If you are a server administrator, whether or not you use Active Directory Domain Services, you have probably had this situation before: it was still 9 AM, the day had barely started, when one of the users showed up at your cubicle with a burning torch and other torture devices forming in their mind. They were angry because for the last hour they had been trying to log in to the server and kept running from one obstacle to another.
If their password had expired, they probably changed it to something new, then forgot it or mistyped it a few times because they were still waking up and their caffeine intake for the day hadn't kicked in yet. So they tried and tried and tried, until they found themselves locked out of their account. An hour later, they decided to show up at your office and demand, or maybe just ask for, help.
So you look at them and help them calm down a little with a smile and a few kind words while you try to figure out what is actually happening. Then you remember the life-saving summary from Microsoft TechNet you had become familiar with:
Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Beginning with Windows Server 2003, Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached.
The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
With that said, you finally went to the designated location, edited the Group Policy, and tweaked the values for any combination of the following three options: Account lockout threshold, Account lockout duration, and Reset account lockout counter after.
The Account Lockout Policy is one of the interesting areas of Windows policies where there is no one-size-fits-all formula for every environment. A decent blog entry on TechNet describes a good case study and how they came to their decision on the number of failed attempts before lockout and the duration of the suspension. They also considered exceptions such as this one: a failed attempt that uses either of the account's two most recent previous passwords does not count against the number of failed attempts, because the domain controller checks those recent valid passwords from the password history before incrementing the bad-password count.
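The same three settings can be inspected and set from PowerShell instead of GPMC, and the 9 AM visitor can be diagnosed and unlocked from the same console. The block below is an added example, not code from the original post or from the TechNet article it mentions; it assumes the RSAT ActiveDirectory module and Domain Admin rights, and the threshold, duration and user name "jdoe" are hypothetical values chosen for illustration, not a recommendation.

```powershell
# Added example (not from the original post): inspect and set the domain's
# Account Lockout Policy, then find and unlock a locked-out account.
# Assumes the RSAT ActiveDirectory module and Domain Admin rights; the
# threshold/duration values and the user name "jdoe" are hypothetical.
Import-Module ActiveDirectory

# 1. Show the three lockout settings currently in force for the domain
#    (the same values GPMC shows under Account Lockout Policy).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Choose values. Windows requires the observation window ("Reset account
#    lockout counter after") to be no longer than the lockout duration, and a
#    LockoutDuration of 0 means "locked until an administrator unlocks it".
$threshold   = 10                        # failed attempts before lockout
$duration    = New-TimeSpan -Minutes 30  # how long the account stays locked
$observation = New-TimeSpan -Minutes 30  # window in which failures are counted

if ($observation -gt $duration) {
    throw "Reset window must not exceed the lockout duration"
}

Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold $threshold `
    -LockoutDuration $duration `
    -LockoutObservationWindow $observation

# 3. Diagnose the locked-out user. badPwdCount is not replicated between
#    domain controllers, so ask each DC to see where the failures landed.
$user = 'jdoe'
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-ADUser -Identity $user -Server $dc -Properties badPwdCount, LockedOut, lockoutTime |
        Select-Object @{n = 'DC'; e = { $dc }}, badPwdCount, LockedOut, lockoutTime
}

# Lockouts are recorded as event 4740 on the PDC emulator; the event lists
# the caller computer, which tells you where the bad passwords came from.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
    Where-Object { $_.Message -match $user } |
    Select-Object TimeCreated, Message

# 4. List every currently locked-out account, then unlock this one.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Unlock-ADAccount -Identity $user
```

The per-DC query in step 3 matters in practice: if one DC keeps reporting a climbing badPwdCount after the user has stopped typing, the source is usually a stale credential cached by a service, scheduled task or mapped drive, and the 4740 event's caller computer name points you at it.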
Alright, with all this back in mind, you were able to find a solution, let the now happy user log on to their machine and the server, and get them back to work.