What are the Active Directory account lockout settings?

Overview

Account lockouts limit the potential for brute-force password guessing against our directory services. After a set number of bad password attempts, an account is temporarily blocked from authenticating.

Warning

The most common reason for an Active Directory account lockout is a password saved in a wireless profile. If the saved password is not updated when the account password changes, the device keeps reconnecting with the old password, and those repeated failures lock the account.

Lockout Settings

The on-premises Microsoft Active Directory Domain Services (AD DS) bad password lockout settings are:

  • 20 bad password attempts in 10 minutes will lock out an account for 10 minutes.

Unlocking an Account

We typically recommend forgetting the wireless profile on all devices and then waiting 10 minutes for the account to unlock automatically. Our support teams can verify that your account is in a lockout state and remove the lock earlier if necessary.

Support Teams

Note: Support teams can search for log entries with the event code "0xC0000234" to confirm that an account is locked out. Searching for "0xC000006A" and "0x18" (bad password attempts) shows the failures that led to the lock, and therefore where they came from. If an account is locked, the lock can be removed by editing the account in Toolbox and selecting the "unlock" option.
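As an added example (not part of the article or of Toolbox), the following Python script applies the search described above to a few constructed log lines: it counts the bad-password codes per account inside the article's 20-attempts-in-10-minutes window, records which source each failure came from, and notes whether a lockout code was seen. The "<date> <time> <account> <status> <source>" line layout is an assumption; real logs will need their own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Status codes named in the article: one for a lockout, two for bad-password attempts.
LOCKED_OUT = "0xC0000234"
BAD_PASSWORD = {"0xC000006A", "0x18"}
# On-premises AD DS policy from the article: 20 bad attempts within 10 minutes.
THRESHOLD = 20
WINDOW = timedelta(minutes=10)

# Constructed sample lines (not real logs) in an assumed "<date> <time> <account> <status> <source>" layout.
# jdoe: 19 wrong-password failures, then one Kerberos pre-auth failure, then the lockout entry.
SAMPLE_LOG = "\n".join(
    [f"2024-10-09 12:00:{s:02d} jdoe 0xC000006A laptop-wifi" for s in range(0, 57, 3)]
    + ["2024-10-09 12:01:10 jdoe 0x18 laptop-wifi",
       "2024-10-09 12:01:11 jdoe 0xC0000234 laptop-wifi",
       "2024-10-09 12:02:00 asmith 0xC000006A desktop-7"]
)


def parse_log(text):
    """Yield (timestamp, account, status, source) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, account, status, source = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), account, status, source


def analyze(text):
    """Per account: bad-attempt count, sources, whether a lockout was logged, and when the window filled."""
    recent = defaultdict(deque)  # account -> timestamps of bad attempts still inside the window
    report = defaultdict(lambda: {"bad_attempts": 0, "sources": defaultdict(int),
                                  "locked": False, "threshold_hit_at": None})
    for ts, account, status, source in parse_log(text):
        entry = report[account]
        if status == LOCKED_OUT:
            entry["locked"] = True
        elif status in BAD_PASSWORD:
            entry["bad_attempts"] += 1
            entry["sources"][source] += 1
            window = recent[account]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop attempts older than 10 minutes
                window.popleft()
            if len(window) >= THRESHOLD and entry["threshold_hit_at"] is None:
                entry["threshold_hit_at"] = ts
    return dict(report)


if __name__ == "__main__":
    for account, info in analyze(SAMPLE_LOG).items():
        print(account, info["bad_attempts"], dict(info["sources"]), info["locked"], info["threshold_hit_at"])
```

For jdoe the report shows 20 bad attempts, all from "laptop-wifi", with the threshold reached at 12:01:10 and a lockout logged; asmith has a single failure and no lock.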

Microsoft AD FS

The on-premises Microsoft Active Directory Federation Services (AD FS) "soft lockout" is slightly more restrictive, to avoid denial of service from brute-force password guessing against the SSO service. The AD FS soft lockout settings are:

  • 15 bad password attempts in 10 minutes will lock out an account for 10 minutes.

Details

Article ID: 1781
Created: Mon 12/21/20 8:54 PM
Modified: Wed 10/9/24 12:15 PM