Information Technology Reference
In-Depth Information
The password policies set on the computer trey-win81-21, a member of the Win81 OU, are
a combination of the Default Domain Policy (where the policy is Not Defined in the Win81
Password Policy) and the policies of the Win81 Password Policy (where they were Enabled).
Coniguring account lockout settings
You configure the default account lockout settings as part of the Default Domain Policy. The
domain account lockout policy applies to all users in the domain except where specific PSOs
have been assigned. You can set the Default Domain Account Lockout Policy by using the
GPMC or the Set-ADDefaultDomainPasswordPolicy cmdlet.
To set the Default Domain Password Policy by using GPMC, follow these steps:
1. Open the GPMC and select Default Domain Policy in the Group Policy Objects
container for the domain.
Click the Settings tab to see the current settings.
2.
Right-click the Default Domain Policy and select Edit from the menu to open the
Group Policy Management Editor.
3.
4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\
Account Policies\Account Lockout Policy. The three policies are these:
Account Lockout Duration
Sets the duration of lockout before an account
automatically unlocks.
Account Lockout Threshold Configures the number of failed logon attempts
before the account is locked. When set to 0, the account will never be locked out.
Reset Lockout Counter The time before the failed account logon counter is reset
to 0. Must be set to less than or equal to the account lockout duration.
To set the Default Domain Account Lockout Policy by using Windows PowerShell, use
the Set-ADDefaultDomainPasswordPolicy cmdlet. For example, to set the Default Domain
Account Lockout Policy to a threshold of 10 failed logon attempts to lockout accounts, use
this command:
Get-ADDefaultDomainPasswordPolicy `
| Set-ADDefaultDomainPasswordPolicy -LockoutThreshold 10
You can also set fine-grained account lockout policies as part of creating and applying
PSOs.
Coniguring Kerberos policy settings
The default Kerberos policy settings are set as part of the Default Domain Policy. There are
five Kerberos policy settings:
Enforce User Logon Restrictions When enabled, the Kerberos V5 Key Distribution
Center (KDC) validates every session ticket request against the user rights policy. The
default value is Enabled.
 
 
 
Previous Page
Next Page
Administering Windows Server 2012 R2
Search WWH ::




Custom Search
Home