Active Directory - How to Test Password and Account Lockout Policies

JMcNairTech

Setting up proper password and account lockout policies is a key part of hardening an Active Directory (AD) environment. In this hands-on guide, we’ll walk through how to configure these policies using Group Policy and then test them with a real user account.

Prerequisites

Before you begin, make sure you have the following:

  • A Windows Server domain controller (e.g., mcnairtech.local)

  • Active Directory and DHCP roles already installed

  • A domain-joined client workstation for testing

Step 1: Configure Password and Lockout Policies

  1. Open Group Policy Management Console (gpmc.msc)

  2. Right-click your domain (mcnairtech.local) and choose Create a GPO in this domain and link it here. Name it something like:

    Domain Password Policy

  3. Right-click the new GPO and select Edit

  4. Navigate to:

    Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies

Under Password Policy, set:

  • Minimum password length: 12 characters

  • Password must meet complexity requirements: Enabled

  • Enforce password history: 24 passwords remembered

Under Account Lockout Policy, set:

  • Account lockout threshold: 5 invalid logon attempts

  • Account lockout duration: 15 minutes

  • Reset account lockout counter after: 15 minutes

  5. Close the editor. Ensure the GPO is linked to the domain root: account policies for domain accounts are only read from GPOs linked at the domain level, so a GPO linked to an OU will not take effect.

Step 2: Force the Policy to Apply

Group Policy refreshes on a schedule, but you can apply it immediately:

  1. Open Command Prompt as Administrator

  2. Run: gpupdate /force

  3. Restart your domain controller to ensure all settings apply

If you have a domain-joined client, restart that too.


Step 3: Create a Test User

  1. Open Active Directory Users and Computers (dsa.msc)

  2. Right-click the Users container or a test OU, then choose New > User

  3. Create a user:

    • Full name: Test User

    • Username: testuser

    • Password: Try a weak one like pass123 first (it should be rejected by the new policy)

    • Then use a compliant password like McnairTech!2024 to proceed

Step 4: Test the Account Lockout Policy

  1. On a domain-joined PC or the domain controller, try logging in as testuser with the wrong password 5 times

  2. On the next attempt you should see the message:

    "The referenced account is currently locked out and may not be logged on to."

Step 5: Verify the Lockout in Active Directory

  1. Open Active Directory Users and Computers

  2. Right-click the testuser account > Properties > Account tab

  3. You should see the "Unlock account" checkbox unchecked, showing that the account is currently locked out

To clear the lockout, either:

  • Check the "Unlock account" box and click OK

  • Or wait for the configured lockout duration (15 minutes) to expire

Optional: Verify Policy with GPResult

To confirm the policy applied successfully:

Run:

    gpresult /h report.html

Open report.html in a browser and scroll to Computer Settings > Account Policies.
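The same verification can be scripted. The following is an added example, not part of the original post: using the ActiveDirectory PowerShell module it reads the effective domain policy and compares it with the values from Step 1, reports the lockout state of testuser (Step 5), finds the matching lockout event on the PDC emulator, and unlocks the account. It assumes the ActiveDirectory module (RSAT) is installed and that you run it with rights to read the domain and unlock accounts; mcnairtech.local and testuser are the post's example names.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and you have rights to read the domain and unlock accounts.
Import-Module ActiveDirectory

$domain = 'mcnairtech.local'   # the post's example domain
$user   = 'testuser'           # the post's example test account

# 1. Read the effective domain policy and compare it with the values set in Step 1.
$policy   = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$expected = @{
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    PasswordHistoryCount     = 24
    LockoutThreshold         = 5
    LockoutDuration          = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(15)
}
foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    $state  = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-25} expected={1,-10} actual={2,-10} {3}' -f $name, $expected[$name], $actual, $state
}

# 2. Report whether the test account is currently locked out and since when.
#    BadPwdCount is not replicated, so it reflects only the DC this query hit.
$acct = Get-ADUser -Identity $user -Properties LockedOut, LockoutTime, BadPwdCount
[PSCustomObject]@{
    User        = $acct.SamAccountName
    LockedOut   = $acct.LockedOut
    LockedSince = if ($acct.LockoutTime) { [DateTime]::FromFileTime($acct.LockoutTime) } else { $null }
    BadPwdCount = $acct.BadPwdCount
}

# 3. Confirm the lockout from the Security log. Every lockout in the domain is
#    recorded as event 4740 on the PDC emulator; for 4740, Properties[0] is the
#    locked account and Properties[1] the caller computer that triggered it.
$pdc = (Get-ADDomain -Identity $domain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 |
    Where-Object { $_.Properties[0].Value -eq $user } |
    Select-Object TimeCreated, @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }

# 4. Clear the lockout: the equivalent of ticking "Unlock account" in Step 5.
if ($acct.LockedOut) { Unlock-ADAccount -Identity $user }
```

Run the policy comparison (section 1) after Step 2 as well: if any row reports MISMATCH, the GPO is not linked at the domain root or has not yet been applied.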

Conclusion

With these steps, you’ve enforced and verified password complexity, length, and account lockout policies using Group Policy in Active Directory. This foundational task is essential in any secure Windows domain.

Stay tuned for more AD and GPO hands-on guides!
