Windows comes with certain policy settings that allows users to change the number of failed logon attempts that are allowed before causing an account to be locked out. These options are disabled by default. In this post I will show you how to enable Account Lockout and manage it to prevent someone from guessing your password by entering random password continuously.
Enable Account Lockout Policy
The quickest way to enable Account Lockout is from the command line. Open an elevated Command Prompt and type in a command like this:
net accounts /lockoutthreshold:1
1
is the allowed attempts before lockout. Change the value to what you want to allow.
Another method to enable Account Lockout is using the Local Group Policy Editor. To open Policy Editor type in gpedit.msc
in the Run dialog, and press Enter. When it opens, navigate to the following path:
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
In the right-pane you’ll see three Policy settings:
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
First, you’ve to enable “Account lockout threshold” before you can set the other policies (more on them below). To do so, double-click on the policy, set a value you want for “invalid logon attempts” (between 1 and 999, 0 disables policy), and hit OK. What you did here is exactly the same that the first command does, but in a GUI.
Specify Account Lockout duration
By default, an account is locked out for 30 minutes. To change the duration use this command:
net accounts /lockoutduration:5
This sets lockout duration to 5 minutes. You can set any value between 1
and 99999
minutes. If you want the account to be locked until an Admin unlocks it, set it to 0
.
In the GPE, the “Account lockout duration” setting determines how many minutes a locked-out account remains locked before automatically becoming unlocked. Double-click on it to set a custom value instead of 30
.
Reset Account Lockout Counter After
You can change how long Windows will remember the failed logon attempt before resetting the invalid attempt counter back to 0. By default this has the same value as Account Lockout Duration, but you can reduce it as below.
Set a custom time with the following command:
net accounts /lockoutwindow:1
Again, the available time range is between 1
to 99999
minutes.
In the Local Group Policy Editor window, double-click on “Reset account lockout counter after” to set a custom time.