Account lockout policies are used by administrators to lock out an account when someone tries to log on unsuccessfully several times in a row. We can usually assume that a legitimate user might type his or her password incorrectly once or twice, but not numerous times. Thus, numerous failed logons can indicate that someone is trying a brute-force password attack (trying to keep guessing the password until he or she gets it right). There are three options:

■ Account lockout duration: You can specify the time in minutes that the account can be locked out. For example, if the account locks out for two hours, the user can try again after that time. When you define the policy, the default time is 30 minutes. When set to 0, the account will remain locked out until an administrator manually unlocks it.

■ Account lockout threshold: This specifies the number of failed attempts at logon a user is allowed before the account is locked out (for example, three). After the threshold has been reached, the account will be locked out. If this value is set to 0, the account will not lock out.

■ Reset account lockout counter after: You can choose to have the account lockout counter reset after a number of minutes. At that time, the count will start over at one.

Navigate to the account lockout policy by clicking Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy. You’ll see the screen shown in Figure 3.7.

Using Account Lockout Policy, you can configure the following settings:

■ Account lockout duration: This option determines the amount of time that a locked-out account will remain inaccessible. Setting this option to 0 means that the account will remain locked out until an administrator manually unlocks it. Select a lockout duration that will deter intruders without crippling your authorized users; 30 to 60 minutes is sufficient for most environments.

■ Account lockout threshold: This option determines the number of invalid logon attempts that can occur before an account will be locked out. Setting this option to 0 means that accounts on your network will never be locked out.

■ Reset account lockout counter after: This option defines the amount of time in minutes after a bad logon attempt that the “counter” will reset. If this value is set to 45 minutes, and user jsmith types his password incorrectly two times before logging on successfully, his running tally of failed logon attempts will reset to 0 after 45 minutes have elapsed. Be careful not to set this option too high, or your users could lock themselves out through simple typographical errors.

Notes from the Underground…
A Long-Awaited Password and Account Policy Solution

Fine-grain password and account lockout policy is new in Windows Server 2008. In Windows 20 forests, you could apply these settings only at the domain level. A single effective set of policy settings was enforced for all users. For many midsize to large organizations, this provided an unacceptable level of security. The limitation led to all kinds of complicated technical workarounds and the use of more complex domain and forest structures, which increased management costs.

Although fine-grain policies are certainly not as easy to use as traditional GPOs, they are a step in the right direction. Most companies will no longer require their previous workarounds, and Microsoft expects that many who adopted more complex domain structures will be consolidating and simplifying their forests. Fine-grain policies also represent a major departure from Microsoft's previous instructions to administrators to adopt a site-, domain-, and OU-based management style. They cannot be applied to any of these Active Directory container objects.

Configuring a Fine-Grain Password Policy
Figure 3.11.
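
How the three account lockout settings described on this page interact, as an added Python model that is not from the original text and is not Windows' own implementation. Times are in minutes, all class and function names are hypothetical, and following the page's jsmith wording it assumes a successful logon leaves the failed-logon tally in place until the reset window elapses.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int     # failed logons allowed before lockout; 0 = never lock out
    duration: int      # minutes an account stays locked; 0 = until admin unlocks
    reset_after: int   # minutes after a bad logon before the counter resets

class Account:
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None    # minute of the most recent failed logon
        self.locked_at = None   # minute the lockout began, None when not locked

    def admin_unlock(self):
        self.locked_at, self.bad_count = None, 0

    def logon(self, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for an attempt at minute `now`."""
        p = self.policy
        if self.locked_at is not None:
            # duration 0 keeps the account locked until admin_unlock() is called
            if p.duration == 0 or now - self.locked_at < p.duration:
                return "locked"
            self.locked_at, self.bad_count = None, 0
        if self.last_bad is not None and now - self.last_bad >= p.reset_after:
            self.bad_count = 0  # reset window elapsed since the last bad logon
        if password_ok:
            # assumption from the page's wording: success does not clear the tally
            return "ok"
        self.bad_count += 1
        self.last_bad = now
        if p.threshold and self.bad_count >= p.threshold:
            self.locked_at = now
        return "failed"

def replay(policy, events):
    """Replay constructed (minute, password_ok) events against a fresh account."""
    acct = Account(policy)
    return [acct.logon(minute, ok) for minute, ok in events]

# Constructed sample: three typos spread across a working day, then a good logon.
TYPOS = [(0, False), (200, False), (400, False), (401, True)]

if __name__ == "__main__":
    print(replay(LockoutPolicy(3, 60, 45), TYPOS))      # short reset window
    print(replay(LockoutPolicy(3, 1440, 1440), TYPOS))  # reset window set too high
    print(replay(LockoutPolicy(0, 60, 45), TYPOS))      # threshold 0: never locks
```

With the same typing mistakes, only the policy whose reset window is set very high locks the user out, which is the caveat the page gives for that setting.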