How to configure account lockout policy?


How do I configure an account lockout policy? Can I create another policy and configure lockout there, or must I configure the Default Domain Policy?

best response confirmed by Dave Patrick (MVP)

Hi @Tien Ngo Thanh 


Yes, you can have more than one account lockout policy. This is called Fine-Grained Password Policy.


You must have at least Server 2008 and a domain functional level of 2008.


These two links show you how to set this up.

Please advise me about these service accounts. These accounts are fixed in a program; if someone knows these user names and tries to log in with wrong passwords a few times, the accounts will be locked out, which will affect our program because it will lose its connection to Active Directory. But if there is no lockout, then the passwords can be brute-forced.

Best Regards,


Hey @Tien Ngo Thanh 


There are a few options:


You can look at Managed Service Accounts (MSAs) and see if they fit your requirements. They act like computer accounts - you don't have to manually manage the passwords going forward. They cannot be locked out, but you also cannot log on interactively with an MSA.


There are a few requirements for Managed Service Accounts - one can't be shared by multiple computers or used in server clusters, it needs Server 2008 R2, etc.


There are also Group Managed Service Accounts (gMSAs) - these run on the same principle but have much better functionality, can be used on multiple computers, support more applications, etc. More information can be found here:


If you cannot implement MSA or gMSA because it doesn't fit your needs, then you may have to deal with service accounts. A couple of best practices I've noted are:


• One unique account to run the service on each server
• Try to use a local account rather than a global domain account
• Strong, random password
• Change the password - this will also mean you need to change it on the service/application
• Give the account the least permissions it requires
• Do not share the password


This will be more work your side, but at least your environment will be somewhat secure.


Hope this helps,
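To show the Fine-Grained Password Policy approach from the accepted answer applied to the service-account problem raised later in the thread, here is an added PowerShell example (not from any poster in this thread). It assumes the RSAT ActiveDirectory module, a 2008 or higher domain functional level, and hypothetical names for the PSO, the group and the account; the lockout numbers are illustrative values to adjust for your environment.

```powershell
# Added example: create a Password Settings Object (PSO) with its own lockout
# settings and apply it to a group of service accounts, so the Default Domain
# Policy lockout is not the only option.
# Assumptions: RSAT ActiveDirectory module installed, domain functional level
# 2008 or higher; "PSO-ServiceAccounts", "SvcAccounts-FGPP" and "svc-ldap-app"
# are hypothetical names you would replace with your own.
Import-Module ActiveDirectory

# 1. Inspect what the Default Domain Policy currently enforces.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Create the PSO. When several PSOs apply to one user, the lowest
#    Precedence value wins.
$pso = @{
    Name                        = 'PSO-ServiceAccounts'
    Precedence                  = 10
    LockoutThreshold            = 50            # failed attempts before lockout (0 = never lock out)
    LockoutDuration             = '00:02:00'    # auto-unlock after 2 minutes, limiting the outage
    LockoutObservationWindow    = '00:02:00'    # must be less than or equal to LockoutDuration
    ComplexityEnabled           = $true
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MaxPasswordAge              = '365.00:00:00'
    MinPasswordAge              = '1.00:00:00'
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso

# 3. Apply the PSO to the group. PSOs can target users or global security
#    groups, so membership in this group is what selects the accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SvcAccounts-FGPP'

# 4. Confirm the resultant policy for one member. An empty result means the
#    Default Domain Policy still applies to that account.
Get-ADUserResultantPasswordPolicy -Identity 'svc-ldap-app'
```

A high threshold with a short, automatically expiring lockout keeps an application's LDAP bind from being taken down for long by a few bad attempts while still throttling password guessing; watch for Event ID 4740 (account locked out) on the PDC emulator to catch either case.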


@HidMov: this password cannot be changed because it is fixed in some programs that connect to AD via the LDAP protocol.