A brief look at configuring Account Lockout Threshold policy
Written by Titus Manohar, IT security team, ManageEngine • Updated on May 2026
Attackers can automate brute-force attacks that try thousands of password permutations against many user accounts. Limiting the number of failed sign-in attempts an account tolerates helps counter these attacks.
The Account lockout threshold policy setting defines the number of failed sign-in attempts that cause an account to be locked out. Once locked, an account cannot be used to sign in until an administrator resets it or until the period specified by the Account lockout duration policy setting expires. The threshold can be set from 1 through 999 failed sign-in attempts, or to 0 so that the account is never locked. When the threshold is greater than zero, the Account lockout duration must be set to a value greater than or equal to the Reset account lockout counter after value.
There is still a risk that a denial-of-service (DoS) attack could be launched on a domain that has an account lockout threshold configured. A malicious user could program a batch of password attacks against users in an organization. When the number of attempts exceeds the value of Account lockout threshold, the attacker could potentially lock every account.
A user's workstation can lock after multiple failed attempts, even if the Interactive logon: Require Domain Controller authentication to unlock workstation security option is disabled. After the account lockout duration has passed, if you unlock with the same password, Windows does not need to contact a domain controller. If you enter a different password, Windows has to contact a domain controller to verify whether the password was changed from another machine.
Account Lockout Threshold values
A user can configure threshold values between 0 and 999 or can leave the threshold value undefined.
Recommended configurations:
The threshold you choose should balance operational efficiency and security, and it depends on the risk appetite of your organization. To allow for user error when typing passwords while still preventing brute-force attacks, Microsoft recommends a value of 10 as optimal.
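The rules above (a threshold of 1 to 999 or 0 for never, lockout duration at least as long as the reset counter window, and the recommended value of 10) can be checked against a live domain from PowerShell. The following is an added example, not code from the original article or from ADAudit Plus; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the 30-minute duration and window used in the remediation call are assumed target values, not values the article prescribes.

```powershell
# Added example (not from the original article): audit the domain's account
# lockout policy against the rules described above and preview remediation.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)] $Policy,      # output of Get-ADDefaultDomainPasswordPolicy
        [int]$RecommendedThreshold = 10      # value the article cites as Microsoft's recommendation
    )
    $findings = @()
    $t = $Policy.LockoutThreshold
    if ($t -eq 0) {
        $findings += 'Threshold is 0: accounts never lock, so lockout does not slow brute force; rely on other controls.'
    } else {
        if ($t -ne $RecommendedThreshold) {
            $findings += "Threshold $t differs from the recommended $RecommendedThreshold (higher = more guesses per account, lower = more lockouts and easier DoS)."
        }
        # LockoutObservationWindow is the "Reset account lockout counter after" value;
        # with a non-zero threshold the lockout duration must be >= that window.
        if ($Policy.LockoutDuration -lt $Policy.LockoutObservationWindow) {
            $findings += "LockoutDuration ($($Policy.LockoutDuration)) is shorter than the reset window ($($Policy.LockoutObservationWindow))."
        }
    }
    [pscustomobject]@{
        Threshold         = $t
        Duration          = $Policy.LockoutDuration
        ObservationWindow = $Policy.LockoutObservationWindow
        Findings          = $findings
        Compliant         = ($findings.Count -eq 0)
    }
}

$result = Test-LockoutPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
$result | Format-List

# Remediation with assumed target values. -WhatIf only previews the change;
# remove it once the values have been agreed for your environment.
if (-not $result.Compliant) {
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -WhatIf
}
```

Get-ADDefaultDomainPasswordPolicy reports the Default Domain Policy values that apply to domain accounts; a fine-grained password policy (PSO) applied to specific users or groups can override them, so check Get-ADFineGrainedPasswordPolicy as well when the domain uses PSOs. The same three values are also visible with net accounts /domain.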
Best Practices for implementation:
- The odds of a DDoS attack or data theft depend on the security strategy you have adopted for your systems and environment. Set the account lockout threshold with the known and perceived risk in mind.
- Be aware that the Kerberos protocol can automatically retry sign-in attempts while negotiating encryption types, and each retry is counted against the account lockout threshold. In environments where different versions of the operating system are deployed, encryption type negotiation happens more often.
- Not all applications in an organizational environment track how many times a user attempts to sign in. For instance, if there is a disconnect, all subsequent failed sign-in attempts count toward the account lockout threshold.
Countermeasures against security loopholes:
As noted above, the policy can be abused for DoS attacks, and it presents a challenge: blocking brute-force attacks while giving legitimate users enough allowance for mistyped passwords. Two approaches:
- Set the Account lockout threshold value to 0. This ensures that accounts are never locked and blocks a DoS attack that attempts to lock users out of their accounts.
- Configure the Account lockout threshold policy setting to a value high enough to give users allowance for mistyping passwords several times before the account is locked, while still ensuring that trial-and-error password attacks are stopped by the lockout.
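Whichever threshold is chosen, the DoS scenario described above (an attacker deliberately exhausting the threshold for many accounts) shows up in the domain's lockout events as a burst of distinct accounts locked within minutes, often from a single caller computer. The following added example (not code from the original article or from ADAudit Plus) reads event ID 4740, "A user account was locked out", from the PDC emulator, which records every lockout in the domain, and flags such bursts. The 10-minute window and 20-account threshold are assumed tuning values; the sample events at the end are constructed so the analysis runs without a domain.

```powershell
# Added example (not from the original article): detect the lockout-DoS pattern
# (many distinct accounts locked in a short window) from Security event 4740 on
# the PDC emulator. Assumes the RSAT ActiveDirectory module and rights to read
# the Security log remotely; window and threshold values are assumptions.

function Get-LockoutEvents {
    param([int]$Minutes = 60)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $data['TargetUserName']
                # In 4740 the TargetDomainName data field carries the caller computer name.
                Caller  = $data['TargetDomainName']
            }
        }
}

function Find-LockoutBurst {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with Time, Account, Caller
        [int]$WindowMinutes = 10,                   # assumed window size
        [int]$DistinctAccountThreshold = 20         # assumed; tune to domain size
    )
    # Slide a window over the time-sorted events and alert when a single window
    # holds lockouts for at least DistinctAccountThreshold different accounts.
    $sorted = @($Events | Sort-Object Time)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start  = $sorted[$i].Time
        $end    = $start.AddMinutes($WindowMinutes)
        $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
        $accounts = @($window.Account | Select-Object -Unique)
        if ($accounts.Count -ge $DistinctAccountThreshold) {
            $callers = $window | Group-Object Caller | Sort-Object Count -Descending |
                Select-Object -First 3 | ForEach-Object { "$($_.Name) ($($_.Count))" }
            return [pscustomobject]@{
                WindowStart    = $start
                LockedAccounts = $accounts.Count
                TopCallers     = ($callers -join ', ')
            }
        }
    }
    return $null   # no burst found
}

# Constructed sample: one ordinary lockout earlier in the hour, then 25 accounts
# locked from one workstation within about three minutes (the DoS pattern).
$now = Get-Date
$sample = @([pscustomobject]@{ Time = $now.AddMinutes(-50); Account = 'jdoe'; Caller = 'WS-HR-07' })
$sample += 1..25 | ForEach-Object {
    [pscustomobject]@{ Time = $now.AddMinutes(-5).AddSeconds($_ * 6); Account = "user$_"; Caller = 'WS-UNKNOWN-42' }
}
Find-LockoutBurst -Events $sample | Format-List

# Live run against the domain (uncomment on a host with the required rights):
# Find-LockoutBurst -Events (Get-LockoutEvents -Minutes 60) | Format-List
```

On the constructed sample the function reports 25 locked accounts in the window starting at the first of the burst, with WS-UNKNOWN-42 as the top caller; a single caller locking many accounts is the signal to investigate the source machine, whereas lockouts spread evenly across callers and hours are the ordinary mistyped-password noise the threshold is meant to absorb.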
About ADAudit Plus
ADAudit Plus is real-time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:
- Authorized and unauthorized AD management changes
- User logons, logoffs, and account lockouts
- GPO changes
- Group attribute and membership changes
- OU changes
- Privileged access and permission changes
- Azure AD logons, and changes to roles, groups, and applications
- PowerShell scripts and modules
among other things.
There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics.
