Accounts Change Account Lockout Threshold in Windows 11


  • Staff
Account_lockout_banner.png

Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached.

The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.

The Account lockout duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. An administrator can also manually unlock a locked-out account.

The Reset account lockout counter after policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.

The Allow Administrator account lockout policy determines whether the built-in Administrator account is subject to account lockout policy.

Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.

See also:

Starting with Windows 11 build 22528 and higher, the Account lockout threshold policy is now set to 10 failed sign-in attempts by default. The Account lockout duration is now set to 10 minutes by default. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default.

This tutorial will show you how to change the Account lockout threshold to lock out a local account after a specified number of failed sign-in attempts to Windows 11 or Windows 10.


The Account lockout threshold policy does not apply to Microsoft accounts. It only applies to local accounts.

You must be signed in as an administrator to change the Account lockout threshold.



Contents

  • Option One: Change Account Lockout Threshold in Local Security Policy
  • Option Two: Change Account Lockout Threshold in Windows Terminal


EXAMPLE: Locked out account

locked_out_account.jpg





Option One

Change Account Lockout Threshold in Local Security Policy


Local Security Policy is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to set the same policy.


1 Open Local Security Policy (secpol.msc).

2 Double click/tap on Account Policies in the left pane to expand, and click/tap on Account Lockout Policy to open it. (see screenshot below)

Account_lockout_threshold-1.png

3 In the right pane of Account Lockout Policy, double click/tap on the Account lockout threshold policy to open its properties. (see screenshot above)

4 Type in a number between 0 and 999 for how many invalid logon attempts you want until locked out after, and click/tap on OK. (see screenshot below)

0 will disable the Account lockout threshold policy.

10 is the default.


Account_lockout_threshold-2.png

5 Review the suggested values under Suggested Setting that will be set, and click/tap on OK to confirm. (see screenshot below)

Account_lockout_threshold-3.png

6 If you like, you can change the Account lockout duration, Allow Administrator account lockout, and Reset account lockout counter after policies.

7 When finished, you can close the Local Security Policy window if you like. (see screenshot below)

Account_lockout_threshold-4.png




Option Two

Change Account Lockout Threshold in Windows Terminal


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Copy and paste the net accounts command into Windows Terminal (Admin), and press Enter to see the current Lockout threshold policy setting. (see screenshot below)

Account_lockout_threshold_command-1.png

3 Type the command below into Windows Terminal (Admin), and press Enter. (see screenshot below)

net accounts /lockoutthreshold:<number>

Substitute <number> in the command above with a number between 0 and 999 for how many invalid logon attempts you want until locked out after.

0 will disable the Account lockout threshold policy.

10 is the default.

For example: net accounts /lockoutthreshold:10


Account_lockout_threshold_command-2.png

4 If you like, you can change the Account lockout duration, Allow Administrator account lockout, and Reset account lockout counter after policies.

5 When finished, you can close Windows Terminal (Admin) if you like.


That's it,
Shawn Brink


 

Attachments

  • Account_lockout.png
    Account_lockout.png
    17.8 KB · Views: 17
  • 1658590851765.png
    1658590851765.png
    34.2 KB · Views: 12
Last edited:

Latest Tutorials

Top Bottom