Microsoft Tech Community
SOLVED

How to configure account lockout policy?

How do I configure an account lockout policy? Can I create another policy and configure lockout there, or must I configure the Default Domain Policy?

4 Replies
best response confirmed by Dave Patrick (MVP)
Solution

Hi @Tien Ngo Thanh

Yes, you can have more than one account lockout policy. This is called Fine-Grained Password Policy.

You must have at least Server 2008 and a domain functional level of 2008.

These two links show you how to set this up.

https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained...

https://blog.netwrix.com/2016/03/03/how-to-set-up-multiple-password-and-account-lockout-policies/

Thanks,

Mark

Hi

Please recommend what I should do about service accounts whose credentials are fixed in a program. If someone knows these usernames and tries to log in with the wrong password a few times, the accounts will be locked out, which will affect our program: it will lose its connection to Active Directory. But if there is no lockout, the password can be brute-forced.

Best Regards,

Thanks

Hey @Tien Ngo Thanh

There are a few options:

You can look at Managed Service Accounts (MSAs) and see if they fit your requirements. They act like computer accounts - you don't have to manually manage the passwords going forward. They cannot be locked out, but you also cannot log on interactively with an MSA.

There are a few requirements for Managed Service Accounts - they can't be shared by multiple computers or used in server clusters, they need Server 2008 R2, etc.

There are also Group Managed Service Accounts (gMSAs) - these run on the same principle but have much better functionality, can be used on multiple computers, support more applications, etc. More information can be found here:

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-manage...

If you cannot implement an MSA or gMSA because it doesn't fit your needs, then you may have to deal with service accounts. A couple of best practices I've noted are:

• One unique account to run the service on each server
• Try to use a local account rather than a global domain account
• Strong, random password
• Change the password - this will also mean you need to change it on the service/application
• Give the account the least amount of permissions it requires
• Do not share the password

This will be more work on your side, but at least your environment will be somewhat secure.

Hope this helps,

Mark
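An added PowerShell example (not from this thread or from either of Mark's replies) that puts both suggestions into practice: a Fine-Grained Password Policy with its own lockout settings scoped to a group of LDAP service accounts, as in the accepted answer, and a gMSA as the alternative from the second reply. The ActiveDirectory module, the group name, account names, hostnames and all thresholds are assumed or constructed for illustration.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module,
# Domain Admin rights, a 2008+ domain functional level, and an existing group
# 'LDAP-Service-Accounts'. All names and numbers below are constructed values.
Import-Module ActiveDirectory

# 1. Fine-Grained Password Policy (PSO) for the LDAP service accounts.
#    Lockout stays enabled, so password guessing is still throttled, but the
#    threshold is higher and the window shorter than a typical Default Domain
#    Policy, so a few bad binds from a misconfigured client do not take the
#    application offline. A long password is the real defence against guessing.
$psoName = 'PSO-LDAP-ServiceAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 25 `
        -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 50 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15)
}
# Scope the PSO to the group; a lower Precedence value wins if several apply.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'LDAP-Service-Accounts'

# 2. Check which policy actually applies to one member (resultant PSO), since a
#    user-linked PSO or a lower-precedence group PSO would override this one.
Get-ADUserResultantPasswordPolicy -Identity 'svc-ldap-app' |
    Select-Object Name, Precedence, LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 3. gMSA alternative: AD rotates the password and the account cannot be locked
#    out, but only the listed computer accounts may retrieve the password.
#    A KDS root key is needed once per forest; -EffectiveImmediately is for labs,
#    production should wait the default 10 hours for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name 'gmsa-ldap-app' `
    -DNSHostName 'gmsa-ldap-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$', 'APP02$'
# On each application host: Install-ADServiceAccount gmsa-ldap-app
#                           Test-ADServiceAccount gmsa-ldap-app

# 4. Operational check: which accounts in the group are currently locked out.
Get-ADGroupMember -Identity 'LDAP-Service-Accounts' |
    Get-ADUser -Properties LockedOut |
    Where-Object { $_.LockedOut } |
    Select-Object SamAccountName, LockedOut
```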

@HidMov: this password cannot be changed because it is fixed in a program that connects to AD using the LDAP protocol.
