Question : What means setting: Reset Account Lockout Counter After
Dear Experts, I found this in a book about account lockout settings. But I don't understand the third item: "Reset Account Lockout Counter After". Can someone PLEASE explain it to me?
Account Lockout Threshold: This policy configures the number of invalid logon attempts that will trigger account lockout. The value can be in the range of 0 to 999. A value that is too low (as few as three, for example) may cause lockouts due to normal, human error at logon. A value of 0 will result in accounts never being locked out. The lockout counter is not affected by logons to locked workstations.
Account Lockout Duration: This policy determines the period of time that must pass after a lockout before Active Directory will automatically unlock a user's account. The policy is not set by default, as it is useful only in conjunction with the Account Lockout Threshold policy. Although the policy accepts values ranging from 0 to 99999 minutes, or about 10 weeks, a low setting (5 to 15 minutes) is sufficient to reduce attacks significantly without unreasonably affecting legitimate users who are mistakenly locked out. A value of 0 will require the user to contact appropriate administrators to unlock the account manually.
Reset Account Lockout Counter After: This setting specifies the time that must pass after an invalid logon attempt before the counter resets to zero. The range is 1 to 99999 minutes, and must be less than or equal to the account lockout duration.
Greetings,
Peter Kiers
Answer : What means setting: Reset Account Lockout Counter After
As an example: if you set the "Account Lockout Threshold" to 6 and a user gets their password wrong 6 times, their account will be locked out for the time set in "Account Lockout Duration". However, if they got it wrong 2 times, that is recorded and remembered for the time set in "Reset Account Lockout Counter After". Therefore, if the latter were set to 24 hours, and a user got their password wrong as stated, 2 times when logging on in the morning, if they connect later that same day, they have only 4 attempts (total of 6) before they will be locked out. It is an accumulative counter. It must be set equal to or greater than Account Lockout Duration.