Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to set account lockout policies in Windows 2000 and Windows Server 2003


View products that this article applies to.

Introduction

To help secure your network, you can use account lockout policies for domain accounts or for local user accounts. An account lockout policy is a Microsoft Windows security feature that locks a user account if a designated number of failed logon attempts occur within a specified time frame. These variables are based on security policy lockout settings. You cannot log on to the network through a locked account until the lockout period has expired.

In Microsoft Windows 2000 and in later versions of Windows, you can configure account lockout policies in the Active Directory directory service. To configure account lockout policies in Windows 2000, use the ADSI Edit snap-in to edit Active Directory and to change the PwdProperties attribute in the domain naming context. When you make this change on one domain controller, the change is replicated to all other domain controllers on your network.

Note If you want to set the administrator account lockout policy in a Microsoft Windows NT 4.0 environment, use the Passprop.exe utility from the Windows NT 4.0 Resource Kit.

↑ Back to the top


More information

To configure the account lockout policies in Active Directory, follow these steps:
  1. Install the ADSI snap-in if it is not already installed on your system. This snap-in is included in the Windows 2000 Support Tools. For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
    301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

    Warning If you use the ADSI Edit snap-in, and you incorrectly modify the attributes of Active Directory objects, you may cause serious problems. These problems may require that you reinstall Windows 2000 Server, Microsoft Exchange 2000 Server, or both. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  2. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
  3. Expand Domain NC [Your_Domain_Name].
  4. Right-click DC=Your_Domain_Name,DC=Your_Domain_Name, and then click Properties.
  5. Click the Attributes tab, and then in the Select a property to view list, click pwdProperties.
  6. In the Edit Attribute box, type the value that you want to use. The following value options are available.
    ValuePassword policy
    0Passwords can be simple, and the administrator account cannot be locked out.
    1Passwords must be complex, and the administrator account cannot be locked out.
    8Passwords can be simple, and the administrator account can be locked out.
    9Passwords must be complex, and the administrator account can be locked out.
  7. Click Set, click Apply, and then click OK.
  8. Quit the ADSI Edit snap-in.

↑ Back to the top


Keywords: KB885119, kbinfo, kbhowto

↑ Back to the top

Article Info
Article ID : 885119
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 344