# Active Directory - How to Test Password and Account Lockout Policies

Setting up proper password and account lockout policies is a key part of hardening an Active Directory (AD) environment. In this hands-on guide, we’ll walk through how to configure these policies using Group Policy and then test them with a real user account.

## Prerequisites

Before you begin, make sure you have the following:

* A Windows Server domain controller for a lab domain (here, mcnairtech.local)
    
* The Active Directory Domain Services role installed (the lab used here also runs DHCP, but it is not needed for this exercise)
    
* A domain-joined client workstation for testing
    
* An account that can create and link GPOs at the domain root (a member of Domain Admins will do)
    

### Step 1: Configure Password and Lockout Policies

1. Open **Group Policy Management Console** (`gpmc.msc`)
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749418470207/e6b62905-336d-438a-ad17-fa4dcdd9976e.png align="center")
    
2. Right-click your domain (`mcnairtech.local`) and choose **Create a GPO in this domain and link it here**. Name it something like:
    
    > Domain Password Policy
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749419020637/09db4930-fdc6-4fd2-a1d5-9ad779275ec6.png align="center")
    
3. Right-click the new GPO and select **Edit**
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749419502550/5fe10ce4-4b65-4aeb-92e3-c19968eb5045.png align="center")

4. Navigate to:
    
    > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies
    

Under **Password Policy**, set:

* Minimum password length: 12 characters
    
* Password must meet complexity requirements: Enabled
    
* Enforce password history: 24 passwords remembered
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749419304107/0c5d5f2e-db36-4125-b332-6b0eecda8ed1.png align="center")

Under **Account Lockout Policy**, set:

* Account lockout threshold: 5 invalid logon attempts
    
* Account lockout duration: 15 minutes
    
* Reset account lockout counter after: 15 minutes
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749419704235/b7e882f3-0630-4be2-a34a-4fd4c2959a0d.png align="center")

5. Close the editor. Ensure the GPO is **linked** to the domain root and that it sits above **Default Domain Policy** in the link order (Linked Group Policy Objects tab; a lower link order number means higher precedence). Account Policies for domain accounts are only honoured from GPOs linked at the domain root, and the highest-precedence one wins; the same settings in a GPO linked to an OU only change the local account database of the computers in that OU.
    

---

### Step 2: Force the Policy to Apply

Group Policy refreshes on its own schedule (every 5 minutes on domain controllers, every 90 minutes plus a random offset on other machines), but you can apply it immediately:

1. Open **Command Prompt as Administrator**
    
2. Run `gpupdate /force`
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749419856791/3a17d9c5-5273-4516-a7ff-a7e901257f6d.png align="center")

3. A restart is not required: the settings take effect once the domain controller has processed the GPO. If you have more than one DC, run `gpupdate /force` on the PDC emulator, because that is the DC that writes the domain's account policy.
    

If you have a domain-joined client, run `gpupdate /force` there as well (or restart it).
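Before moving on to a test user, it is worth confirming that the domain actually enforces the values the GPO defines, rather than trusting the editor. The following PowerShell is an added example for this guide, not code from the original post; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, the domain is `mcnairtech.local`, and the GPO is named `Domain Password Policy` as above.

```powershell
# Added example (not from the original post): confirm the password and lockout
# settings in the GPO are what the domain really enforces.
# Assumptions: ActiveDirectory and GroupPolicy RSAT modules, domain
# mcnairtech.local, GPO named "Domain Password Policy" linked at the domain root.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain -Identity 'mcnairtech.local'

# 1. Domain account policy only comes from GPOs linked at the domain root, and a
#    lower link order number means higher precedence. If the new GPO sits below
#    Default Domain Policy, the default values win and the new GPO is ignored.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks | Sort-Object Order
$links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

$ours = $links | Where-Object DisplayName -eq 'Domain Password Policy'
$ddp  = $links | Where-Object DisplayName -eq 'Default Domain Policy'
if (-not $ours) {
    throw 'GPO "Domain Password Policy" is not linked at the domain root.'
}
if ($ddp -and $ours.Order -gt $ddp.Order) {
    Write-Warning 'Domain Password Policy is linked below Default Domain Policy; raise its link order.'
}

# 2. Read the effective policy from the PDC emulator, the DC that writes these
#    values to the domain object, and compare it with what the GPO should set.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $domain.PDCEmulator

$expected = @{
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    PasswordHistoryCount     = 24
    LockoutThreshold         = 5
    LockoutDuration          = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(15)
}

$mismatches = foreach ($name in $expected.Keys) {
    if ($policy.$name -ne $expected[$name]) {
        '{0}: expected {1}, got {2}' -f $name, $expected[$name], $policy.$name
    }
}

if ($mismatches) {
    Write-Warning "Effective domain policy does not match the GPO:`n$($mismatches -join "`n")"
} else {
    Write-Host 'Effective domain policy matches the configured values.'
}
```

A quicker, module-free cross-check is `net accounts` on the domain controller, which prints the same minimum length, history, lockout threshold, duration and observation window as the domain currently enforces them.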

---

### Step 3: Create a Test User

1. Open **Active Directory Users and Computers** (`dsa.msc`)
    
2. Right-click the `Users` container or a test OU, then choose **New > User**
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749420054451/78e39052-7c2f-47ef-8566-81330f2784a2.png align="center")

3. Create a user:
    
    * Full name: Test User
        
    * Username: testuser
        
* Password: Try a weak one like `pass123` first. It should be rejected, because it is shorter than 12 characters and fails the complexity check
        
    * Then use a compliant password like `McnairTech!2024` (15 characters with upper case, lower case, a digit and a symbol) to proceed
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749420203720/6966ecac-38e0-414f-b582-8d4f46a849d3.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749420265805/f8429a05-5e29-42a0-b9e2-64a49766ecf9.png align="center")

### Step 4: Test the Account Lockout Policy

1. On a domain-joined PC (or at the domain controller's console), try logging in as `testuser` with the **wrong password** 5 times
    
2. Once the fifth attempt fails, the account is locked. The next logon attempt, even with the correct password, is refused with:
    
    > "The referenced account is currently locked out and may not be logged on to."
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749420514253/8fbdd830-3663-4555-9d72-88001e7f5eda.png align="center")
    
### Step 5: Verify the Lockout in Active Directory

1. Open **Active Directory Users and Computers**
    
2. Right-click the `testuser` account > **Properties** > **Account** tab
    
3. The **Unlock account** checkbox is unchecked, and its label states that the account is currently locked out on this domain controller
    

To unlock it manually:

* Check the box and click OK
    
* Or wait for the configured lockout duration (15 minutes here) to expire
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749420656244/a8b940d6-7d27-4146-9e3b-e46712539ef1.png align="center")
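Steps 3 to 5 can also be driven from PowerShell, which makes the test repeatable and shows where the evidence of a lockout actually lives. The script below is an added example for this guide, not code from the original post. It assumes the ActiveDirectory RSAT module, the domain `mcnairtech.local`, the test account `testuser`, and a session with rights to create, reset and unlock accounts; failed logons are generated with a credential check against the PDC emulator, which raises the bad-password count just as a wrong password at the logon screen does.

```powershell
# Added example (not from the original post): create the test user, prove the
# policy rejects a weak password, lock the account out, verify it and unlock it.
# Assumptions: ActiveDirectory RSAT module, domain mcnairtech.local, test user
# "testuser", and a session with rights to create, reset and unlock accounts.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$domain = Get-ADDomain -Identity 'mcnairtech.local'
$pdc    = $domain.PDCEmulator   # bad-password counts and lockouts converge here
$user   = 'testuser'
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
if ($policy.LockoutThreshold -eq 0) { throw 'Lockout threshold is 0: lockout is disabled.' }

# Step 3: create the account without a password, then show the domain policy
# rejecting a weak one before a compliant one is set.
New-ADUser -Name 'Test User' -SamAccountName $user `
    -UserPrincipalName "$user@$($domain.DNSRoot)" -Server $pdc

$weak = ConvertTo-SecureString 'pass123' -AsPlainText -Force
try {
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $weak -Server $pdc -ErrorAction Stop
    Write-Warning 'Weak password accepted: the domain password policy is not in effect.'
} catch {
    Write-Host "Weak password rejected as expected: $($_.Exception.Message)"
}

$good = ConvertTo-SecureString 'McnairTech!2024' -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $good -Server $pdc
Enable-ADAccount -Identity $user -Server $pdc

# Step 4: generate failed logons. Each failed credential check against the DC
# raises badPwdCount exactly as a wrong password at the logon screen would.
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $pdc)
1..$policy.LockoutThreshold | ForEach-Object {
    $ok = $ctx.ValidateCredentials($user, "WrongPassword$_")
    Write-Host "Attempt $_ : authenticated = $ok"
}

# Even the correct password is refused while the account is locked out.
$stillOk = $ctx.ValidateCredentials($user, 'McnairTech!2024')
Write-Host "Correct password while locked out: authenticated = $stillOk"

# Step 5: verify on the PDC emulator. badPwdCount is not replicated between
# DCs, so always ask the DC that holds the authoritative count.
$acct = Get-ADUser -Identity $user -Server $pdc -Properties LockedOut, badPwdCount, AccountLockoutTime
$acct | Select-Object SamAccountName, LockedOut, badPwdCount, AccountLockoutTime | Format-List

# The DC also records event ID 4740 ("A user account was locked out") in its
# Security log, naming the account and the computer the bad attempts came from.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 10 |
    Where-Object { $_.Message -match $user } |
    Select-Object TimeCreated, Message

# Unlock manually, or let the configured lockout duration expire on its own.
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $user -Server $pdc
    Write-Host "$user unlocked; the lockout would otherwise have expired after $($policy.LockoutDuration)."
}
```

Event 4740 is the record a SOC watches for lockout storms; `Search-ADAccount -LockedOut -Server $pdc` is the quick way to list every currently locked account without opening Users and Computers.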
    
### Optional: Verify Policy with GPResult

To confirm the policy applied successfully, run the following from an elevated Command Prompt (without elevation the report omits the computer settings):

```plaintext
gpresult /h report.html
```

Open `report.html` in a browser and scroll to **Computer Settings** > **Account Policies**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749420862588/4a47f2cf-67f7-449a-b38a-3f6efc61e86e.png align="center")

### Conclusion

With these steps, you've enforced and verified password complexity, length, and account lockout policies using Group Policy in Active Directory. This foundational task is essential in any secure Windows domain. Keep in mind that a lockout threshold cuts both ways: anyone who can reach a domain controller can lock out a known account with five bad passwords, which is why a finite lockout duration and an automatic counter reset are preferable to lockouts that only an administrator can clear.

Stay tuned for more AD and GPO hands-on guides!
