From 4e18d977eb7ca0b21514cbe00b956fee54e9ecc4 Mon Sep 17 00:00:00 2001
From: Loren Gordon <lorengordon@users.noreply.github.com>
Date: Wed, 18 Mar 2020 07:44:08 -0700
Subject: [PATCH 1/2] Uses correct zero value for lgpo LockoutDuration

Fixes #56406
---
 salt/modules/win_lgpo.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/salt/modules/win_lgpo.py b/salt/modules/win_lgpo.py
index 254c59ffe1e0..455bb2763cbf 100644
--- a/salt/modules/win_lgpo.py
+++ b/salt/modules/win_lgpo.py
@@ -2615,12 +2615,18 @@ def __init__(self):
                         "lgpo_section": self.account_lockout_policy_gpedit_path,
                         "Settings": {
                             "Function": "_in_range_inclusive",
-                            "Args": {"min": 0, "max": 6000000},
+                            "Args": {
+                                "min": 0,
+                                "max": 6000000,
+                                "zero_value": 0xFFFFFFFF,
+                            },
                         },
                         "NetUserModal": {"Modal": 3, "Option": "lockout_duration"},
                         "Transform": {
                             "Get": "_seconds_to_minutes",
                             "Put": "_minutes_to_seconds",
+                            "GetArgs": {"zero_value": 0xFFFFFFFF},
+                            "PutArgs": {"zero_value": 0xFFFFFFFF},
                         },
                     },
                     "LockoutThreshold": {
@@ -4252,7 +4258,10 @@ def _seconds_to_minutes(cls, val, **kwargs):
         """
         converts a number of seconds to minutes
         """
+        zero_value = kwargs.get("zero_value", 0)
         if val is not None:
+            if val == zero_value:
+                return 0
             return val / 60
         else:
             return "Not Defined"
@@ -4262,7 +4271,10 @@ def _minutes_to_seconds(cls, val, **kwargs):
         """
         converts number of minutes to seconds
         """
+        zero_value = kwargs.get("zero_value", 0)
         if val is not None:
+            if val == 0:
+                return zero_value
             return val * 60
         else:
             return "Not Defined"

From 8f79096601491b5b835c22476d7f44275ccb3fe0 Mon Sep 17 00:00:00 2001
From: Loren Gordon <lorengordon@users.noreply.github.com>
Date: Wed, 18 Mar 2020 08:33:13 -0700
Subject: [PATCH 2/2] Tests validity of LockoutDuration zero value

---
 tests/integration/modules/test_win_lgpo.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/tests/integration/modules/test_win_lgpo.py b/tests/integration/modules/test_win_lgpo.py
index 162593463ac6..bd425cd3f8a2 100644
--- a/tests/integration/modules/test_win_lgpo.py
+++ b/tests/integration/modules/test_win_lgpo.py
@@ -559,6 +559,27 @@ def test_set_computer_policy_ClipboardRedirection(self):
             ],
         )
 
+    @destructiveTest
+    def test_set_computer_policy_LockoutDuration(self):
+        """
+        Test setting LockoutDuration
+        """
+        # For LockoutDuration to be meaningful, first configure
+        # LockoutThreshold
+        self._testSeceditPolicy("LockoutThreshold", 3, [r"^LockoutBadCount = 3"])
+
+        # Next set the LockoutDuration non-zero value, as this is required
+        # before setting LockoutWindow
+        self._testSeceditPolicy("LockoutDuration", 60, [r"^LockoutDuration = 60"])
+
+        # Now set LockoutWindow to a valid value <= LockoutDuration. If this
+        # is not set, then the LockoutDuration zero value is ignored by the
+        # Windows API (leading to a false sense of accomplishment)
+        self._testSeceditPolicy("LockoutWindow", 60, [r"^ResetLockoutCount = 60"])
+
+        # set LockoutDuration zero value, the secedit zero value is -1
+        self._testSeceditPolicy("LockoutDuration", 0, [r"^LockoutDuration = -1"])
+
     @destructiveTest
     def test_set_computer_policy_GuestAccountStatus(self):
         """