AD account lockout policy settings

The default domain policy has three account lockout policy settings.

  • Account lockout threshold
    • Sets the number of time a password can be entered in wrong before the account will be locked out.
  • Account lockout duration
    • Sets how long the account will be locked out for, before automatically unlocks
  • Reset lockout counter
    • The time before the failed account logon counter is reset.


Powershell can also be used to set these values, with Set-ADDefaultDomainPasswordPolicy

Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy -LockoutThreshold 10

Leave a Reply