Account lockout duration (Windows)

Module: Login Parameters

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check reports a problem if the account lockout time setting is less than the time that is specified in your policy. Set the policy value to zero if accounts should be locked out until they are reset by the administrator.

The following table lists the error messages for the check.

Table: Error messages for Account lockout duration

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: ESM_ACCOUNT_LOCKOUT_DISABLED

Category: Policy Compliance

  • Windows 2000 (105234)

  • Windows 2003 (205234)

  • Windows 2008 (248234)

  • Windows Vista (228234)

  • Windows XP (200234)

Title: Account lockout is disabled

Description: The account lockout function is disabled. Accounts will not be locked out after any number of bad logon attempts and are vulnerable to brute force logon attacks.

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESM_LOCKOUT_TIME_TOO_LOW

Category: Policy Compliance

  • Windows 2000 (105232)

  • Windows 2003 (205232)

  • Windows 2008 (248232)

  • Windows Vista (228232)

  • Windows XP (200232)

Title: Lockout time too short

Description: The time an account will remain locked out is shorter than the time specified in your policy. Logon attempts to a locked out account may resume too soon. This increases the chances of a successful brute force logon attack.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [Lockout time: %s; expected: %s]
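The comparison this check describes, including the zero policy value, as an added example (not the product's own code) that evaluates the [System Access] section of a `secedit /export` file and returns the String IDs listed above. It assumes the policy value is in minutes, that a policy of zero is satisfied only by an indefinite lockout (`LockoutDuration = -1` in the export), and that a missing `LockoutDuration` counts as 0; the function names and the "until reset" wording are hypothetical.

```python
# Added example: evaluate the lockout-duration check against a secedit export.
# Constructed sample of `secedit /export /cfg out.inf /areas SECURITYPOLICY`.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
"""

FOREVER = -1  # secedit value: locked until an administrator unlocks the account


def read_system_access(inf_text):
    """Return the key/value pairs of the [System Access] section."""
    section, values = None, {}
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def check_lockout_duration(inf_text, policy_minutes):
    """Return (string_id, info) for a finding, or (None, None) if compliant.

    policy_minutes == 0 means "locked until reset by the administrator".
    """
    sa = read_system_access(inf_text)
    if int(sa.get("LockoutBadCount", "0")) == 0:
        return "ESM_ACCOUNT_LOCKOUT_DISABLED", None  # threshold 0: never locks
    actual = int(sa.get("LockoutDuration", "0"))  # assumption: missing means 0
    if actual == FOREVER:
        return None, None  # indefinite lockout satisfies any policy value
    if policy_minutes == 0 or actual < policy_minutes:
        expected = "until reset" if policy_minutes == 0 else str(policy_minutes)
        info = "[Lockout time: %s; expected: %s]" % (actual, expected)
        return "ESM_LOCKOUT_TIME_TOO_LOW", info
    return None, None


if __name__ == "__main__":
    print(check_lockout_duration(SAMPLE_INF, 30))
```

Real `secedit` exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to `check_lockout_duration`.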