Account Lockout

Describe the different account lockout policies and how to display or manipulate them.


On Windows, display the local account lockout policy (or, with /domain, the domain policy):

net accounts
net accounts /domain
The three settings it reports (setting, default, description):

Lockout threshold (default 0)
    The number of bad password attempts accepted for an account before the account is locked out. A value of 0 means accounts never lock out.

Lockout duration (minutes) (default ?)
    How long an account stays locked out before it is automatically re-enabled. A value of 0 means the account stays locked until an administrator re-enables it manually.

Lockout observation window (minutes) (default ?)
    The period over which bad logon attempts are counted. Once this period has passed, the bad logon attempt counter is reset to 0.

By default, the original administrator account cannot be locked out. This applies only to the original administrator (SID 500), even if that account is renamed.
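An added example (not part of the original page) of turning the net accounts output above into an audit result: it parses the three lockout lines and compares them with a baseline. The baseline values (lock after at most 10 attempts, 15 minute duration and window) and the sample output are assumptions constructed for the example; substitute your own policy and feed it real output saved with `net accounts > accounts.txt`.

```python
import re

# Constructed sample of `net accounts` output (not captured from a real host).
# Note that Windows prints "Never" for a lockout threshold of 0.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Map the labels net accounts prints to short keys.
LOCKOUT_KEYS = {
    "Lockout threshold": "threshold",
    "Lockout duration (minutes)": "duration",
    "Lockout observation window (minutes)": "window",
}

# Assumed baseline for the example; adjust to your own policy.
BASELINE = {"max_threshold": 10, "min_duration": 15, "min_window": 15}


def parse_net_accounts(text):
    """Return {'threshold', 'duration', 'window'} as ints.

    'Never' and 'None' both mean 0; other lines of the output are ignored.
    """
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in LOCKOUT_KEYS:
            policy[LOCKOUT_KEYS[key]] = 0 if value.lower() in ("never", "none") else int(value)
    return policy


def assess_lockout(policy, baseline=BASELINE):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    t, d, w = (policy.get(k, 0) for k in ("threshold", "duration", "window"))
    if t == 0:
        # With threshold 0 the other two settings are irrelevant.
        return ["threshold is 0: accounts never lock out, so online password guessing is unthrottled"]
    if t > baseline["max_threshold"]:
        findings.append(f"threshold {t} is above the baseline maximum of {baseline['max_threshold']}")
    if d == 0:
        findings.append("duration is 0: locked accounts stay locked until an administrator unlocks them")
    elif d < baseline["min_duration"]:
        findings.append(f"duration {d} min is below the baseline minimum of {baseline['min_duration']}")
    if w < baseline["min_window"]:
        findings.append(f"observation window {w} min is below the baseline minimum of {baseline['min_window']}")
    return findings


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print(policy)
    for finding in assess_lockout(policy) or ["policy meets baseline"]:
        print(" -", finding)
```

The same parser works on `net accounts /domain` output, which uses the same labels; a threshold of 0 short-circuits the check because duration and window have no effect when accounts never lock.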


On Linux, account lockout is usually implemented via the PAM tally module (pam_tally or pam_tally2; newer distributions ship pam_faillock as its replacement). Find where it is configured:

grep tally /etc/pam.d/*; grep tally /etc/pam.conf

Reset a user's count of failed password attempts with faillog -r -u [login_name] (for pam_tally2 use pam_tally2 --user [login_name] --reset, and for pam_faillock use faillock --user [login_name] --reset).
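An added example (not part of the original page) that reads the grep output above and reports tally entries whose options would count failures without ever locking, or lock without an automatic unlock. The sample grep output is constructed for the example, and it also covers pam_faillock lines (which a grep for "tally" alone would not match) so that the parser handles the modern replacement as well; the module defaults encoded in DEFAULT_DENY and DEFAULT_UNLOCK follow the pam_tally2(8) and faillock.conf(5) man pages.

```python
import re

# Constructed sample of what `grep -E 'tally|faillock' /etc/pam.d/*` might print
# (file:line form). Invented for this example, not taken from a real host.
SAMPLE_PAM_GREP = """\
/etc/pam.d/common-auth:auth    required    pam_tally2.so onerr=fail deny=5 unlock_time=900 even_deny_root
/etc/pam.d/common-account:account required pam_tally2.so
/etc/pam.d/sshd:auth [default=die] pam_tally2.so deny=0
/etc/pam.d/login:auth required pam_faillock.so preauth deny=3 unlock_time=0 fail_interval=900
/etc/pam.d/login:# auth required pam_tally.so deny=3
"""

TALLY_MODULES = ("pam_tally.so", "pam_tally2.so", "pam_faillock.so")

# Documented defaults: pam_faillock denies after 3 failures and unlocks after
# 600 s; pam_tally/pam_tally2 only count unless deny= is given, and stay locked
# until a manual reset unless unlock_time= is given.
DEFAULT_DENY = {"pam_faillock.so": 3}
DEFAULT_UNLOCK = {"pam_faillock.so": 600}


def parse_pam_line(line):
    """Parse one grep-prefixed ('file:...') or bare pam.d line into a dict.

    Returns None for blank lines, comments and modules outside the tally family.
    """
    path = None
    m = re.match(r"^(/[^:\s]+):(.*)$", line)
    if m:
        path, line = m.group(1), m.group(2)
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The control field may be a bracketed action list such as [default=die].
    m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
    if not m:
        return None
    typ, control, module, args = m.groups()
    if module not in TALLY_MODULES:
        return None
    opts = {}
    for tok in args.split():
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True  # bare flags such as even_deny_root
    return {"path": path, "type": typ, "control": control, "module": module, "opts": opts}


def audit_tally(text):
    """Return a list of (path, module, finding) for auth-stack tally entries."""
    findings = []
    for raw in text.splitlines():
        e = parse_pam_line(raw)
        if e is None or e["type"] != "auth":
            continue  # only the auth stack is consulted on a failed password
        opts, mod, path = e["opts"], e["module"], e["path"]
        deny = int(opts.get("deny", DEFAULT_DENY.get(mod, 0)))
        unlock = opts.get("unlock_time", DEFAULT_UNLOCK.get(mod))
        if deny == 0:
            findings.append((path, mod, "deny is 0 or unset: failures are counted but never lock"))
            continue
        if unlock in (None, "0", "never"):
            findings.append((path, mod, f"deny={deny} but no unlock_time: locked accounts need a manual reset"))
        if not ({"even_deny_root", "even_deny_root_account"} & opts.keys()):
            findings.append((path, mod, "root is exempt from lockout unless even_deny_root is set"))
    return findings


if __name__ == "__main__":
    for path, mod, msg in audit_tally(SAMPLE_PAM_GREP):
        print(f"{path} [{mod}]: {msg}")
```

Only `auth` entries are assessed because the `account` line of pam_tally2 enforces the decision but carries no deny or unlock options; a deny of 0 is reported once and the unlock checks are skipped, since they are irrelevant when nothing ever locks.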