Wednesday, September 2, 2009

Windows account security

The domain (Active Directory) policy overrides any local security setup for a domain account on a server. If the domain security policy says an account locks after 5 failed attempts and the local security policy says it locks after 3, the account locks out after 5 attempts.
Here's the interesting thing:
The account lockout counter is reset every 24 hours or by every successful login attempt. So if you have two services using the same account, one with the correct password and one with an incorrect password, the account will likely run indefinitely without ever locking out. The service with the wrong password will never work, and you should see a lot of failed-logon errors in the Security event log.
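The following PowerShell is an added example and not part of the original post. It shows the effective lockout settings (domain policy via the ActiveDirectory RSAT module, local policy via `net accounts`), models the counter behaviour described above with a small function so you can see why an alternating correct/incorrect pattern never reaches the threshold, and then groups failed-logon events (ID 4625) in the local Security log by account, process and workstation so the misconfigured service can be located. The function names (`Get-LockoutPolicySummary`, `Test-LockoutSequence`, `Get-FailedLogonSources`) are my own; reading the Security log needs local administrator rights.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is installed for the domain query and that the shell has rights to
# read the Security log. Function names are hypothetical.

# 1. Effective lockout settings. For domain accounts the domain policy wins
#    over whatever the local security policy on this server says.
function Get-LockoutPolicySummary {
    $domain = $null
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $p = Get-ADDefaultDomainPasswordPolicy
        $domain = [pscustomobject]@{
            Source            = 'Domain (Default Domain Policy)'
            LockoutThreshold  = $p.LockoutThreshold
            ObservationWindow = $p.LockoutObservationWindow
            LockoutDuration   = $p.LockoutDuration
        }
    }
    # 'net accounts' prints the policy in effect for local accounts on this machine.
    $local = net accounts | Where-Object { $_ -match 'Lockout' }
    [pscustomobject]@{ Domain = $domain; LocalRaw = $local }
}

# 2. Model of the counter described in the post: a failure increments it, a
#    successful logon (or the reset window expiring) sets it back to zero, and
#    lockout happens when the count reaches the threshold. Returns the attempt
#    number at which lockout occurs, or $null if it never does.
function Test-LockoutSequence {
    param(
        [bool[]]$Attempts,      # $true = correct password, $false = wrong password
        [int]$Threshold = 5
    )
    $count = 0
    for ($i = 0; $i -lt $Attempts.Count; $i++) {
        if ($Attempts[$i]) {
            $count = 0          # success resets the counter
        } else {
            $count++
            if ($count -ge $Threshold) { return $i + 1 }
        }
    }
    return $null
}

# Constructed patterns: two services alternating good/bad, versus one bad service alone.
$alternating = 0..19 | ForEach-Object { ($_ % 2) -eq 0 }
$failuresOnly = @($false) * 6
$neverLocks = Test-LockoutSequence -Attempts $alternating -Threshold 5   # $null
$lockAt     = Test-LockoutSequence -Attempts $failuresOnly -Threshold 5  # 5
"Alternating -> lockout at: '$neverLocks'; failures only -> lockout at: $lockAt"

# 3. Locate the source of failed logons (event 4625) in this server's Security
#    log. SubStatus 0xC000006A means "wrong password". Actual lockouts (4740)
#    are recorded on the domain controller, not on the member server.
function Get-FailedLogonSources {
    param([string]$Account, [int]$MaxEvents = 500)
    $filter = @{ LogName = 'Security'; Id = 4625 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $d['TargetUserName']
                LogonType   = $d['LogonType']
                Process     = $d['ProcessName']
                Workstation = $d['WorkstationName']
                SubStatus   = $d['SubStatus']
            }
        } |
        Where-Object { -not $Account -or $_.Account -eq $Account } |
        Group-Object Account, Process, Workstation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-LockoutPolicySummary
Get-FailedLogonSources -Account 'svc_example'   # placeholder account name
```

The grouping in `Get-FailedLogonSources` is usually enough to tell which process or workstation keeps presenting the stale password; raising the threshold or extending the reset window does not fix the underlying misconfiguration, it only changes how quickly the account locks once the good service stops logging in.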

1 comment:

Anonymous said...

Thanks for sharing your suggestions and best-practices on password policies.

By the way, recently one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports including which accounts are locked out, where all a user may have permissions etc.

The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from

If you're into Active Directory security, then this tool is a must-have. Best of all, it's FREE, SUPPORTED and ENDORSED by Microsoft!

Thought I'd share this helpful tip with you!