Account lockout policy overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Account lockout policy disables a user account if an incorrect password is entered a specified number of times over a specified period. These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network. For more information about how to implement account lockout policy, see Apply or modify account lockout policy.

Before you enable account lockout policy, it is important to realize that there is a risk of unintentionally locking authorized users out of their accounts. Such a result can be quite costly for your organization, because locked-out users cannot access their user accounts until the account unlocks automatically after a specified amount of time or until you unlock the accounts for them.

Authorized users can lock themselves out by mistyping their password or remembering it incorrectly, or by changing their password on one computer while they are still logged on to another. The second computer keeps trying to authenticate the user with the old, now incorrect, password, and because every attempt fails, the account is eventually locked out. This issue does not exist for organizations that use only domain controllers running Windows Server 2003 family operating systems. To avoid locking out authorized users, set the account lockout threshold to a high number. Remember, however, that a computer that continuously tries to authenticate a user with an incorrect password behaves very much like password-cracking software. A threshold set high enough that authorized users are never locked out in this situation may also give attackers enough guesses to gain unauthorized access to your network. For more information about the account lockout threshold, see Account lockout threshold.
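The following is an added, simplified model of the lockout behavior described above; it is example code, not part of this documentation or of Windows itself. It assumes three settings, named here as threshold (the "specified number of times"), observation_window (the "specified period" after which the failure counter resets) and lockout_duration (the "specified amount of time" before automatic unlock, with 0 meaning locked until an administrator unlocks), and it replays the constructed scenario of a second computer retrying an old password.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    threshold: int           # bad passwords before lockout; 0 disables lockout
    observation_window: int  # seconds after the last failure before the bad-password counter resets
    lockout_duration: int    # seconds an account stays locked; 0 = locked until an administrator unlocks it

@dataclass
class Account:
    password: str
    bad_count: int = 0
    last_bad_at: Optional[float] = None
    locked_at: Optional[float] = None

class Authenticator:
    def __init__(self, policy: LockoutPolicy, accounts: Dict[str, Account]):
        self.policy, self.accounts = policy, accounts

    def authenticate(self, user: str, password: str, now: float) -> str:
        acct, pol = self.accounts[user], self.policy
        # Automatic unlock once lockout_duration has elapsed (never when it is 0).
        if acct.locked_at is not None and pol.lockout_duration and now - acct.locked_at >= pol.lockout_duration:
            acct.locked_at, acct.bad_count = None, 0
        if acct.locked_at is not None:
            return "locked"  # while locked, even the correct password is refused
        # Failures only accumulate within the observation window of the last one.
        if acct.last_bad_at is not None and now - acct.last_bad_at >= pol.observation_window:
            acct.bad_count = 0
        if password == acct.password:
            acct.bad_count = 0
            return "ok"
        acct.bad_count, acct.last_bad_at = acct.bad_count + 1, now
        if pol.threshold and acct.bad_count >= pol.threshold:
            acct.locked_at = now
            return "locked"
        return "bad_password"

    def unlock(self, user: str) -> None:
        self.accounts[user].locked_at, self.accounts[user].bad_count = None, 0  # administrator unlock

def stale_credential_scenario(threshold: int = 5, retry_every: int = 60) -> Optional[float]:
    """Constructed scenario: a second computer retries the old password every retry_every
    seconds after a change. Returns the time (s) of lockout, or None if none within an hour."""
    auth = Authenticator(LockoutPolicy(threshold, 1800, 0), {"alice": Account("NewPass!")})
    for t in range(0, 3600, retry_every):
        if auth.authenticate("alice", "OldPass!", t) == "locked":
            return t
    return None
```

With the defaults, the fifth retry at 240 seconds locks the account, and the user's own correct password is then refused until an administrator calls unlock, which is the costly outcome the text warns about.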

For more information about passwords and their policies, see Passwords.