Describe the different account lockout policies and how to display or manipulate them.
On Windows, display the account lockout policy:
net accounts
net accounts /domain
| Setting | Value | Description |
|---|---|---|
| Lockout threshold | 0 | The number of bad password attempts for an account that will be accepted before the account is locked out. A value of 0 means accounts will never lock out. |
| Lockout duration (minutes) | ? | Amount of time that an account will be locked out until it is automatically re-enabled. A value of 0 requires a manual action to re-enable the account. |
| Lockout observation window (minutes) | ? | Time duration over which bad logon attempts are counted. After this time frame passes, the bad logon attempts counter is reset to 0. |
By default, the original administrator account cannot be locked out. This applies only to the original administrator (SID 500), even if that account is renamed.
On Linux, account lockout is usually implemented via PAM Tally.
grep tally /etc/pam.d/*; grep tally /etc/pam.conf
Reset the number of failed password attempts using:
faillog -r -u [login_name]
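
The grep above only shows whether a tally module is configured. As an added example (not part of the original page), this shell function reads the same PAM lines and reports the lockout threshold and unlock behaviour of each rule. The sample lines are constructed, and the option meanings (`deny=`, `unlock_time=` in seconds, `even_deny_root`) are assumed from the pam_tally2 man page rather than taken from this page.

```shell
#!/bin/sh
# Added example: summarise the lockout settings of pam_tally / pam_tally2
# rules found in PAM configuration text.
# Assumed semantics (pam_tally2 man page): deny=N is the failure threshold,
# unlock_time=N is the automatic unlock delay in seconds; without it a locked
# account stays locked until an administrator resets the counter.

# Constructed sample resembling a file under /etc/pam.d/ (not from a real host).
SAMPLE='# constructed sample
auth  required  pam_tally2.so deny=5 unlock_time=900 even_deny_root
auth  required  /lib/security/pam_tally.so deny=3
auth  required  pam_tally2.so onerr=fail
account required pam_tally2.so'

# Reads PAM lines from stdin, or from the files given as arguments, and prints
# "<module> deny=<n> unlock_time=<n> root=<yes|no> => <verdict>" per auth rule.
tally_settings() {
    awk '
        /^[ \t]*#/ { next }                              # ignore comments
        # "auth" is field 1 in /etc/pam.d/* and field 2 in /etc/pam.conf
        ($1 == "auth" || $2 == "auth") && /pam_tally2?\.so/ {
            module = ""; deny = "unset"; unlock = "unset"; root = "no"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_tally2?\.so$/) { module = $i; sub(/.*\//, "", module) }
                else if ($i ~ /^deny=/)          deny = substr($i, 6)
                else if ($i ~ /^unlock_time=/)   unlock = substr($i, 13)
                else if ($i == "even_deny_root") root = "yes"
            }
            # A missing or zero deny= never locks the account.
            if (deny + 0 == 0)         verdict = "no-lockout"
            else if (unlock == "unset") verdict = "manual-unlock"
            else                        verdict = "auto-unlock"
            printf "%s deny=%s unlock_time=%s root=%s => %s\n",
                   module, deny, unlock, root, verdict
        }
    ' "$@"
}

printf '%s\n' "$SAMPLE" | tally_settings
```

To check a live system, pass the files directly, for example `tally_settings /etc/pam.d/* /etc/pam.conf`.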