'LockoutThreshold' is actually implemented by Windows as LockoutBadCount. What shows up in an Account Lockout Policy is Account Lockout Threshold but what gets written to disk when you change it is LockoutBadCount. That item is available in the list of existing policy objects. I updated the code to add AuditPolicyChange; that was mssing. I also added ResetLockoutCount which pairs with the Lockout Threshold so users aren't permanently locked out. The last item, LockoutObservationWindow, does not appear in a Security Policy as exported by secedit but you can get to it via PowerShell. It is part of a customized fine grain password policy. Read more here: http://woshub.com/fine-grained-password-policy-in-windows-server-2012-r2/

Signed-off-by: John McCrae <jmccrae@chef.io>

1 files changed, 2 insertions, 0 deletions

diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
index 1b0a285197..c2de8c615d 100644
--- a/lib/chef/resource/windows_security_policy.rb
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -35,6 +35,8 @@ class Chef
                         PasswordHistorySize
                         LockoutBadCount
                         ResetLockoutCount
+                        AuditPolicyChange
+                        LockoutDuration
                         RequireLogonToChangePassword
                         ForceLogoffWhenHourExpire
                         NewAdministratorName