in Toolbox and selecting the "unlock" option.
The on-premises Microsoft Active Directory Federation Service (AD FS) "soft lockout" is slightly more restrictive to avoid denial of service from brute force password checking against the SSO service. The AD FS soft lockout settings are:
- 15 bad password attempts in 10 minutes will lockout an account for 10 minutes.