Account Lockout policies are set by doing the following:
If the Key name in the GPO inf file is "LockoutBadCount", "ResetLockoutCount", or "LockoutDuration":
Perform external behavior consistent with locally invoking SamrQueryInformationDomain ([MS-SAMR] section 3.1.5.5.2) to obtain the existing domain account lockout information.
The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.
The DomainInformationClass MUST be set to DomainLockoutInformation.
The PSAMPR_DOMAIN_INFO_BUFFER MUST be a pointer to a PSAMPR_DOMAIN_INFO_BUFFER containing allocated memory sufficient to contain a SAMPR_DOMAIN_LOCKOUT_INFORMATION structure ([MS-SAMR] section 2.2.3.15).
Perform external behavior consistent with locally invoking SamrSetInformationDomain ([MS-SAMR] section 3.1.5.6.1).
The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.
The DomainInformationClass MUST be set to DomainLockoutInformation.
The DomainInformation MUST be a PSAMPR_DOMAIN_INFO_BUFFER containing a SAMPR_DOMAIN_LOCKOUT_INFORMATION structure. The client-side plug-in MUST set each of the account lockout policy values specified in the GPO inf file to a SAMPR_DOMAIN_LOCKOUT_INFORMATION structure member according to the mapping in the following rules:
For the LockoutBadCount setting, the client-side snap-in MUST set the SAMPR_DOMAIN_LOCKOUT_INFORMATION structure LockoutThreshold member to the setting value.
For the ResetLockoutCount setting, the client-side snap-in MUST set the SAMPR_DOMAIN_LOCKOUT_INFORMATION structure LockoutObservationWindow member to the value resulting from the transformation specified in the right-hand column in the following table.

ResetLockoutCount value | DOMAIN_LOCKOUT_INFORMATION LockoutObservationWindow member value |
---|---|
X (any value) | -1*X*60 * 10000000 |

For the LockoutDuration setting, the client-side snap-in MUST map the setting value in the GPO inf file to one of the values in the left-hand column of the following table, and set the SAMPR_DOMAIN_LOCKOUT_INFORMATION structure LockoutDuration member to the value resulting from the transformation specified in the corresponding right-hand column in the following table.

LockoutDuration value | DOMAIN_LOCKOUT_INFORMATION LockoutDuration member value |
---|---|
-1 | 0x8000000000000000 |
X (any value 1 to 99,999) | -1*X*60 * 10000000 |

If the Key name is "ForceLogoffWhenHourExpire":
Perform external behavior consistent with locally invoking SamrQueryInformationDomain ([MS-SAMR] section 3.1.5.5.2) to obtain the existing domain account logoff information.
The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.
The DomainInformationClass MUST be set to DomainLogoffInformation.
The PSAMPR_DOMAIN_INFO_BUFFER MUST be a pointer to a PSAMPR_DOMAIN_INFO_BUFFER containing allocated memory sufficient to contain a DOMAIN_LOGOFF_INFORMATION ([MS-SAMR] section 2.2.3.6) structure.
Perform external behavior consistent with locally invoking SamrSetInformationDomain ([MS-SAMR] section 3.1.5.6.1).
The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.
The DomainInformationClass MUST be set to DomainLogoffInformation.
The DomainInformation MUST be a PSAMPR_DOMAIN_INFO_BUFFER containing a DOMAIN_LOGOFF_INFORMATION structure. The client-side plug-in MUST match the ForceLogoffWhenHourExpire setting value to one of the values in the left-hand column of the following table and set the DOMAIN_LOGOFF_INFORMATION structure member to the corresponding value in the right-hand column of the following table.

ForceLogoffWhenHourExpire value | DOMAIN_LOGOFF_INFORMATION ForceLogoff member value |
---|---|
1 | 0 |
0 | 0x8000000000000000 |
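
The mapping rules and tables above, worked through as an added example (not code from the specification or from any Microsoft implementation): it reads the four keys from a constructed GPO inf sample and computes the 64-bit member values a reviewer auditing a policy would expect to see. The `[System Access]` section name, the sample values, and the function names are assumptions of this example; values outside the tables are rejected rather than guessed.

```python
import struct

NEVER = 0x8000000000000000            # bit pattern the page's tables use
TICKS_PER_MINUTE = 60 * 10000000      # 100-nanosecond units in one minute

# Constructed sample of a GPO inf file; values are illustrative only.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
ForceLogoffWhenHourExpire = 1
"""

def parse_system_access(text):
    """Collect integer settings from the [System Access] section only."""
    section, values = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line and not line.startswith(";"):
            key, _, val = line.partition("=")
            values[key.strip()] = int(val.strip())
    return values

def minutes_to_field(minutes):
    """-1 * X * 60 * 10000000, returned as the unsigned 64-bit pattern."""
    return struct.unpack("<Q", struct.pack("<q", -minutes * TICKS_PER_MINUTE))[0]

def map_settings(values):
    """Apply the mapping rules above; only keys present in the input are set."""
    out = {}
    if "LockoutBadCount" in values:
        out["LockoutThreshold"] = values["LockoutBadCount"]
    if "ResetLockoutCount" in values:
        out["LockoutObservationWindow"] = minutes_to_field(values["ResetLockoutCount"])
    if "LockoutDuration" in values:
        d = values["LockoutDuration"]
        if d != -1 and not 1 <= d <= 99999:
            raise ValueError("LockoutDuration %d is outside the table" % d)
        out["LockoutDuration"] = NEVER if d == -1 else minutes_to_field(d)
    if "ForceLogoffWhenHourExpire" in values:
        f = values["ForceLogoffWhenHourExpire"]
        if f not in (0, 1):
            raise ValueError("ForceLogoffWhenHourExpire %d is outside the table" % f)
        out["ForceLogoff"] = 0 if f == 1 else NEVER
    return out

if __name__ == "__main__":
    for name, value in map_settings(parse_system_access(SAMPLE_INF)).items():
        print("%-26s 0x%016X" % (name, value))
```

The time-valued members are printed as unsigned bit patterns so they can be compared directly with the hexadecimal values in the tables; read as signed 64-bit integers, the minute-based values are negative.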