This post explains how to configure Windows Active Directory to limit unsuccessful logon attempts in support of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.8, providing step-by-step Group Policy and PowerShell instructions, configuration recommendations, operational considerations for small businesses, and compliance documentation tips.
Overview of the Requirement and Why It Matters
Control AC.L2-3.1.8 requires organizations to limit the number of unsuccessful logon attempts to reduce the risk of brute-force and credential-stuffing attacks against accounts that access Controlled Unclassified Information (CUI). The control does not mandate specific numeric values, so you must select and document settings that balance security and availability, justify them in your System Security Plan (SSP), and demonstrate monitoring and response capabilities as part of your compliance framework implementation.
Implementation in Active Directory — High Level
In a traditional on-premises Windows AD environment, account lockout behavior is controlled by the domain password policy settings stored in the Default Domain Policy or another domain-linked GPO. The three key settings are: Account lockout threshold (number of invalid attempts), Account lockout duration (how long the account stays locked), and Reset account lockout counter after (window for counting bad attempts). Configure these at the domain level so they apply to all domain accounts unless you use Fine-Grained Password Policies (FGPP) to apply different settings to specific groups.
Step-by-step: Configure via Group Policy (GPMC)
Practical steps: open Group Policy Management Console (gpmc.msc), edit the Default Domain Policy (or create a dedicated domain policy and link it to the domain), then navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy. Recommended starting values for small organizations: Account lockout threshold = 5 invalid attempts; Account lockout duration = 15 minutes; Reset account lockout counter after = 15 minutes. After applying, run gpupdate /force on a client or wait for replication; verify with the Local Security Policy snap-in on a client and by checking the domain controller Event Viewer. Document the rationale for the chosen values in your SSP and control implementation narrative for CMMC audits.
PowerShell and Fine-Grained Password Policies (FGPP)
If you prefer scripting or need automation, use the ActiveDirectory module: Import-Module ActiveDirectory; then Set-ADDefaultDomainPasswordPolicy -Identity "contoso.local" -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 15) -LockoutObservationWindow (New-TimeSpan -Minutes 15). For service accounts or privileged accounts that require different treatment, use FGPPs (Password Settings Objects) in the Active Directory Administrative Center or New-ADFineGrainedPasswordPolicy to apply alternative lockout thresholds to specific security groups. Never set highly privileged accounts to an aggressive lockout that could be abused to create a denial-of-service; instead, consider longer thresholds, managed service accounts, or excluding non-interactive service accounts from interactive lockout count where appropriate and justified.
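The following script is an added example, not code from the original post: it applies the 5/15/15 domain default from the PowerShell command above, creates a Fine-Grained Password Policy with a less aggressive lockout for service accounts, and then verifies the resultant policy for a user in each population. The domain name, the group name, the PSO name and the two sample accounts are assumed placeholders; the password-age and length values in the PSO are assumptions too, because a PSO must carry the full set of password-policy attributes, not only the lockout ones.

```powershell
# Added example (not from the original post): set the domain-wide lockout
# values, carve out a less aggressive FGPP for service accounts, and verify
# the resultant policy. Domain, group, PSO and user names are assumed.
Import-Module ActiveDirectory

$Domain       = 'contoso.local'        # assumed domain name
$ServiceGroup = 'SVC-Lockout-Relaxed'  # assumed group holding service accounts
$PsoName      = 'PSO-ServiceAccounts'  # assumed PSO name

# 1. Domain default: 5 attempts / 15 min lockout / 15 min observation window.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# 2. FGPP for service accounts: a higher threshold so one misconfigured client
#    cannot take a service down, while attempts are still capped. The password
#    settings below are assumed values; mirror what your SSP documents.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -LockoutThreshold 20 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ComplexityEnabled $true -MinPasswordLength 25 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ServiceGroup
}

# 3. Verify the domain default, then the resultant policy per account.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

function Test-LockoutPolicy {
    param([string]$SamAccountName, [int]$ExpectedThreshold)
    # Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies,
    # in which case the domain default is the effective policy.
    $pol = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pol) { $pol = Get-ADDefaultDomainPasswordPolicy -Identity $Domain }
    [pscustomobject]@{
        User      = $SamAccountName
        Threshold = $pol.LockoutThreshold
        Pass      = ($pol.LockoutThreshold -eq $ExpectedThreshold)
    }
}
Test-LockoutPolicy -SamAccountName 'jdoe'       -ExpectedThreshold 5    # assumed standard user
Test-LockoutPolicy -SamAccountName 'svc-backup' -ExpectedThreshold 20   # assumed service account
```

The `Pass` column from `Test-LockoutPolicy` is the kind of output worth saving as an assessor artifact: it shows that the domain default and the exception both resolve to the values documented in the SSP.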
Monitoring, Logging and Response
Limiting attempts without monitoring defeats part of the purpose. Enable Advanced Audit Policy (Logon/Logoff → Audit Logon, failure events, and Account Management → Audit User Account Management, success events) and collect Event ID 4625 (failed logon) and 4740 (account locked out) from domain controllers. Note that 4740 is written only to the Security log of the PDC emulator, so that domain controller must be in your collection scope. Route these to a SIEM or a centralized log repository and create alerts for patterns such as multiple locked accounts across many users or repeated lockouts from a single IP address. For small businesses without a SIEM, use scheduled scripts or lightweight log aggregation tools to email alerts to the administrator or to generate a weekly report. Keep lockout events retained per your retention policy for incident investigations and audits.
Real-world Small Business Scenario
Example: a 30-person engineering firm storing CUI on a domain-joined file server. Actionable plan: (1) Test settings in a staging OU with five test users; (2) Apply domain policy with threshold=5/duration=15/reset=15; (3) Implement MFA for VPN and remote RDP to reduce exposure; (4) Configure audit forwarding from two domain controllers to a lightweight collector like EventSentry or open-source ELK; (5) Document the policy and helpdesk procedure for unlocking accounts. After rollout, track lockout rates for two weeks and adjust threshold if accidental lockouts spike due to misconfigured sync clients or legacy devices.
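The script below is an added example, not code from the original post, and serves both the monitoring section and step (5) of the scenario above: it pulls 4740 and 4625 events from every domain controller, reports lockouts per day and per calling computer for the post-rollout review window, and raises the two alert patterns the monitoring section names (many distinct accounts locked, one source address failing against many accounts). It assumes the ActiveDirectory module on an admin workstation and read access to the domain controllers' Security logs; the review window, alert thresholds and report path are assumptions.

```powershell
# Added example (not from the original post): summarise lockout and failed-logon
# events from the DCs for rollout tracking and simple alerting without a SIEM.
# Review window, thresholds and the report path are assumed values.
Import-Module ActiveDirectory

$Days             = 14    # post-rollout review window
$MassLockoutLimit = 5     # distinct accounts locked in the window -> alert
$SourceFailLimit  = 50    # failed logons from one source IP -> alert
$ReportPath       = "$env:TEMP\lockout-report.csv"   # assumed location

# Read EventData fields by name from the event XML, not by index position.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740 is written on the PDC emulator; 4625 lands on whichever DC validated
# the NTLM logon, so query every DC and merge the results.
$dcs      = (Get-ADDomainController -Filter *).HostName
$since    = (Get-Date).AddDays(-$Days)
$lockouts = [System.Collections.Generic.List[object]]::new()
$failures = [System.Collections.Generic.List[object]]::new()
foreach ($dc in $dcs) {
    $q = @{ ComputerName = $dc; ErrorAction = 'SilentlyContinue' }   # no events => no error
    foreach ($e in (Get-WinEvent @q -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since })) {
        $lockouts.Add([pscustomobject]@{
            Time   = $e.TimeCreated
            User   = Get-EventField $e 'TargetUserName'
            Caller = Get-EventField $e 'TargetDomainName'   # "Caller Computer Name" in 4740
            DC     = $dc
        })
    }
    foreach ($e in (Get-WinEvent @q -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since })) {
        $failures.Add([pscustomobject]@{
            Time = $e.TimeCreated
            User = Get-EventField $e 'TargetUserName'
            IP   = Get-EventField $e 'IpAddress'
            DC   = $dc
        })
    }
}

# Rollout tracking: lockouts per day and per calling computer expose the
# misconfigured sync clients and legacy devices that cause accidental lockouts.
$lockouts | Group-Object { $_.Time.Date } | Sort-Object Name |
    Select-Object @{n='Day';e={$_.Name}}, Count | Format-Table -AutoSize
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10 | Format-Table -AutoSize

# Alert patterns from the monitoring section.
$alerts = @()
$distinctLocked = @($lockouts | Select-Object -ExpandProperty User -Unique).Count
if ($distinctLocked -ge $MassLockoutLimit) {
    $alerts += "Mass lockout: $distinctLocked distinct accounts locked in the last $Days days"
}
$failures | Group-Object IP | Where-Object { $_.Count -ge $SourceFailLimit } | ForEach-Object {
    $accounts = @($_.Group | Select-Object -ExpandProperty User -Unique).Count
    $alerts += "Source $($_.Name): $($_.Count) failed logons against $accounts accounts"
}

$lockouts | Export-Csv -Path $ReportPath -NoTypeInformation
$alerts   # hand these to Send-MailMessage or a ticketing system in place of a SIEM
```

Run it from a scheduled task once a day during the two-week review and keep the CSV exports; the per-caller table tells you which device to fix before you consider raising the threshold, and the alert lines are the weekly report the text suggests for organizations without a SIEM.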
Risks of Not Implementing and Operational Considerations
Failing to limit unsuccessful logon attempts leaves accounts vulnerable to brute force and credential stuffing, enabling attackers to gain footholds, escalate privileges, and exfiltrate CUI — a direct compliance and business risk. Conversely, overly aggressive lockout settings can be abused to cause denial-of-service by intentionally locking out accounts. Mitigations include choosing conservative thresholds, enabling alerting for mass lockouts, using MFA (which greatly reduces the efficacy of brute-force attacks), and using FGPPs and managed service accounts to avoid operational disruptions.
Compliance Tips and Best Practices
Document settings and justification in your SSP and map them to AC.L2-3.1.8. Include the policy GPO name, PowerShell output, and test results as artifacts for assessors. Train helpdesk staff on verification procedures for unlocking accounts and require out-of-band verification for privileged account unlocks. Combine lockout controls with MFA, password complexity, and account monitoring. Regularly review locked-account alerts and maintain a POA&M entry if you must temporarily deviate from recommended settings, noting compensating controls and remediation timelines.
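As an added example, not code from the original post, the script below gathers the artifacts this section lists into one dated folder and checks the live domain values against the ones recorded in the SSP, so drift shows up as a FAIL instead of being discovered by an assessor. The GPO name, domain name, evidence path and documented values are assumptions to be replaced with what your SSP actually records.

```powershell
# Added example (not from the original post): collect AC.L2-3.1.8 evidence
# and check the live lockout values against the SSP-documented ones.
# GPO name, domain, evidence path and documented values are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = 'contoso.local'                 # assumed
$GpoName    = 'Default Domain Policy'         # assumed GPO carrying the lockout settings
$Documented = @{ LockoutThreshold = 5; LockoutDurationMin = 15; LockoutObservationMin = 15 }  # per SSP (assumed)
$Evidence   = "C:\Evidence\AC.L2-3.1.8\$(Get-Date -Format yyyyMMdd)"   # assumed path
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. GPO report for the assessor plus the raw effective policy.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$Evidence\$($GpoName -replace ' ','_').html"
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Export-Csv "$Evidence\effective-policy.csv" -NoTypeInformation

# 2. Every FGPP and who it applies to, so exceptions are visible rather than hidden.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow,
        @{n='AppliesTo';e={ $_.AppliesTo -join ';' }} |
    Export-Csv "$Evidence\fgpp.csv" -NoTypeInformation

# 3. Drift check: a FAIL means either the SSP or the domain needs updating,
#    with a POA&M entry covering the gap in the meantime.
function Test-DocumentedLockout {
    param($Policy, [hashtable]$Expected)
    $checks = @(
        [pscustomobject]@{ Setting='LockoutThreshold';               Live=$Policy.LockoutThreshold;                       Expected=$Expected.LockoutThreshold }
        [pscustomobject]@{ Setting='LockoutDuration (min)';          Live=$Policy.LockoutDuration.TotalMinutes;          Expected=$Expected.LockoutDurationMin }
        [pscustomobject]@{ Setting='LockoutObservationWindow (min)'; Live=$Policy.LockoutObservationWindow.TotalMinutes; Expected=$Expected.LockoutObservationMin }
    )
    foreach ($c in $checks) {
        $c | Add-Member -NotePropertyName Result -NotePropertyValue $(if ($c.Live -eq $c.Expected) { 'PASS' } else { 'FAIL' })
    }
    $checks
}
$results = Test-DocumentedLockout -Policy $policy -Expected $Documented
$results | Export-Csv "$Evidence\drift-check.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

Keeping `drift-check.csv` alongside the GPO report gives the assessor the GPO name, the PowerShell output and a test result in one place, which is exactly the artifact set this section asks for.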
Implementing account lockout policies in Active Directory is a straightforward, high-impact control to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AC.L2-3.1.8. Use GPO or PowerShell to set and document reasonable thresholds (e.g., 5/15/15), test before broad rollout, monitor lockout events, apply FGPPs for exceptions, combine with MFA, and record everything in your compliance artifacts to demonstrate implementation and ongoing management.