One-Liner: Change Account Lockout Threshold

What's the optimal Account Lockout Threshold value? A question that continues to generate a lot of debate!

If an account lockout threshold is set, the latest guidance, issued with Windows Server 2012 R2, suggests a value of 10. Visit this post for more information:

Configuring Account Lockout


After the new guidance was released, I wanted to quickly and efficiently update some of my labs with the new setting. Here's the one-liner I used:

Set-ADObject -Identity (Get-ADRootDSE).defaultNamingContext -Server $((Get-ADDomainController -Discover -Service PrimaryDC).HostName) -Replace @{lockoutThreshold = 10}


We use Get-ADRootDSE to identify the Default Naming Context, i.e. the Distinguished Name of the current domain. Our Account Lockout Policy is stored as attributes on the Domain Naming Context object, which is also known as the domain head. It's this object that we pass to the -Identity parameter.

We then obtain an object for the PDCe* using the -Discover (DCLocator) parameter of Get-ADDomainController and pass the hostname of the PDCe object to the -Server parameter.

Finally, the lockoutThreshold attribute of the domain head is updated using a hash table and the -Replace parameter.
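The same change, broken out step by step so that the current value is recorded first and the result is verified afterwards. This is an added example and not the one-liner from the post; it assumes the ActiveDirectory (RSAT) module is available and that the account running it has rights to modify the domain head. The threshold value of 10 is the one the post refers to.

```powershell
# Added example (not the post's own code): set lockoutThreshold on the
# domain head via the PDC emulator, then verify through the policy cmdlet.
# Assumes the ActiveDirectory module is installed and the caller may edit
# the domain head.
Import-Module ActiveDirectory

$NewThreshold = 10   # value from the guidance the post refers to

# Locate the PDC emulator. Edits to the domain head are made there so the
# PDCe can push the change into the Default Domain Policy GPO.
$Pdce = (Get-ADDomainController -Discover -Service PrimaryDC).HostName |
    Select-Object -First 1

# The Default Naming Context is the domain head object that carries the
# lockout attributes.
$DomainDN = (Get-ADRootDSE -Server $Pdce).defaultNamingContext

# Record the current lockout attributes before changing anything.
$Before = Get-ADObject -Identity $DomainDN -Server $Pdce `
    -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow
Write-Host "Current lockoutThreshold: $($Before.lockoutThreshold)"

# Replace the attribute value on the domain head.
Set-ADObject -Identity $DomainDN -Server $Pdce `
    -Replace @{lockoutThreshold = $NewThreshold}

# Read the policy back from the same DC; this cmdlet reads the same
# attributes we just changed.
$Policy = Get-ADDefaultDomainPasswordPolicy -Server $Pdce
if ($Policy.LockoutThreshold -ne $NewThreshold) {
    throw "lockoutThreshold is $($Policy.LockoutThreshold), expected $NewThreshold"
}
Write-Host "lockoutThreshold is now $($Policy.LockoutThreshold)"
```

Reading the value back from the PDCe rather than from an arbitrary DC avoids a false alarm caused by replication latency; a lockoutThreshold of 0 would mean accounts never lock out, which is why the script checks for the exact value it set.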

*NB: the PDCe is responsible for updating the Default Domain Policy Group Policy Object (via its well-known GUID) with any changes made to the attributes on the domain head. The converse is also true, i.e. the PDCe is responsible for updating the domain head with any changes made to the Default Domain Policy.

Comments (1)

  1. Me says:

    cool stuff
