3.2.5.2 Account Lockout Policies

Account Lockout policies are set by doing the following:

If the Key name in the GPO inf file is "LockoutBadCount", "ResetLockoutCount", or "LockoutDuration":

  1. Perform external behavior consistent with locally invoking SamrQueryInformationDomain ([MS-SAMR] section 3.1.5.5.2) to obtain the existing domain account lockout information.

    • The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.

    • The DomainInformationClass MUST be set to DomainLockoutInformation.

    • The PSAMPR_DOMAIN_INFO_BUFFER MUST be a pointer to a PSAMPR_DOMAIN_INFO_BUFFER containing allocated memory sufficient to contain a SAMPR_DOMAIN_LOCKOUT_INFORMATION structure ([MS-SAMR] section 2.2.3.15).

  2. Perform external behavior consistent with locally invoking SamrSetInformationDomain ([MS-SAMR] section 3.1.5.6.1).

    • The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.

    • The DomainInformationClass MUST be set to DomainLockoutInformation.

    • The DomainInformation MUST be a PSAMPR_DOMAIN_INFO_BUFFER containing a SAMPR_DOMAIN_LOCKOUT_INFORMATION structure. The client-side plug-in MUST set each of the account lockout policy values specified in the GPO inf file to a SAMPR_DOMAIN_LOCKOUT_INFORMATION structure member according to the mapping in the following rules:

      For the LockoutBadCount setting the client-side snap-in MUST set the SAMPR_DOMAIN_LOCKOUT_INFORMATION structure LockoutThreshold member to the setting value.

      For the ResetLockoutCount setting, the client-side snap-in MUST set the SAMPR_DOMAIN_LOCKOUT_INFORMATION structure LockoutObservationWindow member to the value resulting from the transformation specified in the right-hand column in the following table.

      ResetLockoutCount value   | DOMAIN_LOCKOUT_INFORMATION LockoutObservationWindow member value
      --------------------------+-----------------------------------------------------------------
      X (any value)             | -1 * X * 60 * 10000000

      For the LockoutDuration setting, the client-side snap-in MUST map the setting value in the GPO inf file to one of the values in the left-hand column of the following table, and set the SAMPR_DOMAIN_LOCKOUT_INFORMATION structure LockoutDuration member to the value resulting from the transformation specified in the corresponding right-hand column in the following table.

      LockoutDuration value       | DOMAIN_LOCKOUT_INFORMATION LockoutDuration member value
      ----------------------------+--------------------------------------------------------
      -1                          | 0x8000000000000000
      X (any value 1 to 99,999)   | -1 * X * 60 * 10000000

If the Key name is "ForceLogoffWhenHourExpire":

  1. Perform external behavior consistent with locally invoking SamrQueryInformationDomain ([MS-SAMR] section 3.1.5.5.2) to obtain the existing domain account logoff information.

    • The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.

    • The DomainInformationClass MUST be set to DomainLogoffInformation.

    • The PSAMPR_DOMAIN_INFO_BUFFER MUST be a pointer to a PSAMPR_DOMAIN_INFO_BUFFER containing allocated memory sufficient to contain a DOMAIN_LOGOFF_INFORMATION ([MS-SAMR] section 2.2.3.6) structure.

  2. Perform external behavior consistent with locally invoking SamrSetInformationDomain ([MS-SAMR] section 3.1.5.6.1).

    • The DomainHandle MUST be set to a Domain handle opened by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) to obtain a handle to the domain of the current machine.

    • The DomainInformationClass MUST be set to DomainLogoffInformation.

    • The DomainInformation MUST be a PSAMPR_DOMAIN_INFO_BUFFER containing a DOMAIN_LOGOFF_INFORMATION structure. The client-side plug-in MUST match the ForceLogoffWhenHourExpire setting value to one of the values in the left-hand column of the following table and set the DOMAIN_LOGOFF_INFORMATION structure ForceLogoff member to the corresponding value in the right-hand column of the following table.

      ForceLogoffWhenHourExpire value   | DOMAIN_LOGOFF_INFORMATION ForceLogoff member value
      ----------------------------------+---------------------------------------------------
      1                                 | 0
      0                                 | 0x8000000000000000
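Both procedures in this section (the three lockout keys and ForceLogoffWhenHourExpire) have the same shape: read the [System Access] key from the GPO inf file, transform it by the table above, and write the result over the domain information that step 1 queried. The following Python is an added example, not code from MS-GPSB, MS-SAMR or Windows. It assumes the inf file has already been decoded to text, stands in for the SamrQueryInformationDomain/SamrSetInformationDomain calls with plain dictionaries, and the function names (lockout_duration, apply_lockout_policy, pack_lockout_information and the rest) and the sample inf content are constructed for this example. The byte image produced by pack_lockout_information follows the SAMPR_DOMAIN_LOCKOUT_INFORMATION member order referenced in [MS-SAMR] section 2.2.3.15 laid out little-endian; it is not NDR marshalling.

```python
"""Constructed example (not MS-GPSB or Windows code): map the [System Access]
lockout/logoff keys of a GPO .inf to the SAMR domain-information member values
given in MS-GPSB 3.2.5.2, then merge them over the queried values."""
import configparser
import struct

# These intervals are signed 64-bit counts of 100-nanosecond units; a negative
# count is a relative interval (a duration), which is what the tables produce.
HUNDRED_NS_PER_MINUTE = 60 * 10_000_000
NEVER = 0x8000000000000000   # sentinel for LockoutDuration = -1 and ForceLogoff "0"
MASK64 = 0xFFFFFFFFFFFFFFFF


def minutes_to_relative_time(minutes: int) -> int:
    """The table transformation -1 * X * 60 * 10000000 for X minutes."""
    return -1 * minutes * HUNDRED_NS_PER_MINUTE


def lockout_threshold(lockout_bad_count: int) -> int:
    """LockoutBadCount -> LockoutThreshold: copied unchanged (unsigned short)."""
    if not 0 <= lockout_bad_count <= 0xFFFF:
        raise ValueError(f"LockoutBadCount out of range: {lockout_bad_count}")
    return lockout_bad_count


def lockout_observation_window(reset_lockout_count: int) -> int:
    """ResetLockoutCount (minutes) -> LockoutObservationWindow; any X is transformed."""
    return minutes_to_relative_time(reset_lockout_count)


def lockout_duration(value: int) -> int:
    """LockoutDuration -> LockoutDuration member: -1 becomes the sentinel,
    1..99,999 minutes become a relative interval, anything else lies outside
    the table and is rejected rather than silently written to the domain."""
    if value == -1:
        return NEVER
    if 1 <= value <= 99_999:
        return minutes_to_relative_time(value)
    raise ValueError(f"LockoutDuration must be -1 or 1..99999, got {value}")


def force_logoff(value: int) -> int:
    """ForceLogoffWhenHourExpire -> DOMAIN_LOGOFF_INFORMATION.ForceLogoff."""
    if value == 1:
        return 0
    if value == 0:
        return NEVER
    raise ValueError(f"ForceLogoffWhenHourExpire must be 0 or 1, got {value}")


def parse_system_access(inf_text: str) -> dict:
    """Read the [System Access] keys of an already-decoded .inf. (On disk a GPO
    .inf is usually UTF-16LE; decode it before calling this.)"""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key spelling, e.g. "LockoutBadCount"
    cp.read_string(inf_text)
    return {key: int(val) for key, val in cp["System Access"].items()}


def apply_lockout_policy(existing: dict, settings: dict) -> dict:
    """Step 2 of the lockout procedure: start from the DomainLockoutInformation
    that step 1 queried and overwrite only the members the .inf actually sets."""
    info = dict(existing)
    if "LockoutBadCount" in settings:
        info["LockoutThreshold"] = lockout_threshold(settings["LockoutBadCount"])
    if "ResetLockoutCount" in settings:
        info["LockoutObservationWindow"] = lockout_observation_window(
            settings["ResetLockoutCount"])
    if "LockoutDuration" in settings:
        info["LockoutDuration"] = lockout_duration(settings["LockoutDuration"])
    return info


def pack_lockout_information(info: dict) -> bytes:
    """Little-endian byte image in member order (LockoutDuration,
    LockoutObservationWindow, LockoutThreshold). Masking to 64 bits shows that
    the sentinel and the negative intervals are both sign-bit-set patterns."""
    return struct.pack("<QQH",
                       info["LockoutDuration"] & MASK64,
                       info["LockoutObservationWindow"] & MASK64,
                       info["LockoutThreshold"])


# Constructed sample .inf; the values are illustrative, not from a real GPO.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
ForceLogoffWhenHourExpire = 1
"""

# Constructed stand-in for the buffer SamrQueryInformationDomain filled in step 1.
EXISTING_LOCKOUT_INFO = {
    "LockoutDuration": minutes_to_relative_time(30),
    "LockoutObservationWindow": minutes_to_relative_time(30),
    "LockoutThreshold": 0,
}

if __name__ == "__main__":
    settings = parse_system_access(SAMPLE_INF)
    new_info = apply_lockout_policy(EXISTING_LOCKOUT_INFO, settings)
    print(new_info)
    print(pack_lockout_information(new_info).hex())
    print("ForceLogoff =", hex(force_logoff(settings["ForceLogoffWhenHourExpire"])))
```

The range checks are the part worth keeping: the tables only define LockoutDuration for -1 and 1..99,999 and ForceLogoffWhenHourExpire for 0 and 1, so a value outside those rows has no defined SAMR encoding and is better refused than transformed into an arbitrary interval.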