Someone who enters more than a few wrong passwords while attempting to log on to your system might be an attacker trying to discover an account password. Windows domain controllers keep a record of logon attempts, and they can be configured to react to this kind of possible attack by disabling the account for a configured period. Account Lockout Policy settings control the threshold for this reaction and the actions taken once the threshold is reached.
In this hands-on virtual lab, as a Windows Server administrator you will learn how to configure a domain Account Lockout Policy by using the Group Policy Management Console and Windows PowerShell to maintain Active Directory Domain Services (AD DS). A directory is a hierarchical structure that stores data about objects on the network. Active Directory Domain Services (AD DS) provides the methods for storing directory data and making this data accessible to network users and administrators. For example, AD DS stores data about user accounts and allows other authorized users on the same network to access this data.
The Group Policy Management Console (GPMC) consolidates Group Policy management across an enterprise. It is a single user interface for managing Group Policy objects (GPOs), including backing up, restoring, importing, and copying them. In this lab, you will learn how to use the GPMC and PowerShell effectively. Other Guided Challenges in this series are:
- Manage Active Directory Groups
- Manage Active Directory Users
- Can You Create and Manage Active Directory Users and Groups?
- Manage Organizational Units
- Create and Manage Group Policy Objects
- Configure Group Policy Settings and Preferences
- Configure Group Policy Processing
- Can You Implement and Manage Group Policy?
Understand the Scenario
Windows administrators and systems administrators are accountable for maintaining data security, configuring user access, and securing the rest of the system. In this virtual lab, you are a Windows Server administrator and your job is to maintain the Active Directory Domain Services (AD DS) environment. To do this job, you will configure the response when a user violates the Account Lockout Policy for the domain. First, you will configure the Account Lockout Policy by using the Group Policy Management Console (GPMC), and then you will test the policy. Next, you will unlock the account that violated the policy. Finally, you will learn how to configure the Account Lockout Policy settings by using Windows PowerShell. To carry out this entire operation, you will use a Windows Server 2016 domain controller named DC01 and a member server named SVR1 in this hands-on lab.
Configure Account Lockout Policy settings by using the Group Policy Management Console
In the first step of this lab, you will sign in to DC1 as an Administrator using the given password. You will then learn how to configure the default Account lockout duration property for the domain to 15 minutes. Account Lockout Policy defines what happens when a user enters a wrong password. It is intended to keep an intruder from using a brute-force attack or dictionary attack to guess the user's password. The Account lockout duration setting determines the number of minutes a locked-out account remains locked before it is automatically unlocked. This value can be set between 0 minutes and 99,999 minutes. In this virtual lab, you will learn how to use the Group Policy Management Console (GPMC) to define these settings.
Check your work
In this step, you will test the Account Lockout Policy for the domain by trying to sign in to the member server SVR1 six times by using the correct username but an incorrect password. You will switch to domain controller DC1, and then unlock the account for the given username by using Active Directory Users and Computers. You will verify that the given user can sign in to the member server SVR1 by using the given password. You will then switch back to the domain controller DC1 and change the Account lockout duration setting for the domain to 2 minutes. Finally, you will switch to member server SVR1 and check the sign-in attempt again. In other words, you will learn how to check and confirm that you configured the Account Lockout Policy for the domain. After this, you will check that you configured accounts to be locked when the account lockout threshold is exceeded. In the final step, you will learn how to test the Account Lockout Policy for the domain as the given user.
Configure the Account Lockout Policy by using Windows PowerShell
Windows PowerShell is a Windows command-line shell created specifically for system administrators. It provides an interactive prompt and a scripting environment. In this step, you will switch to domain controller server DC1 using the given login credentials. You will display the domain Account Lockout Policy settings by running a Windows PowerShell cmdlet. You will then use a cmdlet to set the account lockout duration for the domain to 5 minutes and to configure the account lockout threshold to 4. Finally, you will test the Account Lockout Policy for the domain by trying to sign in to the member server five times by using an incorrect password. This entire step is done in PowerShell.
Check your work
This is the final step of the virtual lab. Here, you will check and confirm that you set the account lockout duration and that you have configured the account lockout threshold for the domain. You will also confirm that you tested the Account Lockout Policy for the domain. Finally, you will learn how to check that you unlocked the user account by using Windows PowerShell. The lockout time must be greater than or equal to the lockout detection period for a password policy. If you set the account lockout duration to zero, the account will be locked out until an administrator explicitly unlocks it. These are extremely important steps, and you will learn how to accomplish this task by using Windows PowerShell.
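The PowerShell steps described above, as an added example that is not part of the original lab materials. The page does not name the cmdlets the lab uses, so the ActiveDirectory module cmdlets below are an assumption; the account name labuser is a placeholder, and the "lockout detection period" is taken to be the policy's LockoutObservationWindow value.

```powershell
# Added example (not from the lab). Run on the domain controller, or on a host
# with the RSAT ActiveDirectory module, as a domain administrator.
Import-Module ActiveDirectory

$domain    = (Get-ADDomain).DNSRoot       # current domain; no domain name is assumed
$duration  = New-TimeSpan -Minutes 5      # lockout duration used in this lab step
$threshold = 4                            # failed attempts before lockout (lab value)

# 1. Display the current domain Account Lockout Policy settings.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$policy | Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. The duration must be >= the observation window (the "lockout detection
#    period"). If the existing window is longer than the new duration, lower it
#    in the same call; otherwise the change is rejected.
$params = @{
    Identity         = $domain
    LockoutDuration  = $duration
    LockoutThreshold = $threshold
}
if ($policy.LockoutObservationWindow -gt $duration) {
    $params.LockoutObservationWindow = $duration
}
Set-ADDefaultDomainPasswordPolicy @params

# 3. Confirm the new values before testing sign-ins from the member server.
Get-ADDefaultDomainPasswordPolicy -Identity $domain | Format-List Lockout*

# 4. After the failed sign-in test: list locked-out users, then unlock one.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LockedOut, LastLogonDate

$user    = 'labuser'                      # placeholder account name (assumption)
$account = Get-ADUser -Identity $user -Properties LockedOut, AccountLockoutTime, BadLogonCount
if ($account.LockedOut) {
    "Locked since $($account.AccountLockoutTime), bad logons: $($account.BadLogonCount)"
    Unlock-ADAccount -Identity $account
}

# 5. Check that the account is no longer locked.
(Get-ADUser -Identity $user -Properties LockedOut).LockedOut
```

Reviewing the output of step 4 before unlocking shows when the lockout occurred and how many bad attempts were recorded on that domain controller, which helps distinguish a mistyped password from repeated guessing.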
Lab Summary Conclusion
After completing the “Configure Account Lockout Policy Settings” virtual lab, you will have accomplished the following:
- Configured the Account Lockout Policy settings by using GPMC.
- Configured the Account Lockout Policy settings by using Windows PowerShell.
- Tested the Account Lockout Policy for the domain.
- Unlocked a user account by using Active Directory Users and Computers.
- Unlocked a user account by using Windows PowerShell.