Configure automatic lock-out of work sessions

Written by Cyberangels
Updated over 2 years ago

The purpose of account locking is to make it more difficult for password guessing attacks to succeed. If account lockout is not configured, a malicious user can automate login attempts against different user accounts, trying common passwords and every possible combination of eight characters or fewer in a very short period of time, until one finally works. When account locking is configured, Windows locks the account after a certain number of failed login attempts and blocks further login attempts even if the correct password is provided.

Windows account locking can be configured with these three settings:

  • Account lockout threshold: the number of failed login attempts that trigger the account lockout. If set to 0, account locking is disabled and accounts are never locked.

  • Account lock duration: the number of minutes an account remains locked before it is automatically unlocked. If set to 0, the account remains locked until an administrator explicitly unlocks it.

  • Reset account lock counter after: the number of minutes after a failed login attempt before the failed-login counter is reset to 0. The counter is also reset after a successful login.

Brute-force attacks on passwords can be automated to try thousands or even millions of password combinations against one or all user accounts. Limiting the number of unsuccessful logins that can be executed almost completely eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain where an account lockout threshold is configured. A malicious user could run an automated series of password attacks against all users in the organisation. If the number of attempts were greater than the value of the account lockout threshold, the attacker could potentially lock out all accounts.
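As an added example (not part of the original article), the PowerShell below reads the three lockout values that `net accounts` reports on a local machine, interprets the 0 / "Never" semantics described above, and builds the `net accounts` command that applies a target policy. The target values (threshold 10, duration 15, window 15) and the constructed sample output are assumptions, not recommendations from the article.

```powershell
# Added example: audit and apply the local account lockout policy.
# `net accounts` prints "Never" where the underlying policy value is 0.

function Get-LockoutPolicy {
    param([string[]]$NetAccountsOutput = (net accounts))   # default: query the live machine
    $policy = @{ Threshold = $null; Duration = $null; Window = $null }
    foreach ($line in $NetAccountsOutput) {
        if     ($line -match '^Lockout threshold:\s+(\S+)')                     { $policy.Threshold = $Matches[1] }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)')          { $policy.Duration  = $Matches[1] }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $policy.Window   = $Matches[1] }
    }
    return $policy
}

function ConvertTo-PolicyNumber([string]$Value) { if ($Value -eq 'Never') { 0 } else { [int]$Value } }

function Test-LockoutPolicy {
    # $MaxThreshold and $MinThreshold are assumed audit limits, not values from the article.
    param([hashtable]$Policy, [int]$MaxThreshold = 10, [int]$MinThreshold = 5)
    $findings  = @()
    $threshold = ConvertTo-PolicyNumber $Policy.Threshold
    $duration  = ConvertTo-PolicyNumber $Policy.Duration
    if ($threshold -eq 0) {
        $findings += 'Threshold is 0 (Never): lockout is disabled, so online password guessing is unlimited.'
        return $findings
    }
    if ($threshold -gt $MaxThreshold) { $findings += "Threshold $threshold permits many guesses per observation window." }
    if ($threshold -lt $MinThreshold) { $findings += "Threshold $threshold is low: mistyped passwords and lockout-based DoS become more likely." }
    if ($duration -eq 0) { $findings += 'Duration is 0: locked accounts stay locked until an administrator unlocks them, raising DoS impact.' }
    return $findings
}

function Get-LockoutPolicyCommand {
    param([int]$Threshold = 10, [int]$DurationMinutes = 15, [int]$WindowMinutes = 15)
    # Windows requires the reset window to be no longer than a non-zero lockout duration.
    if ($DurationMinutes -ne 0 -and $WindowMinutes -gt $DurationMinutes) {
        throw 'Reset window must not exceed the lockout duration.'
    }
    return "net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes"
}

# Constructed sample of `net accounts` output: lockout disabled (threshold 0 shown as "Never").
$sample = @(
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30'
)
Test-LockoutPolicy (Get-LockoutPolicy -NetAccountsOutput $sample)
Get-LockoutPolicyCommand   # run the printed command as an administrator to apply the policy
```

On a domain, the same three values live in the default domain password policy and are set with `Set-ADDefaultDomainPasswordPolicy` from the ActiveDirectory module rather than with `net accounts` on each host.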
