How can I ensure user accounts are locked out of OWA after multiple incorrect password attempts?

The Account lockout duration, Account lockout threshold, and Reset account lockout counter after settings are configured in the Default Domain Policy. These settings define what happens when a user attempts to log on to the domain with an incorrect password multiple times. Attempting to log on to OWA with an incorrect password also increments the bad password count (badPwdCount), which will eventually lock the user out of the domain until the count is reset.

Important consideration: an attacker who obtains valid usernames can use this same mechanism to lock users out of the network. The default and recommended values of these Default Domain Policy settings are as follows:

Setting: Account lockout duration
  Description: Specifies the number of minutes a locked-out account remains unavailable before a user can attempt to log back in. Note that such a configuration will likely increase the number of calls the help desk receives to unlock accounts locked by mistake.
  Default:     Windows Server 2008: Not Defined; Windows Server 2003: Not Defined
  Recommended: Windows Server 2008: 15 minutes; Windows Server 2003: 0

Setting: Account lockout threshold
  Description: Determines the number of failed logon attempts before a lockout occurs.
  Default:     Windows Server 2008: 0; Windows Server 2003: 0
  Recommended: Windows Server 2008: 50 invalid logon attempts; Windows Server 2003: 20 invalid logon attempts

Setting: Reset account lockout counter after
  Description: The length of time before the Account lockout threshold counter resets to zero.
  Default:     Windows Server 2008: Not Defined; Windows Server 2003: Not Defined
  Recommended: Windows Server 2008: 15 minutes; Windows Server 2003: 30 minutes

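The following PowerShell is an added example, not code from the original page: it reads the three lockout settings above from the Default Domain Policy, previews applying the Windows Server 2008 recommended values, checks a user's badPwdCount on every domain controller, and lists lockout events so that the deliberate-lockout risk noted above can be spotted. It assumes the RSAT ActiveDirectory module, a domain-joined session with rights to read (and, for the Set step, modify) the policy, and a constructed sample account name jdoe.

```powershell
# Added example, not code from the original page. Assumes the RSAT
# ActiveDirectory module, a domain-joined session, and rights to read and
# (for the Set-* step) modify the Default Domain Policy.
Import-Module ActiveDirectory

# 1. Read the three lockout settings discussed above from the Default Domain Policy.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Preview applying the Windows Server 2008 recommended values:
#    threshold 50, duration 15 minutes, reset the counter after 15 minutes.
#    Windows requires LockoutDuration to be >= LockoutObservationWindow.
#    -WhatIf only previews the change; remove it once the change is reviewed.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 50 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -WhatIf

# 3. badPwdCount is not replicated between domain controllers, so query every
#    DC. The PDC emulator holds the authoritative count because failed logons
#    are forwarded to it.
$user = 'jdoe'   # constructed sample account name, not from the page
$pdc  = (Get-ADDomain).PDCEmulator
foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $user -Server $dc.HostName -Properties badPwdCount, LockedOut
    [pscustomobject]@{
        DC          = $dc.HostName
        IsPDC       = ($dc.HostName -eq $pdc)
        BadPwdCount = $u.badPwdCount
        LockedOut   = $u.LockedOut
    }
}

# 4. Detection: lockout events (Security event ID 4740) are logged on the PDC
#    emulator and include the "Caller Computer Name" that submitted the bad
#    passwords. Many 4740 events from one caller in a short window is the
#    signature of the lockout risk described above. Lists the last 24 hours.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[0].Value } },   # TargetUserName
        @{ n = 'Caller';  e = { [regex]::Match($_.Message, 'Caller Computer Name:\s*(\S+)').Groups[1].Value } }

# 5. List accounts currently locked out. Unlock one only after confirming with
#    the user that the failed attempts were their own.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Unlock-ADAccount -Identity $user
```

Step 3 is the check to run before blaming a user or OWA itself: a count that is high on the PDC emulator but low on the DC the user normally authenticates against usually means the failures came from another client (a stale saved credential or a scripted attempt), which step 4 then attributes to a caller computer.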