Comments (3)

  1. Nick says:

    So in a dos attack, how does one prevent the admin account from being locked out, thus allowing access to unlock other locked accounts?

  2. Bas says:

    @Nick: You should have at least one, but in practice multiple, admin (and helpdesk) accounts exempt from the lockout policy. These should have much stronger passwords, especially passwords that are not predictable and guessable. You can please almost any password policy with a password like "Company2015/05", which is easily updated every 42 days when the policy demands it. Users exempt from the lockout policy should be trained to avoid such password complexity pitfalls. You should configure an alert when you start logging excessive failed password attempts for any such account. Note that often non-managed service accounts also fall into this category.
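    The two controls in the comment above (exempting designated admin accounts from lockout, and alerting when such an account accumulates failed attempts) as an added Python example; this is not code from the original page or from any commenter. It runs a simplified lockout model over constructed sample log lines: the account names, the threshold of 5 failures, the 1-hour observation window and the alert threshold of 10 are all assumptions of this example, and the counter semantics are a simplification rather than Active Directory's exact implementation.

    ```python
    from dataclasses import dataclass
    from datetime import datetime, timedelta
    from typing import Optional

    # Constructed sample log lines for this example (not records from any real system).
    # Format: "<ISO timestamp> <account> <FAIL|SUCCESS>", in chronological order.
    SAMPLE_LOG = """\
    2015-05-01T09:00:00 alice FAIL
    2015-05-01T09:00:10 alice FAIL
    2015-05-01T09:00:20 alice FAIL
    2015-05-01T09:00:30 alice FAIL
    2015-05-01T09:00:40 alice SUCCESS
    2015-05-01T09:05:00 carol FAIL
    2015-05-01T09:05:10 carol FAIL
    2015-05-01T09:05:20 carol FAIL
    2015-05-01T09:05:30 carol FAIL
    2015-05-01T09:05:40 carol FAIL
    2015-05-01T09:10:00 admin-bas FAIL
    2015-05-01T09:10:05 admin-bas FAIL
    2015-05-01T09:10:10 admin-bas FAIL
    2015-05-01T09:10:15 admin-bas FAIL
    2015-05-01T09:10:20 admin-bas FAIL
    2015-05-01T09:10:25 admin-bas FAIL
    2015-05-01T09:10:30 admin-bas FAIL
    2015-05-01T09:10:35 admin-bas FAIL
    2015-05-01T09:10:40 admin-bas FAIL
    2015-05-01T09:10:45 admin-bas FAIL
    2015-05-01T09:10:50 admin-bas FAIL
    2015-05-01T12:00:00 bob FAIL
    2015-05-01T12:00:05 bob FAIL
    2015-05-01T14:00:00 bob FAIL
    2015-05-01T14:00:05 bob FAIL
    2015-05-01T14:00:10 bob FAIL
    """


    @dataclass
    class AccountState:
        bad_count: int = 0                      # failures inside the current window
        last_failure: Optional[datetime] = None
        locked: bool = False
        alerted: bool = False


    class LockoutMonitor:
        """Simplified lockout model (an assumption of this example, not AD's exact
        behaviour): a failure increments the counter; the counter resets when the
        observation window has elapsed since the last failure or on a successful
        logon; non-exempt accounts lock at `threshold`; exempt accounts never lock
        but raise one alert when they reach `alert_threshold`."""

        def __init__(self, threshold, observation_window, exempt, alert_threshold):
            self.threshold = threshold
            self.window = observation_window
            self.exempt = set(exempt)
            self.alert_threshold = alert_threshold
            self.states = {}
            self.alerts = []     # (timestamp, account) for exempt accounts under attack
            self.lockouts = []   # (timestamp, account) for accounts that got locked

        def observe(self, ts, account, result):
            st = self.states.setdefault(account, AccountState())
            if result == "SUCCESS":
                st.bad_count = 0
                st.last_failure = None
                return
            if st.last_failure is not None and ts - st.last_failure > self.window:
                st.bad_count = 0     # observation window expired: start counting again
            st.bad_count += 1
            st.last_failure = ts
            if account in self.exempt:
                if st.bad_count >= self.alert_threshold and not st.alerted:
                    st.alerted = True
                    self.alerts.append((ts, account))
            elif st.bad_count >= self.threshold and not st.locked:
                st.locked = True
                self.lockouts.append((ts, account))


    def parse_line(line):
        ts, account, result = line.split()
        return datetime.fromisoformat(ts), account, result


    def analyze(log_text=SAMPLE_LOG):
        """Replay the log through the policy and summarise lockouts, alerts and counters."""
        mon = LockoutMonitor(threshold=5, observation_window=timedelta(hours=1),
                             exempt={"admin-bas"}, alert_threshold=10)
        for line in log_text.splitlines():
            if line.strip():
                mon.observe(*parse_line(line))
        return {
            "locked": [a for _, a in mon.lockouts],
            "alerts": [a for _, a in mon.alerts],
            "bad_counts": {a: s.bad_count for a, s in mon.states.items()},
        }


    if __name__ == "__main__":
        print(analyze())
    ```

    In the sample run, carol is locked after her fifth failure, alice's four failures are wiped by her successful logon, bob's two failures at noon fall outside the window by 14:00 so he ends at a counter of 3, and the exempt admin-bas account is never locked but produces exactly one alert once its failures reach 10, which is the signal a defender would route to on-call rather than relying on the lockout itself.
    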

  3. E says:

    If an Admin account’s lockout duration is set to Never, but the lockout observation is set to 1 hour the account is never locked out right?