Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached.
The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.
The Account lockout duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. An administrator can also manually unlock a locked-out account.
The Reset account lockout counter after policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.
The Allow Administrator account lockout policy determines whether the built-in Administrator account is subject to account lockout policy.
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.
Starting with Windows 11 build 22528 and higher, the Account lockout threshold policy is now set to 10 failed sign-in attempts by default. The Account lockout duration is now set to 10 minutes by default. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default.
This tutorial will show you how to enable or disable the Allow Administrator account lockout policy in Windows 11.
You must be signed in as an administrator to enable or disable the Allow Administrator account lockout policy.
Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.
Open Local Security Policy (secpol.msc).
Double click/tap on Account Policies in the left pane to expand, and click/tap on Account Lockout Policy to open it. (see screenshot below)
In the right pane of Account Lockout Policy, double click/tap on the Allow Administrator account lockout policy to open its properties. (see screenshot above)
The Account lockout threshold policy must be enabled to be able to change the Allow Administrator account lockout policy.
Select Enabled (default) or Disabled for what you want, and click/tap on OK. (see screenshot below)
If you like, you can change the Account lockout threshold, Account lockout duration, and Reset account lockout counter after policies.
When finished, you can close the Local Security Policy window if you like.