When the ActiveDirectoryMembershipProvider.EnablePasswordReset property is true, the user must answer the password question to reset his or her password. The user is allowed a limited number of answer attempts within the time window established by the ActiveDirectoryMembershipProvider.PasswordAttemptWindow property. If the number of password answer attempts is greater than or equal to the value stored in the ActiveDirectoryMembershipProvider.MaxInvalidPasswordAttempts property, the user is locked out of further attempts for the number of minutes stored in the ActiveDirectoryMembershipProvider.PasswordAnswerAttemptLockoutDuration property.

The ActiveDirectoryMembershipProvider.MaxInvalidPasswordAttempts property is set in your application's configuration file using the maxInvalidPasswordAttempts attribute of the membership element. If the property is not set in the application's configuration file, the ActiveDirectoryMembershipProvider.MaxInvalidPasswordAttempts property is set to the default value of 5.