Active Directory Account Lockout Simulation and Resolution

Overview

This lab demonstrates how to resolve an account lockout scenario using Active Directory Domain Services in a Windows Server environment. By configuring Group Policy settings and using a Windows 10 Client VM, I tested how failed login attempts trigger account lockouts and how to respond to and resolve them as an administrator.

Skills Demonstrated

  • Configuring Account Lockout Policy via Group Policy
  • Managing Active Directory Users and unlocking accounts
  • Performing domain join operations on client systems
  • Verifying domain membership with whoami and %userdnsdomain%
  • Simulating user login failures and lockout scenarios
  • Analyzing security logs (Event ID 4740) to diagnose account lockouts
  • Setting up network connectivity and DNS resolution between systems
  • Enforcing password change on next login for user accounts

Tools Used

  • Windows Server (Active Directory)
  • Windows 10
  • Group Policy Management Console (gpmc.msc)
  • Active Directory Users and Computers (dsa.msc)
  • Event Viewer (eventvwr.msc)
  • Network and Sharing Center
  • Command Prompt (whoami, ping, echo)

1. Environment Setup

  • Installed a Windows Server VM
  • Created a local Administrator account
  • Installed Active Directory Domain Services (AD DS)
  • Promoted the server to a Domain Controller with the domain name: lab.local

2. User Creation

  • In Active Directory Users and Computers, I created a test user:
    • Name: John Doe
    • Logon Name: j.doe
      This user will be used to simulate failed login attempts.

3. Configure Account Lockout Policy

  • Opened Group Policy Management (gpmc.msc)
  • Navigated to:
    Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy
  • Configured the following settings:
    • Account lockout threshold: 5 invalid attempts
    • Account lockout duration: 15 minutes
    • Reset account lockout counter after: 15 minutes

4. Network Configuration

  • Configured the Windows Server and Windows 10 Client VM to be on the same network
  • Verified connectivity by pinging the Server’s IP from the Client
  • Set the Client's preferred DNS to the Server’s IP via Control Panel > Network and Sharing Center
  • Verified internet access by pinging google.com

5. Join Domain

  • On the Windows 10 Client, I joined the domain lab.local
  • After restarting and logging in, I confirmed domain membership using:
    whoami
    echo %userdnsdomain%

6. Simulate Account Lockout

  • On the Windows 10 Client, I attempted 5 incorrect passwords when logging in as j.doe
  • The account was successfully locked out

7. Monitor Security Logs

  • On the Domain Controller, I opened Event Viewer (eventvwr.msc)
  • Navigated to: Windows Logs > Security
  • Located Event ID 4740 indicating the account was locked out

8. Unlock Account

  • Returned to Active Directory Users and Computers
  • Located j.doe > Unlock Account
  • Also selected "User must change password at next logon"

9. Password Reset and Final Login

  • At the next login on the Windows 10 Client, j.doe was prompted to change the password
  • After a successful password change, John Doe was able to log in again
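The checks from steps 3, 7 and 8 (confirm the lockout policy, find the Event ID 4740 entry, unlock the account and force a password change) can also be done from an elevated PowerShell session on the Domain Controller. This is an added example, not part of the original lab; it assumes the ActiveDirectory module installed with AD DS is available and uses the lab's j.doe account.

```powershell
# Added example (not from the lab): verify lockout policy, locate the 4740
# event, unlock j.doe and force a password change at next logon.
# Assumes an elevated session on the Domain Controller with the
# ActiveDirectory module available.
Import-Module ActiveDirectory

$User = 'j.doe'   # test account created in step 2

# Step 3 check: confirm the Default Domain Policy lockout settings are in effect.
$Policy = Get-ADDefaultDomainPasswordPolicy
"Threshold: {0}  Duration: {1}  Reset window: {2}" -f `
    $Policy.LockoutThreshold, $Policy.LockoutDuration, $Policy.LockoutObservationWindow

# Step 7: pull Event ID 4740 (account locked out) from the Security log.
# In a 4740 event, Properties[0] is the locked account (TargetUserName) and
# Properties[1] is the Caller Computer Name, the machine the failed
# attempts came from (the Windows 10 Client in this lab).
$Lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User } |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }
$Lockouts | Format-Table -AutoSize

# Step 8: only unlock if the account is actually locked right now.
$Acct = Get-ADUser -Identity $User -Properties LockedOut
if ($Acct.LockedOut) {
    Unlock-ADAccount -Identity $User
    # Same effect as ticking "User must change password at next logon" in dsa.msc.
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true
    "Unlocked $User and set password change at next logon."
} else {
    "$User is not locked out; nothing to do."
}
```

The CallerComputer column is the value worth keeping when triaging a real lockout: it tells you which host is sending the bad passwords before you unlock the account.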