A much needed feature was added in Service Pack 2 for Forefront TMG 2010. This great new feature gives you the ability to lock accounts on TMG at the local level before accounts are actually locked out in the domain. The account lockout feature, when used properly, will prevent TMG from trying to authenticate a user to a Domain Controller after the defined number of bad passwords has been attempted.

In one of my previous blogs I talked about scenarios where TMG is being used as a reverse proxy and the Account Lockout Threshold has been set in the AD domain. Often, when companies require their users to change passwords at a given interval, devices end up with a stale password stored on them. Such a device may retry the old password for Exchange ActiveSync over and over again until the domain account is locked out. This causes a lot of frustration for IT departments that have to track down the source of the lockouts and also unlock accounts frequently.

To enable this new feature, install SP2 which you can get here. The details for the new lockout feature can be found here.

The new feature, however, is not automatically enabled after installing the Service Pack and cannot be modified using the TMG GUI. The account lockout feature can only be configured through the Forefront TMG COM object model. Fortunately for us there are examples available on how to do this using PowerShell. One such example has been provided by Jan Egil Ring in the Microsoft Script Center and it is located here.
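As an added illustration of driving the COM object model from PowerShell (this is my own sketch, not the blog's code and not Jan Egil Ring's script), the snippet below reads the array-level lockout settings and, only when run with -Apply, enables the feature. It assumes TMG 2010 SP2 and that the array's Properties object exposes EnableAccountLockout, AccountLockoutThreshold and AccountLockoutResetTime; those three names are assumptions to verify against the SP2 SDK before relying on them.

```powershell
# Added example, not code from the original blog or from the Script Center.
# Assumed property names: EnableAccountLockout, AccountLockoutThreshold,
# AccountLockoutResetTime (check them against the TMG SP2 SDK documentation).
param(
    [int]$Threshold    = 4,   # bad passwords TMG tolerates before it stops forwarding to the DC
    [int]$ResetMinutes = 30,  # minutes until TMG clears its local bad-password counter
    [switch]$Apply            # without -Apply the script only reports the current settings
)

# Connect to the local TMG configuration store and get the array this server belongs to.
$fpcRoot  = New-Object -ComObject "FPC.Root"
$tmgArray = $fpcRoot.GetContainingArray()
$props    = $tmgArray.Properties

# Guard: the lockout properties only exist once SP2 is installed, so fail clearly
# instead of silently creating PowerShell variables that the COM object never sees.
$required = 'EnableAccountLockout', 'AccountLockoutThreshold', 'AccountLockoutResetTime'
$missing  = $required | Where-Object { -not ($props | Get-Member -Name $_) }
if ($missing) {
    throw "Lockout properties not found ($($missing -join ', ')); is TMG SP2 installed?"
}

"Current lockout settings on array '$($tmgArray.Name)':"
"  EnableAccountLockout    : $($props.EnableAccountLockout)"
"  AccountLockoutThreshold : $($props.AccountLockoutThreshold)"
"  AccountLockoutResetTime : $($props.AccountLockoutResetTime) minute(s)"

if ($Apply) {
    # Keep TMG's threshold BELOW the domain's Account Lockout Threshold so that
    # TMG trips first and the misbehaving device never locks the AD account.
    $props.EnableAccountLockout    = $true
    $props.AccountLockoutThreshold = $Threshold
    $props.AccountLockoutResetTime = $ResetMinutes
    $tmgArray.Save()   # persist the array configuration to the TMG storage
    "Applied: threshold=$Threshold, reset=$ResetMinutes minute(s)."
}
```

Run it once without -Apply to confirm the properties are present and see the current values, then with -Apply on the array's management server.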

There are a couple of important things to keep in mind when using this feature:

--> Please see the rest on the blog : http://blogs.technet.com/b/isablog/archive/2012/11/01/using-the-account-lockout-feature-in-tmg-2010.aspx