Configure Account Lockout Policy in Windows Server 2022 Active Directory
Account Lockout Policy converts a brute-force password attack from 'eventually wins' into 'locks the account and stops'. Three knobs are configured at the domain level via Default Domain Policy: lockout threshold (failed attempts before the account locks; default 0 = no protection, recommended 5), reset counter (minutes before the failed-attempt counter resets; default 30), and lockout duration (minutes the account stays locked; 0 = manual unlock only).

This guide walks the full setup in Server 2022 GPMC with a Windows 10 client: edit Default Domain Policy, set the three values, disable Administrator account lockout (recommended, protects break-glass), run gpupdate /force, deliberately lock a test user (5 wrong passwords), then unlock via the ADUC Account tab or Unlock-ADAccount in PowerShell.

It also covers the domain-scope constraint (the policy must live in Default Domain Policy, not in an OU-linked GPO; this is one of the rare exceptions to the don't-edit-defaults rule), the SIEM event-ID reference (4625/4740/4767), and pointers to Fine-Grained Password Policy for per-user/per-OU differentiation.
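
The verification and unlock steps described above can be checked from PowerShell on a domain-joined admin workstation. This is an added example, not part of the original walkthrough; the account name `lockout.test` and the 24-hour lookback are assumptions, and it requires the ActiveDirectory module plus rights to read the Security log on the PDC emulator.

```powershell
# Added example (not from the original page). Run after gpupdate /force.
Import-Module ActiveDirectory

$TestUser = 'lockout.test'   # hypothetical test account; replace with your own

# 1. Read the three lockout values the domain is actually enforcing.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    LockoutThreshold       = $policy.LockoutThreshold
    ResetCounterMinutes    = $policy.LockoutObservationWindow.TotalMinutes
    LockoutDurationMinutes = $policy.LockoutDuration.TotalMinutes
} | Format-List

# A threshold of 0 means accounts never lock, i.e. no brute-force protection.
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Lockout threshold is 0: account lockout is not in effect.'
}

# 2. List user accounts that are locked out right now.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 3. Pull recent 4740 (account locked out) events from the PDC emulator.
#    The second event property holds the computer the failed logons came from.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-24)   # lookback window is an assumption
} | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $_.Properties[0].Value
        CallerComputer = $_.Properties[1].Value
    }
}

# 4. Unlock the test user and confirm the lock has cleared.
Unlock-ADAccount -Identity $TestUser
Get-ADUser -Identity $TestUser -Properties LockedOut |
    Select-Object SamAccountName, LockedOut
```

After step 4 the domain controller logs event 4767 (account unlocked); the failed attempts that triggered the lock appear as 4625 on the machine that processed the logons.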