eG Monitoring

Measures reported by ADUserLockOutTest

Account lockout is a feature of password security that disables a user account when a certain number of failed logons due to wrong passwords occur within a certain interval of time. The purpose of account lockout is to prevent attackers from guessing a user's password by brute force.

Other ways accounts can get locked out include:

  • Applications using cached credentials that are stale.
  • Stale service account passwords cached by the Service Control Manager (SCM).
  • Stale logon credentials cached by Stored User Names and Passwords in Control Panel.
  • Scheduled tasks and persistent drive mappings that have stale credentials.
  • Disconnected Terminal Service sessions that use stale credentials.
  • Failure of Active Directory replication between domain controllers.
  • Users logging into two or more computers at once and changing their password on one of them.

Any one of the above situations can trigger an account lockout condition, and the results can include applications behaving unpredictably and services inexplicably failing.

This is why, whenever a user complains of being unable to log in to his/her desktop, the help desk should be able to instantly figure out whether that user's account has been locked out and, if so, why. The ADUserLockOutTest test provides answers to these questions. At configured intervals, this test reports the count of locked user accounts and names the users who have been affected by this anomaly.

The measures made by this test are as follows:

Measurement: Account_locked
Description: Indicates the number of account lockouts that occurred during the last measurement period.
Measurement Unit: Number
Interpretation: A very high value for this measure could indicate a malicious attack, and may require further investigation.

If the high lockout rate is not due to any such attacks, then it is recommended that you alter the lockout policy in your environment to minimize the count and consequently, the impact of account lockouts. Microsoft recommends the following policies for high, medium, and low security environments:

Security Level: Low
  • Account Lockout Duration = Not Defined
  • Account Lockout Threshold = 0 (No lockout)
  • Reset account lockout counter after = Not Defined

Security Level: Medium
  • Account Lockout Duration = 30 minutes
  • Account Lockout Threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

Security Level: High
  • Account Lockout Duration = 0 (an administrator must unlock the account)
  • Account Lockout Threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

Measurement: Users_locked_out
Description: Indicates the number of distinct users who were locked out during the last measurement period.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to view the names of these users.

Measurement: Users_locked_cur
Description: Indicates the number of users who are currently locked out.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which users are currently locked out.
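To make the three lockout policies and the three measures concrete, here is an added Python example (not eG's code or Microsoft's) that replays a constructed set of failed-logon timestamps under each recommended policy and computes Account_locked, Users_locked_out and Users_locked_cur for one measurement period. The simplified lockout model is an assumption: attempts against an already locked account are ignored, and the counter resets once the reset window has elapsed since the user's last failure.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int                    # invalid logon attempts before lockout; 0 = no lockout
    reset_after: Optional[timedelta]  # "Reset account lockout counter after"; None = Not Defined
    duration: Optional[timedelta]     # "Account Lockout Duration"; None = 0 = admin must unlock

# The three policies from the table above.
LOW = LockoutPolicy(threshold=0, reset_after=None, duration=None)
MEDIUM = LockoutPolicy(10, timedelta(minutes=30), timedelta(minutes=30))
HIGH = LockoutPolicy(10, timedelta(minutes=30), None)

def simulate(failed_logons, policy):
    """Replay (timestamp, user) failed logons under a policy (simplified model, an assumption).
    Returns the lockout events and a map user -> unlock time (None = locked until admin unlocks)."""
    counts, last_fail, locked, lockouts = defaultdict(int), {}, {}, []
    for ts, user in sorted(failed_logons):
        if user in locked and (locked[user] is None or ts < locked[user]):
            continue                      # attempts against a locked account do not count
        locked.pop(user, None)            # lockout duration has elapsed
        if policy.reset_after and user in last_fail and ts - last_fail[user] > policy.reset_after:
            counts[user] = 0              # reset window elapsed since last failure: counter resets
        counts[user] += 1
        last_fail[user] = ts
        if policy.threshold and counts[user] >= policy.threshold:
            lockouts.append((ts, user))
            counts[user] = 0
            locked[user] = ts + policy.duration if policy.duration else None
    return lockouts, locked

def measures(lockouts, locked, period_start, now):
    """The three ADUserLockOutTest measures for the period [period_start, now]."""
    in_period = [u for ts, u in lockouts if period_start <= ts <= now]
    current = {u for u, until in locked.items() if until is None or now < until}
    return {"Account_locked": len(in_period),
            "Users_locked_out": len(set(in_period)),
            "Users_locked_cur": len(current)}

# Constructed sample (not real logs): alice and carol each fail 10+ times within 30 minutes;
# bob fails 9 times, waits 42 minutes (counter resets), then fails 5 more times.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = ([(T0 + timedelta(minutes=i), "alice") for i in range(12)]
          + [(T0 + timedelta(minutes=i), "bob") for i in range(9)]
          + [(T0 + timedelta(minutes=50 + i), "bob") for i in range(5)]
          + [(T0 + timedelta(minutes=30 + i), "carol") for i in range(10)])
NOW = T0 + timedelta(hours=1)
```

Under the Medium policy alice's lockout (09:09) has expired by 10:00 while carol's (09:39) has not, so Users_locked_cur is 1; under High both stay locked until an administrator intervenes, and under Low nothing is ever locked.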