Account Lockout – Best Practices  

Most organizations are migrating from the classic Windows XP operating system to Windows 7. The upgrade gives administrators more granular Group Policy settings, and as always it is important to configure the Account Lockout policies for the existing desktops across the organization. Most administrators require users to log a ticket with the Helpdesk when their account gets locked out. Priorities vary between organizations: a financial organization treats the account lockout policy as critical because it deals with assets and transactions, whereas a mid-size software organization might give it less priority.

The best practices below come from analyzing practical real-world implementations, and again they may differ from one scenario to another. There are three policies that an administrator can set for Account Lockout:

a) Account Lockout Duration

b) Account Lockout Threshold

c) Reset Account Lockout Counter After

 

The help text for these policies ranges from simple to confusing, and if the policies are not understood, users might have their accounts locked out after the first incorrect attempt. To avoid the confusion and complexity, here is what each one means in plain terms.

Account Lockout Duration: the number of minutes a locked-out account stays locked before it is unlocked automatically, i.e. how long users must "wait" before they can try their password again. A value of 0 means the account stays locked until an administrator unlocks it. By default it is set to 30 minutes.

Account Lockout Threshold: the number of failed logon attempts ("wrong" passwords) allowed before the system locks the account. By default it is set to 0, which means the account is never locked out no matter how many wrong passwords are entered.

Reset Account Lockout Counter After: this is the tricky one. It is the number of minutes that must pass after a failed logon before the failed-attempt counter goes back to 0. The window is measured from the most recent failed attempt, not from the first one: with a 30-minute window and a threshold of 3, a user who enters three wrong passwords with less than 30 minutes between consecutive attempts is locked out, while a user who waits 30 minutes after a wrong password starts again from zero. Windows requires this value to be less than or equal to the Account Lockout Duration. By default this is set to 30 minutes.

  

Some examples:

 

Scenario 1:

Account Lockout Duration                   = 60 minutes

Account Lockout Threshold                 = 3

Reset Account Lockout Counter After = 30 minutes 

In this scenario, a user who enters the wrong password 3 times with less than 30 minutes between attempts is locked out and must wait 60 minutes before the account unlocks and the password can be tried again. A wrong password followed by 30 minutes with no further failures resets the counter, so the user gets 3 attempts again.

 

Scenario 2:

Account Lockout Duration                   = 15 minutes

Account Lockout Threshold                 =  3

Reset Account Lockout Counter After = 10 minutes 

In this scenario, a user who enters the wrong password 3 times with less than 10 minutes between attempts is locked out and must wait 15 minutes before the account unlocks and the password can be tried again. A wrong password followed by 10 minutes with no further failures resets the counter, so the user gets 3 attempts again.
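The interaction of the three settings (definitions above and the two scenarios) is easiest to see by replaying a timeline of wrong passwords against a model of the counter. The following Python is an added example, not code from the original post or from Microsoft: it is a simplified model of the per-account bad-password counter a domain controller keeps (one DC, no replication, times in whole minutes), and the attempt timelines it replays are constructed for illustration. `LockoutPolicy`, `AccountLockoutState` and `run_scenario` are names chosen here.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """The three Group Policy settings; duration and reset_after are minutes, threshold is a count."""
    duration: int      # Account Lockout Duration; 0 = locked until an admin unlocks
    threshold: int     # Account Lockout Threshold; 0 = never lock out
    reset_after: int   # Reset Account Lockout Counter After

    def validate(self) -> List[str]:
        """Flag the two misconfigurations a practitioner checks for first."""
        problems = []
        if self.threshold == 0:
            problems.append("threshold 0: lockout disabled, online password guessing is unlimited")
        elif self.duration != 0 and self.reset_after > self.duration:
            problems.append("reset_after must be <= duration when duration is non-zero")
        return problems


class AccountLockoutState:
    """Simplified model (assumption) of the bad-password counter kept per account."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.bad_count = 0
        self.last_bad: Optional[int] = None    # time of the most recent failed logon
        self.locked_at: Optional[int] = None   # time the lockout began, None if unlocked

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        if self.policy.duration == 0:
            return True                         # indefinite: stays locked until unlocked by hand
        if now - self.locked_at >= self.policy.duration:
            self._clear()                       # lockout duration elapsed: automatic unlock
            return False
        return True

    def failed_logon(self, now: int) -> bool:
        """Record a wrong password at time `now`; return True if the account is locked afterwards."""
        if self.is_locked(now):
            return True
        if self.policy.threshold == 0:
            return False
        # The reset window runs from the LAST failed attempt, not from the first one.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_after:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if self.bad_count >= self.policy.threshold:
            self.locked_at = now
        return self.locked_at is not None

    def successful_logon(self, now: int) -> bool:
        """A correct password is rejected while locked; otherwise it clears the counter."""
        if self.is_locked(now):
            return False
        self._clear()
        return True

    def _clear(self) -> None:
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None


def run_scenario(policy: LockoutPolicy, failed_attempts: List[int]) -> dict:
    """Replay failed-logon times (minutes) and report when the first lockout starts and lifts."""
    acct = AccountLockoutState(policy)
    locked_at = None
    for t in failed_attempts:
        if acct.failed_logon(t) and locked_at is None:
            locked_at = t
    unlocks_at = None
    if locked_at is not None and policy.duration != 0:
        unlocks_at = locked_at + policy.duration
    return {"locked_at": locked_at, "unlocks_at": unlocks_at}


SCENARIO_1 = LockoutPolicy(duration=60, threshold=3, reset_after=30)
SCENARIO_2 = LockoutPolicy(duration=15, threshold=3, reset_after=10)
WINDOWS_DEFAULT = LockoutPolicy(duration=30, threshold=0, reset_after=30)

if __name__ == "__main__":
    # Constructed attempt timelines, in minutes after the first wrong password.
    print(run_scenario(SCENARIO_1, [0, 10, 20]))   # three quick failures: locked at 20, unlocks at 80
    print(run_scenario(SCENARIO_1, [0, 25, 50]))   # gaps under 30 min: still locks at 50
    print(run_scenario(SCENARIO_1, [0, 40, 80]))   # 40-min gaps reset the counter: never locks
    print(run_scenario(SCENARIO_2, [0, 5, 9]))     # locked at 9, unlocks at 24
    print(run_scenario(WINDOWS_DEFAULT, list(range(100))))  # threshold 0: never locks
    print(WINDOWS_DEFAULT.validate())
```

The second Scenario 1 timeline is the point worth noticing: the three failures span 50 minutes, longer than the 30-minute reset window, yet the account still locks because no two consecutive failures are 30 minutes apart. `validate()` catches the default threshold of 0 and a reset window longer than the lockout duration, which the Group Policy editor will not accept either.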

  

Note: make sure you never set Account Lockout Threshold to 0, since that disables lockout altogether and leaves accounts open to unlimited online password guessing. At the other extreme, a very low threshold lets anyone who knows a username lock that user out on purpose, so pick a threshold and duration the Helpdesk can live with.

 
