Account Lockout

Describe the different account lockout policies and how to display or manipulate them.


Display the account lockout policy:

net accounts
net accounts /domain
| Setting | Default | Description |
| --- | --- | --- |
| Lockout threshold | 0 | The number of bad password attempts that will be accepted for an account before it is locked out. A value of 0 means accounts will never lock out. |
| Lockout duration (minutes) | ? | Amount of time that an account stays locked out before it is automatically re-enabled. A value of 0 requires a manual action to re-enable the account. |
| Lockout observation window (minutes) | ? | Time duration over which bad logon attempts are counted. After this time frame passes, the bad logon attempts counter is reset to 0. |


On Linux and Unix systems, account lockout is usually implemented via PAM Tally.

grep tally /etc/pam.d/*; grep tally /etc/pam.conf
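
An added example (not part of the original page): a POSIX shell function that goes one step past the grep and reports, per file, the deny= and unlock_time= options on pam_tally / pam_tally2 auth lines, the rough equivalents of the lockout threshold and lockout duration above. The name pam_tally_audit and the sample PAM lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report pam_tally / pam_tally2 lockout settings per PAM file.
# pam_tally_audit is a hypothetical helper name, not an existing tool.
# Usage on a real host: pam_tally_audit /etc/pam.d/* /etc/pam.conf
pam_tally_audit() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, "") }   # a commented-out line still matches "grep tally"
            !/pam_tally2?\.so/ { next }
            # Module type is field 1 in /etc/pam.d/*, field 2 in /etc/pam.conf.
            $1 != "auth" && $2 != "auth" { next }
            {
                deny = ""; unlock = ""
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^deny=[0-9]+$/)        deny = substr($i, 6)
                    if ($i ~ /^unlock_time=[0-9]+$/) unlock = substr($i, 13)
                }
                if (deny == "")
                    printf "%s: no deny= option, never locks out\n", file
                else   # unlock_time is in seconds; unset means manual reset
                    printf "%s: deny=%s unlock_time=%s\n", file, deny,
                           (unlock == "" ? "manual" : unlock "s")
            }' "$f"
    done
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#auth    required  pam_tally2.so deny=3
auth     required  pam_tally2.so deny=5 unlock_time=900 onerr=fail
account  required  pam_tally2.so
EOF
pam_tally_audit "$sample"
rm -f "$sample"
```

Note that unlock_time is expressed in seconds, while the Windows lockout duration is in minutes.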