AD default domain password policy advice

crib bar 616 Reputation points

I am trying clarify some of specific settings within a domain password policy (settings report was produced based on Get-ADDefaultDomainPasswordPolicy). For info - there are no additional fine grained password policies in operation which may supersede the default policy. The lockout threshold setting is currently set to 5, but confusingly the lockout duration is currently set to 0 which I assumed meant there is no real time based lock in place to protect accounts from password guessing/brute force attacks.... unless the setting of 0 means a Microsoft default time value will apply, e.g. 15 minutes? Is there any logical reason you can think of why you would set lockout duration to 0 if you have purposely set a lockout threshold to 5, i.e. is there anything else that may be in operation which supersedes/removes the need for applying an appropriate value for the duration setting?

Secondly, the lockout observation window has a really strange value of 69:10:39:00 - what does this represent in terms of minutes, or timeframes hh:mm, how can we convert it into something meaningful? And does this parameter have any impact (e.g. supersede) on the lack of a value in the lockout duration parameter?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,962 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,737 questions
{count} votes

Accepted answer
  1. チャブーン 551 Reputation points MVP

    Hi, crib bar.

    this is Chaboon.

    IF you would set lockout duration to 0 and you have purposely set a lockout threshold to 5, the user who is locked out after five incorrect passwords remains locked out forever unless an administrator lifts the lockout.

    and "69:10:39:00" means "99999" minutes, and Active Directory lockout observation maximum limit is 99999 minutes.

    So these settings is not a contradiction.


    0 comments No comments

0 additional answers

Sort by: Most helpful