%3CLINGO-SUB%20id%3D%22lingo-sub-259077%22%20slang%3D%22en-US%22%3EBuilt-In%20Administrator%20Account%20Lockout%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-259077%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EFirst%20published%20on%20TechNet%20on%20Jul%2011%2C%202017%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3EHello%2C%20my%20name%20is%20Jason%20Krause%20and%20this%20is%20my%20first%20time%20writing%20a%20blog%20post%20for%20AskPFEPlat.%20I%20am%20a%20Platforms%20PFE%20here%20at%20Microsoft%20and%20work%20primarily%20in%20Active%20Directory%20and%20Group%20Policy.%20Recently%20a%20customer%20approached%20me%20with%20a%20question%20I%20thought%20I%20knew%20the%20answer%20to%2C%20%22Can%20the%20administrator%20account%20be%20locked%20out%22%3F%20In%20their%20environment%2C%20a%20security%20scanning%20tool%20was%20attempting%20to%20log%20into%20the%20RID%20500%20Administrator%20account%20with%20invalid%20credentials.%20This%20activity%20was%20generating%20lock%20out%20events%20that%20were%20being%20collected%20by%20their%20security%20information%20and%20event%20management%20(SIEM).%20In%20Active%20Directory%2C%20an%20account%20lockout%20occurs%20when%20the%20amount%20of%20failed%20logon%20attempts%20exceeds%20the%20allowed%20limit%20set%20in%20Group%20Policy.%20Each%20time%20a%20bad%20password%20is%20presented%20to%20the%20domain%20controller%2C%20the%20%22badPwdCount%22%20attribute%20is%20incremented%20on%20that%20account.%20Account%20lockout%20policy%20is%20defined%20once%20per%20domain%2C%20traditionally%20in%20the%20Default%20Domain%20Policy.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20756px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F53267iE89BA39467E753DD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3CEM%3ENote%20%3C%2FEM%3E%20%3A%20The%20current%20recommended%20security%20baseline%20for%20Account%20Lockout%20Threshold%20should%20be%20set%20to%20a%20minimum%20of%2010%20invalid%20login%20attempts.%20These%20settings%20may%20not%20be%20right%20for%20your%20organization.%20Please%20refer%20to%20Aaron%20Margosis'%20post%20on%20configuring%20account%20lockout%20.%20NIST%20currently%20recommends%20limiting%20invalid%20login%20attempts%20to%20100%20.%20Account%20lockout%20threshold%3A%20How%20many%20bad%20password%20attempts%20are%20allowed%20before%20the%20account%20is%20locked%20out%20on%20the%20domain%20controller%3F%20This%20setting%20is%20also%20referred%20to%20as%20the%20%22LockoutThreshold%22%20Account%20lockout%20duration%20%3A%20How%20long%20should%20the%20account%20remain%20locked%20out%20after%20exceeding%20the%20threshold%3F%20Reset%20account%20lockout%20counter%20after%20%3A%20After%20the%20first%20bad%20password%20is%20attempted%2C%20how%20long%20should%20the%20domain%20controller%20record%20subsequent%20attempts%3F%20This%20setting%20is%20also%20referred%20to%20as%20the%20%22ObservationWindow%22%20When%20a%20normal%20domain%20user%20attempts%20to%20log%20in%20with%20an%20account%20that%20has%20been%20locked%20out%2C%20Kerberos%20returns%20a%20KDC_ERR_CLIENT_REVOKED.%20This%20is%20true%20even%20if%20the%20correct%20password%20is%20typed.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20881px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F53268i2E4F0923F3764082%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3CEM%3EKRB_AS_ERROR%2C%20KDC_ERR_CLIENT_REVOKED%3A%20Clients%20credentials%20have%20been%20revoked%2C%20Cname%3A%20testuser%2C%20Realm%3A%20contoso%2C%20Sname%3A%20krbtgt%2Fcontoso%20%3C%2FEM%3E%20When%20the%20Administrator%20(RID%20500)%20account%20is%20locked%20and%20another%20bad%20password%20is%20attempted%2C%20Kerberos%20returns%20a%20KDC_ERR_PREAUTH_FAILED.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20892px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F53269iB333A6A2383B5272%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3CEM%3EKRB_AS_ERROR%2C%20KDC_ERR_PREAUTH_FAILED%3A%20Pre-authentication%20information%20was%20invalid%2C%20Cname%3A%20administrator%2C%20Realm%3A%20contoso%2C%20Sname%3A%20krbtgt%2Fcontoso%20%3C%2FEM%3E%20The%20two%20differences%20for%20the%20Administrator%20account%20are%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EThe%20authentication%20package%20ignores%20the%20Lockout%20attribute%20and%20returns%20a%20failed%20login%3C%2FLI%3E%0A%3CLI%3EThe%20Lockout%20attribute%20is%20reset%20upon%20successful%20login.