Change Account Lockout Duration in Windows 11



This tutorial will show you how to change the Account lockout duration in Windows 11 or Windows 10.

Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached.

The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.

The Account lockout duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. An administrator can also manually unlock a locked-out account.

The Reset account lockout counter after policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.

The Allow Administrator account lockout policy determines whether the built-in Administrator account is subject to account lockout policy.

Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.


Starting with Windows 11 build 22528, the Account lockout threshold policy is set to 10 failed sign-in attempts by default, the Account lockout duration is set to 10 minutes by default, Allow Administrator account lockout is enabled by default, and Reset account lockout counter after is set to 10 minutes by default.


You must be signed in as an administrator to change the Account lockout duration.



Contents

  • Option One: Change Account Lockout Duration in Local Security Policy
  • Option Two: Change Account Lockout Duration in Windows Terminal




Option One

Change Account Lockout Duration in Local Security Policy


Local Security Policy is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to set the same policy.


1 Open Local Security Policy (secpol.msc).

2 Double click/tap on Account Policies in the left pane to expand, and click/tap on Account Lockout Policy to open it. (see screenshot below)

Account_lockout_duration-1.png

3 In the right pane of Account Lockout Policy, double click/tap on the Account lockout duration policy to open its properties. (see screenshot above)

4 Type in a number between 0 and 99999 for how many minutes you want an account to stay locked out before it is automatically unlocked, and click/tap on OK. (see screenshot below)

The Account lockout threshold policy must be enabled to be able to change the Account lockout duration policy.

Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.

0 = Account stays locked out until an administrator unlocks it.

10 is the default.


Account_lockout_duration-2.png

5 If Account lockout duration is set lower than Reset account lockout counter after, then review the suggested values under Suggested Setting that will be set for Reset account lockout counter after, and click/tap on OK to confirm. (see screenshot below)

Account_lockout_duration-3.png

6 If you like, you can change the Account lockout threshold, Allow Administrator account lockout, and Reset account lockout counter after policies.

7 When finished, you can close the Local Security Policy window if you like.




Option Two

Change Account Lockout Duration in Windows Terminal


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Copy and paste the net accounts command into Windows Terminal (Admin), and press Enter to see the current Lockout duration (minutes) policy setting. (see screenshot below)

Account_lockout_duration_command-1.png

3 Type the command below into Windows Terminal (Admin), and press Enter. (see screenshot below)

net accounts /lockoutduration:<number>

Substitute <number> in the command above with a number between 0 and 99999 for how many minutes you want an account to stay locked out before it is automatically unlocked.

The Account lockout threshold policy must be enabled to be able to change the Account lockout duration policy.

Lockout duration (minutes) must be greater than or equal to the value of Lockout observation window (minutes).

0 = Account stays locked out until an administrator unlocks it.

10 is the default.

For example: net accounts /lockoutduration:10


Account_lockout_duration_command-2.png

4 If you like, you can change the Account lockout threshold, Allow Administrator account lockout, and Reset account lockout counter after policies.

5 When finished, you can close Windows Terminal (Admin) if you like.
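The script below is an added example, not part of the original tutorial. It checks the values reported by net accounts against the rules above: the threshold must be enabled, duration must be greater than or equal to the observation window, and 0 means locked until an administrator unlocks. The function names are hypothetical, and the English "Lockout threshold" label and the handling of "Never" are assumptions.

```powershell
# Added example: audit lockout settings as printed by `net accounts`.
# Assumes English-language labels in the command output.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        # Settings print as "Label:   value"; the final status line has no colon and is skipped.
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Policy)
    # Non-numeric values such as "Never" are treated as 0 (assumption).
    $toInt = { param($v) if ("$v" -match '^\d+$') { [int]$v } else { 0 } }
    $threshold = & $toInt $Policy['Lockout threshold']
    $duration  = & $toInt $Policy['Lockout duration (minutes)']
    $window    = & $toInt $Policy['Lockout observation window (minutes)']

    $findings = @()
    if ($threshold -eq 0) {
        $findings += 'Threshold is 0: accounts never lock, so the duration cannot take effect.'
    }
    elseif ($duration -eq 0) {
        # 0 is a valid special case, so it is not compared against the window.
        $findings += 'Duration is 0: locked accounts stay locked until an administrator unlocks them.'
    }
    elseif ($duration -lt $window) {
        $findings += "Duration ($duration min) is shorter than the observation window ($window min)."
    }
    return $findings
}

# Constructed sample output; on a real system use: $lines = net accounts
$lines = @(
    'Lockout threshold:                                    5'
    'Lockout duration (minutes):                           5'
    'Lockout observation window (minutes):                 10'
    'The command completed successfully.'
)
$findings = Test-LockoutPolicy -Policy (ConvertFrom-NetAccounts -Lines $lines)
if ($findings) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'Lockout duration is consistent with the threshold and observation window.'
}
```

With the constructed sample, the script reports that the 5-minute duration is shorter than the 10-minute observation window.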


That's it,
Shawn Brink


 
