![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 41%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 81%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
Hello Rob,
Thank you for posting question on Microsoft Windows Forum.
Based on the issue description, I would like to share my insight with you into this problem.
Well! When a user is at home and not connected to the corporate network, Windows uses cached credentials. It's a securely stored hash of the password from the last successful online logon. When the user enters their password, the computer compares it against this local cached hash. The computer has no communication with the Domain Controller. Therefore, it cannot tell the DC that a failed attempt occurred, and the badPwdCount in Active Directory is never incremented. The standard domain account lockout policy never kicks in. To solve this, I suggest using Group Policy setting designed to protect against brute-force attacks on cached credentials. It does not lock the user's AD account, but it locks the local machine, preventing any further logon attempts for a period of time.
The following are steps for your reference.
1.Open Group Policy Management Console (GPMC).
- On your DC, go to Start -> Windows Administrative Tools -> Group Policy Management
2.Create or Edit a GPO.
3.Edit the GPO.
4.Navigate to the Security Setting.
- In the Group Policy Management Editor, navigate to the following path
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
5.Configure the Lockout Policies.
- In the right-hand pane, find the following two settings:
- Interactive logon: Machine account lockout threshold
- Double-click this setting.
- Check the box for "Define this policy setting".
- Enter the number of invalid attempts you want to allow before the machine locks. The user requested 10, which is a reasonable number.
- Click OK.
6.Apply the GPO.
Please note: Implement the above steps in your testing environment first.
Alternatively, you can consider other modern approach like Windows Hello for Business which replaces password logons with strong, two-factor authentication using a PIN or biometrics (fingerprint, facial recognition). It is not susceptible to password brute-force attacks, either online or offline.
You can refer to following articles for more information.
- https://free.blessedness.top/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
- https://free.blessedness.top/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-duration
Hope the above information is helpful! If it is. Free feel to hit "Accepted" for benefitting others in community having the same issue too.