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThis%20behavior%20can%20be%20changed%20by%20modifying%20the%20domain%20PasswordProperties%20attribute%2C%20but%20I%20would%20caution%20against%20this%20change.%20%3CA%3E%20DOMAIN_PASSWORD_INFORMATION%20structure%20%3C%2FA%3E%3C%2FP%3E%0A%3CDIV%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23636363%3B%22%3E%20%3CSTRONG%3E%20Value%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23636363%3B%22%3E%20%3CSTRONG%3E%20Meaning%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%3CSTRONG%3EDOMAIN_PASSWORD_COMPLEX%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%200x00000001L%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CUL%3E%0A%3CLI%3E%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20The%20password%20must%20have%20a%20mix%20of%20at%20least%20two%20of%20the%20following%20types%20of%20characters%3A%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%20Uppercase%20characters%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%20Lowercase%20characters%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%20Numerals%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%3CSTRONG%3EDOMAIN_PASSWORD_NO_ANON_CHANGE%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%200x00000002L%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20The%20password%20cannot%20be%20changed%20without%20logging%20on.%20Otherwise%2C%20if%20your%20password%20has%20expired%2C%20you%20can%20change%20your%20password%20and%20then%20log%20on.%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%3CSTRONG%3EDOMAIN_PASSWORD_NO_CLEAR_CHANGE%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%200x00000004L%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20Forces%20the%20client%20to%20use%20a%20protocol%20that%20does%20not%20allow%20the%20domain%20controller%20to%20get%20the%20plaintext%20password.%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%3CSTRONG%3EDOMAIN_LOCKOUT_ADMINS%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%200x00000008L%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20Allows%20the%20built-in%20administrator%20account%20to%20be%20locked%20out%20from%20network%20logons.%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%3CSTRONG%3EDOMAIN_PASSWORD_STORE_CLEARTEXT%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%200x00000010L%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20The%20directory%20service%20is%20storing%20a%20plaintext%20password%20for%20all%20users%20instead%20of%20a%20hash%20function%20of%20the%20password.%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%3CSTRONG%3EDOMAIN_REFUSE_PASSWORD_CHANGE%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%232a2a2a%3B%22%3E%200x00000020L%3C%2FSPAN%3E%3C%2FTD%3E%0A%3CTD%3E%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20Removes%20the%20requirement%20that%20the%20machine%20account%20password%20be%20automatically%20changed%20every%20week.%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20%23454545%3B%22%3E%20This%20value%20should%20not%20be%20used%20as%20it%20can%20weaken%20security.%20%3C%2FSPAN%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3C%2FDIV%3E%0A%3CP%3ETo%20answer%20the%20original%20question%2C%20you%20can%20lock%20out%20the%20administrator%20account%2C%20but%20by%20default%20it%20does%20not%20stay%20locked%20out.%20As%20long%20as%20we%20still%20have%20your%20attention%2C%20take%20the%20time%20to%20review%20our%20recommended%20practices%20on%20%3CA%3E%20securing%20built-in%20administrator%20accounts%20in%20Active%20Directory%20%3C%2FA%3E%20.%20Implementing%20these%20changes%20goes%20a%20long%20way%20towards%20securing%20your%20environment.%20Thanks%20for%20reading%2C%20and%20I%20hope%20you%20find%20this%20helpful!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-259077%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20TechNet%20on%20Jul%2011%2C%202017%20Hello%2C%20my%20name%20is%20Jason%20Krause%20and%20this%20is%20my%20first%20time%20writing%20a%20blog%20post%20for%20AskPFEPlat.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-259077%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EJasonKrause%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

