How to set account lockout policies in Windows 2000 and Windows Server 2003 (885119)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition

INTRODUCTION

To help secure your network, you can use account lockout policies for domain accounts or for local user accounts. An account lockout policy is a Microsoft Windows security feature that locks a user account if a designated number of failed logon attempts occur within a specified time frame. These variables are based on security policy lockout settings. You cannot log on to the network through a locked account until the lockout period has expired.

In Microsoft Windows 2000 and in later versions of Windows, you can configure account lockout policies in the Active Directory directory service. To configure account lockout policies in Windows 2000, use the ADSI Edit snap-in to edit Active Directory and to change the PwdProperties attribute in the domain naming context. When you make this change on one domain controller, the change is replicated to all other domain controllers on your network.

Note If you want to set the administrator account lockout policy in a Microsoft Windows NT 4.0 environment, use the Passprop.exe utility from the Windows NT 4.0 Resource Kit.

MORE INFORMATION

To configure the account lockout policies in Active Directory, follow these steps:
  1. Install the ADSI snap-in if it is not already installed on your system. This snap-in is included in the Windows 2000 Support Tools. For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

    301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer


    Warning If you use the ADSI Edit snap-in, and you incorrectly modify the attributes of Active Directory objects, you may cause serious problems. These problems may require that you reinstall Windows 2000 Server, Microsoft Exchange 2000 Server, or both. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  2. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
  3. Expand Domain NC [Your_Domain_Name].
  4. Right-click DC=Your_Domain_Name,DC=Your_Domain_Name, and then click Properties.
  5. Click the Attributes tab, and then in the Select a property to view list, click pwdProperties.
  6. In the Edit Attribute box, type the value that you want to use. The following value options are available.
    ValuePassword policy
    0Passwords can be simple, and the administrator account cannot be locked out.
    1Passwords must be complex, and the administrator account cannot be locked out.
    8Passwords can be simple, and the administrator account can be locked out.
    9Passwords must be complex, and the administrator account can be locked out.
  7. Click Set, click Apply, and then click OK.
  8. Quit the ADSI Edit snap-in.
Modification Type:MajorLast Reviewed:8/1/2005
Keywords:kbhowto kbinfo KB885119 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.