How to set account lockout policies in Windows 2000 and Windows Server 2003

Article translations Article translations
Article ID: 885119 - View products that this article applies to.
Expand all | Collapse all

INTRODUCTION

To help secure your network, you can use account lockout policies for domain accounts or for local user accounts. An account lockout policy is a Microsoft Windows security feature that locks a user account if a designated number of failed logon attempts occur within a specified time frame. These variables are based on security policy lockout settings. You cannot log on to the network through a locked account until the lockout period has expired.

In Microsoft Windows 2000 and in later versions of Windows, you can configure account lockout policies in the Active Directory directory service. To configure account lockout policies in Windows 2000, use the ADSI Edit snap-in to edit Active Directory and to change the PwdProperties attribute in the domain naming context. When you make this change on one domain controller, the change is replicated to all other domain controllers on your network.

Note If you want to set the administrator account lockout policy in a Microsoft Windows NT 4.0 environment, use the Passprop.exe utility from the Windows NT 4.0 Resource Kit.

MORE INFORMATION

To configure the account lockout policies in Active Directory, follow these steps:
  1. Install the ADSI snap-in if it is not already installed on your system. This snap-in is included in the Windows 2000 Support Tools. For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
    301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

    Warning If you use the ADSI Edit snap-in, and you incorrectly modify the attributes of Active Directory objects, you may cause serious problems. These problems may require that you reinstall Windows 2000 Server, Microsoft Exchange 2000 Server, or both. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  2. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
  3. Expand Domain NC [Your_Domain_Name].
  4. Right-click DC=Your_Domain_Name,DC=Your_Domain_Name, and then click Properties.
  5. Click the Attributes tab, and then in the Select a property to view list, click pwdProperties.
  6. In the Edit Attribute box, type the value that you want to use. The following value options are available.
    Collapse this tableExpand this table
    ValuePassword policy
    0Passwords can be simple, and the administrator account cannot be locked out.
    1Passwords must be complex, and the administrator account cannot be locked out.
    8Passwords can be simple, and the administrator account can be locked out.
    9Passwords must be complex, and the administrator account can be locked out.
  7. Click Set, click Apply, and then click OK.
  8. Quit the ADSI Edit snap-in.

Properties

Article ID: 885119 - Last Review: October 30, 2006 - Revision: 2.2
APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Keywords: 
kbhowto kbinfo KB885119

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com