JSI Tip 8704. How do I set account lockout policies in Windows 2000 using ADSI Edit?

Jerold Schulman

November 18, 2004


Account lockout policies can be set for domain accounts or local user accounts. They help secure your network by locking an account when a designated number of failed logon attempts occur within a designated time frame. When an account is locked out, the user cannot log on until the lockout period expires.

NOTE: In Windows NT 4.0, you can use the Passprop.exe utility from the Windows NT 4.0 Server Resource Kit.

NOTE: If you haven't installed the ADSI Edit snap-in, see How do I install the Windows 2000 Support Tools to a Windows 2000 Server?

To set the account lockout policy using ADSI Edit:

1. Open ADSI Edit (Start / Run / ADSIEdit.msc / OK).

2. Expand Domain [.].

3. Right-click DC=,DC= and press Properties.

4. In the Attribute list, select pwdProperties.

5. If required, press Edit.

6. Type one of the following Values:

0: Passwords can be simple, and the administrator account cannot be locked out.

1: Passwords must be complex, and the administrator account cannot be locked out.

8: Passwords can be simple, and the administrator account can be locked out.

9: Passwords must be complex, and the administrator account can be locked out.

7. If a Set button exists, press Set, press Apply, press OK. If no Set button exists, press OK and press Apply.

8. Quit the ADSI Edit snap-in.
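
The four values in step 6 are combinations of two bits of the pwdProperties bit field (1 = complexity, 8 = administrator lockout), so typing one of them overwrites any other bits already set. The following PowerShell is an added example, not part of the original tip: it goes beyond the four listed values by decoding all documented pwdProperties flags and computing a value for step 6 that preserves the other bits. The function names and the sample value are constructed for illustration.

```powershell
# Added example. Flag names and values are the documented pwdProperties bits;
# function names and the sample value are hypothetical.
$PwdPropertyBits = [ordered]@{
    DOMAIN_PASSWORD_COMPLEX         = 0x01   # passwords must be complex
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS           = 0x08   # administrator account can be locked out
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function ConvertFrom-PwdProperties {
    param([int]$Value)
    # Return the name of every flag whose bit is set in $Value.
    $PwdPropertyBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-PwdPropertiesTarget {
    param([int]$Current, [bool]$Complex, [bool]$LockoutAdmins)
    # Clear only bits 0x01 and 0x08, then set them as requested.
    # Every other bit in $Current is carried over unchanged.
    $new = $Current -band (-bnot 0x09)
    if ($Complex)       { $new = $new -bor 0x01 }
    if ($LockoutAdmins) { $new = $new -bor 0x08 }
    $new
}

# Constructed sample: complexity bit plus the cleartext-store bit already set.
$sample = 0x11
"Sample $sample decodes to: $((ConvertFrom-PwdProperties $sample) -join ', ')"
"Value to type in step 6: $(Get-PwdPropertiesTarget -Current $sample -Complex $true -LockoutAdmins $true)"

# Read the live value from the domain head (requires a domain-joined machine).
try {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $raw    = $domain.pwdProperties.Value
    if ($null -eq $raw) { throw 'pwdProperties could not be read' }
    "Live pwdProperties = $raw : $((ConvertFrom-PwdProperties ([int]$raw)) -join ', ')"
} catch {
    "Could not query the domain: $($_.Exception.Message)"
}
```

Record the live value before changing it in ADSI Edit so the previous setting can be restored.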


