I am trying clarify some of specific settings within a domain password policy (settings report was produced based on Get-ADDefaultDomainPasswordPolicy). For info - there are no additional fine grained password policies in operation which may supersede the default policy. The lockout threshold setting is currently set to 5, but confusingly the lockout duration is currently set to 0 which I assumed meant there is no real time based lock in place to protect accounts from password guessing/brute force attacks.... unless the setting of 0 means a Microsoft default time value will apply, e.g. 15 minutes? Is there any logical reason you can think of why you would set lockout duration to 0 if you have purposely set a lockout threshold to 5, i.e. is there anything else that may be in operation which supersedes/removes the need for applying an appropriate value for the duration setting?
Secondly, the lockout observation window has a really strange value of 69:10:39:00 - what does this represent in terms of minutes, or timeframes hh:mm, how can we convert it into something meaningful? And does this parameter have any impact (e.g. supersede) on the lack of a value in the lockout duration parameter?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 76%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 43%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)