First published on TechNet on Jul 11, 2017
Hello, my name is Jason Krause and this is my first time writing a blog post for AskPFEPlat. I am a Platforms PFE here at Microsoft and work primarily in Active Directory and Group Policy. Recently a customer approached me with a question I thought I knew the answer to, "Can the administrator account be locked out"? In their environment, a security scanning tool was attempting to log into the RID 500 Administrator account with invalid credentials. This activity was generating lock out events that were being collected by their security information and event management (SIEM). In Active Directory, an account lockout occurs when the amount of failed logon attempts exceeds the allowed limit set in Group Policy. Each time a bad password is presented to the domain controller, the "badPwdCount" attribute is incremented on that account. Account lockout policy is defined once per domain, traditionally in the Default Domain Policy. Note : The current recommended security baseline for Account Lockout Threshold should be set to a minimum of 10 invalid login attempts. These settings may not be right for your organization. Please refer to Aaron Margosis' post on configuring account lockout . NIST currently recommends limiting invalid login attempts to 100 . Account lockout threshold: How many bad password attempts are allowed before the account is locked out on the domain controller? This setting is also referred to as the "LockoutThreshold" Account lockout duration : How long should the account remain locked out after exceeding the threshold? Reset account lockout counter after : After the first bad password is attempted, how long should the domain controller record subsequent attempts? This setting is also referred to as the "ObservationWindow" When a normal domain user attempts to log in with an account that has been locked out, Kerberos returns a KDC_ERR_CLIENT_REVOKED. This is true even if the correct password is typed. KRB_AS_ERROR, KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked, Cname: testuser, Realm: contoso, Sname: krbtgt/contoso When the Administrator (RID 500) account is locked and another bad password is attempted, Kerberos returns a KDC_ERR_PREAUTH_FAILED. KRB_AS_ERROR, KDC_ERR_PREAUTH_FAILED: Pre-authentication information was invalid, Cname: administrator, Realm: contoso, Sname: krbtgt/contoso The two differences for the Administrator account are

  1. The authentication package ignores the Lockout attribute and returns a failed login
  2. The Lockout attribute is reset upon successful login.

This behavior can be changed by modifying the domain PasswordProperties attribute, but I would caution against this change. DOMAIN_PASSWORD_INFORMATION structure

Value Meaning
DOMAIN_PASSWORD_COMPLEX 0x00000001L
  • The password must have a mix of at least two of the following types of characters:
  • Uppercase characters
  • Lowercase characters
  • Numerals
DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.
DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L Forces the client to use a protocol that does not allow the domain controller to get the plaintext password.
DOMAIN_LOCKOUT_ADMINS 0x00000008L Allows the built-in administrator account to be locked out from network logons.
DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L The directory service is storing a plaintext password for all users instead of a hash function of the password.
DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L Removes the requirement that the machine account password be automatically changed every week. This value should not be used as it can weaken security.

To answer the original question, you can lock out the administrator account, but by default it does not stay locked out. As long as we still have your attention, take the time to review our recommended practices on securing built-in administrator accounts in Active Directory . Implementing these changes goes a long way towards securing your environment. Thanks for reading, and I hope you find this helpful!