During a security review, a systems administrator must configure the Account Lockout Policy on Windows Server 2019 file servers that are joined to Active Directory. The requirement is to lock a user account after exactly five consecutive failed logon attempts, automatically unlock it after 15 minutes, and reset the failed-attempt counter at the same time. Which of the following combinations of Group Policy settings meets these requirements while minimizing help-desk involvement?
The setting combination that uses a lockout threshold of 5 invalid attempts, a lockout duration of 15 minutes, and a reset-counter value of 15 minutes satisfies every part of the requirement. A lockout duration of 15 minutes unlocks the account automatically, fulfilling the core requirement and minimizing help-desk calls. Matching the 'Reset account lockout counter after' value to the duration ensures that the bad logon attempt counter is cleared when the account is unlocked, preventing an immediate re-lockout upon the next logon attempt. In contrast, setting the lockout duration to 0 would require an administrator to manually unlock the account. Setting the lockout threshold to 0 would disable the lockout policy entirely. The 'Reset account lockout counter after' setting does not accept a value of 0; a value must be specified that is less than or equal to the lockout duration.