Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Password Lockout GPO

Posted on 2011-05-12
5
Medium Priority
?
949 Views
Last Modified: 2012-05-11
Can someone explain to me in lamons terms the difference between "Account Lockout Duration" and "Reset Account Lockout Counter After" in Windows 2008 GPO. I've listed a screenshot. To me, it sounds like the are doing the same thing.....please help me understand.
lock.JPG
0
Comment
Question by:wantabe2
5 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 1200 total points
ID: 35748543
Lockout duration is how long it gets locked out for

reset counter after is the period during the invalid attempts are logged

For Example

If the invalid attempts is set to 3
and Reset counter after is set to 30min

You can ty two invalid passwords , then in 30 mins time try another twice, and so on
unless you make three invalid attempts within 30mins your account will not be locked
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 800 total points
ID: 35748546
So the Account Lockout Duration is how long before the account is unlocked,  so say it is 60 minutes like you see it there.  If I lock my account out then come back from lunch then my account is no longer locked

http://msdn.microsoft.com/en-us/library/ms813429.aspx

Reset Account Lockout Counter is the actual time until the counter for invalid attempts is set back to 0

So say my password is Password

then I enter

Pasword
Passsword
passworD

So at this point the counter is set to 3...you have a threshold of 10 there

I go to lunch and come back in an hour now my counter is back to 0 because of the 30 minute setting

http://technet.microsoft.com/en-us/library/cc784599(WS.10).aspx

thanks

Mike
0
 
LVL 8

Expert Comment

by:spiderwilk007
ID: 35748559
Account lockout duration is the amount of time the account remains locked out.
Reset account lockout counter is the amount of time it stores a bad login attempt in memory.

So you have account lockout threashold to 10 those ten failed attempts have to occur in a 30 minute period if the first occured at 12:30p it will no long count as a bad login attempt after 1:01p

0
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35748563
Duration is how long it is locked out.

Reset is how long will your invalid attempt count. Like lets say I tried 9 times and worried that I might get locked out. I can come back in 31 minutes and then I can try 9 more times.
0
 
LVL 5

Expert Comment

by:Noduzz
ID: 35748594
Account Lockout Duration is the time the account will be locked out for once the account gets locked out.  Reset Account Lockout Counter after is a the length of time until the lockout counter gets reset.  So if a person sets it to 30 minutes and a person logs in 3 out of the 10 times the wrong way they have another 30 minutes until that counter gets reset.  If they log in 7 more times incorrectly within the 30 minutes then their account will get locked out but if they fail 7 times after 30 minutes of the initial 3 incorrect logins then they would still have 3 more attempts.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question