Active Directory Concepts

Local Security Settings

Account Policies

Password Policy

1. Enforce Password History
To remember passwords so that user cannot use the same
password while resetting or changing.
Default
24 - Domain Controller
0 - Stand Alone Servers
2. Maximum Password Age
No. Of Days after which the password expires.
0 - Never Expires
3. Minimum Password Age
Min No. Of Days after which a password can be
changed.
>0 - To enforce Password History.
4. Minimum Password Length
length of the password
Default
7 - Domain Controller
0 - Stand Alone Server
5. Password Complexity
Enabled/Disabled
6. Store passwords using reversible encryption
Enabled/Disabled

Account LockOut Policy

1. Account Lockout Threshold
No. Of failed logon attempts that causes a user
account to be locked out.
0 - Account Never Locks out.
2. Account Lockout Duration
No. Of minutes a locked out account will remain
locked out before getting unlocked.
0 - Admin must unlock
>0 - Must be Greater than reset time.
3. Reset Account Lockout
No. of minutes that must elapse after a failed
logon attempt before the counter is reset to zero.
If account lockout threshold is specified, reset time
must be less than or equal to account lockout
duration.

Start -- Run -- Cmd

1. net accounts
2. net accounts \lockoutthreshold:0
3. net accounts \lockoutduration:1
4. net accounts \lockoutwindow:0

if \lockoutthreshold:6 then

1. net accounts \lockoutthreshold:6
2. net accounts \lockoutduration:1
3. net accounts \lockoutwindow:1

It says, in one min if we get six invalid attempts
the account will be locked out for one min.
The way we read this is 3....1....2