SOLVED
How to configure account lockout policy?

Tien Ngo Thanh
Regular Contributor

How to configure account lockout policy? Can I create another policy and configure lockout, or must I configure the Default Domain Policy?

4 Replies
Solution

Hi @Tien Ngo Thanh

Yes, you can have more than one account lockout policy. This is called Fine-Grained Password Policy.

You must have at least Server 2008 and a domain functional level of 2008.

These two links show you how to set this up.

https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained...

https://blog.netwrix.com/2016/03/03/how-to-set-up-multiple-password-and-account-lockout-policies/

Thanks,

Mark
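As an added example (not Mark's code or the content of the linked articles), the same setup in PowerShell: a Password Settings Object with its own lockout values, applied to a group of service accounts so the Default Domain Policy stays untouched. It assumes the RSAT ActiveDirectory module; the PSO, group and account names and the lockout values are hypothetical.

```powershell
# Added example, not from the thread: a Fine-Grained Password Policy (PSO) that
# gives one group its own lockout settings. Hypothetical names: PSO
# "PSO-ServiceAccounts", global security group "FGPP-ServiceAccounts" (must
# already exist), member account "svc-example".
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAccounts'
$group   = 'FGPP-ServiceAccounts'

# Lower Precedence wins when a user is covered by more than one PSO.
# Values below are illustrative: a burst of failed logons locks the account
# briefly and it unlocks on its own, instead of staying locked until an admin acts.
$pso = @{
    Name                            = $psoName
    Precedence                      = 10
    LockoutThreshold                = 20                          # failed logons
    LockoutObservationWindow        = (New-TimeSpan -Minutes 15)  # counter reset
    LockoutDuration                 = (New-TimeSpan -Minutes 15)  # auto-unlock
    ComplexityEnabled               = $true
    MinPasswordLength               = 20
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 365)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: compare the domain default with the policy that actually wins
# for a member of the group.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-ADUserResultantPasswordPolicy -Identity 'svc-example' |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration
```

Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies, which means the user still falls under the Default Domain Policy.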

Hi

Please advise me about these service accounts, whose credentials are fixed in a program. If someone knows these user names and tries to log in and fails a few times, then these accounts will be locked out, which will affect our program, which will lose its connection to Active Directory. But if there is no lockout, then the password can be brute-forced.

Best Regards,

Thanks

Hey @Tien Ngo Thanh

There are a few options:

You can look at Managed Service Accounts (MSAs) and see if they fit your requirements. They act like computer accounts - you don't have to manually manage the passwords going forward. They cannot be locked out, but you also cannot log on interactively with an MSA.

There are a few requirements for Managed Service Accounts - one can't be shared by multiple computers or used in server clusters, it needs Server 2008 R2, etc.

There are also Group Managed Service Accounts (gMSAs) - these run on the same principle but have much better functionality, can be used on multiple computers, support more applications, etc. More information can be found here:

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-manage...

If you cannot implement MSA or gMSA because it doesn't fit your needs, then you may have to deal with service accounts. A couple of best practices I've noted are:

• One unique account to run the service on each server
• Try to use a local account rather than a global domain account
• Strong, random password
• Change the password - this will also mean you need to change it on the service/application
• Give the account the least amount of permissions it requires
• Do not share the password

This will be more work on your side, but at least your environment will be somewhat secure.

Hope this helps,

Mark
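As an added example (not Mark's code or the linked documentation), provisioning a gMSA in PowerShell so that the service has no human-managed password to guess or to lock out. It assumes the RSAT ActiveDirectory module, Server 2012 or later domain controllers, and hypothetical names: host group "gMSA-WebApp-Hosts", computers WEB01 and WEB02, account "gmsa-webapp", DNS suffix corp.example.

```powershell
# Added example, not from the thread: create a gMSA whose password AD generates
# and rotates itself, retrievable only by the hosts that run the service.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which DCs derive gMSA passwords.
# Backdating EffectiveTime is the usual single-DC lab shortcut; in production
# use -EffectiveImmediately and wait ~10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Only members of this group may retrieve the managed password.
# Single quotes keep the trailing $ of computer account names literal.
$hostGroup = 'gMSA-WebApp-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$', 'WEB02$'

$gmsa = @{
    Name                                       = 'gmsa-webapp'
    DNSHostName                                = 'gmsa-webapp.corp.example'
    PrincipalsAllowedToRetrieveManagedPassword = $hostGroup
    ManagedPasswordIntervalInDays              = 30     # rotated by AD, not by you
    KerberosEncryptionType                     = 'AES128', 'AES256'
}
New-ADServiceAccount @gmsa

# On each host, after a reboot so the new group membership is in its token:
#   Install-ADServiceAccount -Identity 'gmsa-webapp'
#   Test-ADServiceAccount    -Identity 'gmsa-webapp'   # True = host can fetch the password
# Then configure the service, task or IIS app pool to run as CORP\gmsa-webapp$
# with an empty password field.
```

A gMSA only helps where the workload runs as that account (Windows service, scheduled task, IIS application pool); a program that performs an LDAP bind with a password stored in its own configuration cannot use one, which is the case the list of service-account practices above addresses.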

@HidMov: this password cannot be changed, because it is fixed in a program that connects to AD by the LDAP protocol
