AD default domain password policy advice

crib bar 851 Reputation points
2024-05-16T09:30:53.96+00:00

I am trying to clarify some specific settings within a domain password policy (the settings report was produced based on Get-ADDefaultDomainPasswordPolicy). For info, there are no additional fine-grained password policies in operation which may supersede the default policy. The lockout threshold setting is currently set to 5, but confusingly the lockout duration is currently set to 0, which I assumed meant there is no real time-based lock in place to protect accounts from password guessing/brute force attacks... unless the setting of 0 means a Microsoft default time value will apply, e.g. 15 minutes? Is there any logical reason you can think of why you would set the lockout duration to 0 if you have purposely set a lockout threshold of 5, i.e. is there anything else that may be in operation which supersedes/removes the need for applying an appropriate value for the duration setting?

Secondly, the lockout observation window has a really strange value of 69:10:39:00. What does this represent in terms of minutes, or as a hh:mm timeframe, and how can we convert it into something meaningful? And does this parameter have any impact on (e.g. supersede) the lack of a value in the lockout duration parameter?


Answer accepted by question author
  1. チャブーン 5,346 Reputation points MVP Volunteer Moderator
    2024-05-16T10:12:51.5933333+00:00

    Hi, crib bar.

    This is Chaboon.

    If you set the lockout duration to 0 and have purposely set a lockout threshold of 5, a user who is locked out after five incorrect passwords remains locked out forever unless an administrator lifts the lockout.

    And "69:10:39:00" means "99999" minutes; the Active Directory lockout observation window maximum limit is 99999 minutes.

    So these settings are not a contradiction.

    Regards,

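As an added example (not part of the question or of the accepted answer), the PowerShell below reads the three lockout values off a Get-ADDefaultDomainPasswordPolicy object and interprets them the way the answer describes: the TimeSpan 69.10:39:00 is converted to minutes (69 days, 10 hours and 39 minutes is 99999 minutes), a LockoutDuration of 0 is reported as an indefinite lockout that only an administrator can clear, and the window/duration relationship is checked. The `$samplePolicy` object is a constructed stand-in for the live cmdlet output, and the function names are my own, not part of the ActiveDirectory module.

```powershell
# Added example, not from the original thread. On a domain-joined host with the
# ActiveDirectory module, replace the constructed sample at the bottom with:
#   $policy = Get-ADDefaultDomainPasswordPolicy

function ConvertTo-PolicyMinutes {
    # AD stores these values in minutes; PowerShell shows them as TimeSpans
    # (d.hh:mm:ss), so 69.10:39:00 is 69*1440 + 10*60 + 39 = 99999 minutes.
    param([Parameter(Mandatory)][TimeSpan]$Span)
    [int][Math]::Floor($Span.TotalMinutes)
}

function Get-LockoutPolicyReport {
    param(
        [Parameter(Mandatory)]$Policy,
        # Upper bound Windows accepts for the observation window, in minutes.
        [int]$MaxMinutes = 99999
    )

    $threshold = [int]$Policy.LockoutThreshold
    $duration  = ConvertTo-PolicyMinutes $Policy.LockoutDuration
    $window    = ConvertTo-PolicyMinutes $Policy.LockoutObservationWindow

    $findings = [System.Collections.Generic.List[string]]::new()

    if ($threshold -eq 0) {
        $findings.Add('LockoutThreshold = 0: accounts never lock out, so password spraying is unthrottled.')
    } else {
        $findings.Add("LockoutThreshold = $threshold bad attempts before lockout.")

        # A duration of 0 is not "no lockout": the lockout never expires and an
        # administrator has to unlock the account (Unlock-ADAccount).
        if ($duration -eq 0) {
            $findings.Add('LockoutDuration = 0: lockout is indefinite until an administrator unlocks the account. Note the denial-of-service angle: five bad guesses against a known username lock it until someone intervenes.')
        } else {
            $findings.Add("LockoutDuration = $duration minutes before automatic unlock.")
            # Windows requires the observation window to be <= the duration
            # whenever the duration is non-zero.
            if ($window -gt $duration) {
                $findings.Add('LockoutObservationWindow exceeds LockoutDuration; Windows normally enforces window <= duration, so check how this policy was written.')
            }
        }

        $findings.Add("LockoutObservationWindow = $window minutes ($($Policy.LockoutObservationWindow)) before the bad-password counter resets.")
        if ($window -ge $MaxMinutes) {
            $findings.Add('Observation window is at the 99999-minute maximum: the bad-password counter effectively never resets on its own.')
        }
    }

    [pscustomobject]@{
        Threshold   = $threshold
        DurationMin = $duration
        WindowMin   = $window
        Findings    = $findings
    }
}

# Constructed sample mirroring the settings described in the question; it is
# not a real export from a domain.
$samplePolicy = [pscustomobject]@{
    LockoutThreshold         = 5
    LockoutDuration          = [TimeSpan]::Zero
    LockoutObservationWindow = [TimeSpan]::new(69, 10, 39, 0)   # 69d 10h 39m = 99999 min
}

$report = Get-LockoutPolicyReport -Policy $samplePolicy
"Threshold={0} DurationMin={1} WindowMin={2}" -f $report.Threshold, $report.DurationMin, $report.WindowMin
$report.Findings | ForEach-Object { Write-Output $_ }

# Because fine-grained policies override the default for the principals they
# apply to, confirm none exist, or check the resultant policy for one account:
#   Get-ADFineGrainedPasswordPolicy -Filter *
#   Get-ADUserResultantPasswordPolicy -Identity <samAccountName>
```

Run against the constructed sample, the report shows DurationMin=0 and WindowMin=99999 and prints the indefinite-lockout and maximum-window findings. Against a live domain the same function surfaces the practical trade-off the thread is about: a threshold with a zero duration stops online guessing, but it also means every lockout is a helpdesk ticket, so the `Get-ADUserResultantPasswordPolicy` check is worth running for any account whose behaviour does not match the default policy.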
