Published by Brink

How to Change Account Lockout Threshold for Local Accounts in Windows 10

Information
The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a local account to be locked. A locked account cannot be used until an administrator unlocks it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.

Failed password attempts on workstations or member servers that have been locked by using CTRL+ALT+DELETE or password-protected screen savers do not count as failed sign-in attempts unless Interactive logon: Require Domain Controller authentication to unlock workstation is set to Enabled. If Interactive logon: Require Domain Controller authentication to unlock workstation is enabled, repeated failed password attempts to unlock the workstation will count against the account lockout threshold.

Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.

This tutorial will show you how to change the Account lockout threshold to lock out a local account after a specified number of invalid sign-in attempts to Windows 10.

You must be signed in as an administrator to change the Account lockout threshold.


CONTENTS:
  • Option One: To Change Account Lockout Threshold for Local Accounts using Local Security Policy
  • Option Two: To Change Account Lockout Threshold for Local Accounts using Command Prompt


EXAMPLE: "The referenced account is currently locked out and may not be logged on to" error
[Screenshot: referenced_account_is_currently_locked_out.jpg]






OPTION ONE
To Change Account Lockout Threshold for Local Accounts using Local Security Policy

Note
Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option Two below.


1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.

2. Navigate to Account Policies and Account Lockout Policy in the left pane of Local Security Policy. (see screenshot below)

[Screenshot: Account_lockout_threshold_secpol-1.png]

3. In the right pane of Account Lockout Policy, double click/tap on the Account lockout threshold policy. (see screenshot above)

4. Type in a number between 0 and 999 for how many invalid sign-in attempts you want to allow before the account is locked out, and click/tap on OK. (see screenshots below)
Note
The default setting is 0 invalid sign-in attempts, which means local accounts are never locked out.


[Screenshot: Account_lockout_threshold_secpol-2.png]
[Screenshot: Account_lockout_threshold_secpol-3.png]

5. If the Account lockout threshold was originally set to 0, or you just set it to 0 invalid sign-in attempts, then click/tap on OK. (see screenshots below)

[Screenshot: Account_lockout_threshold_secpol-4.png]
[Screenshot: Account_lockout_threshold_secpol-5.png]

6. When finished, you can close the Local Security Policy window if you like.

7. If you like, you can change the Account lockout duration and Reset account lockout counter after policies to what you want instead of the default 30 minutes.





OPTION TWO
To Change Account Lockout Threshold for Local Accounts using Command Prompt

1. Open an elevated command prompt.

2. Enter the command below into the elevated command prompt, press Enter, and make note of the current Lockout threshold. (see screenshot below)

net accounts

[Screenshot: net_accounts.jpg]

3. Enter the command below into the elevated command prompt, and press Enter. (see screenshot below)

net accounts /lockoutthreshold:Number

Note
Substitute Number in the command above with a number between 0 (none) and 999 for how many invalid sign-in attempts you want to allow before the account is locked out.

The default setting is 0 invalid sign-in attempts, which means local accounts are never locked out.


[Screenshot: Account_lockout_threshold-command.png]

4. When finished, you can close the elevated command prompt if you like.

5. If you like, you can change the Account lockout duration and Reset account lockout counter after policies to what you want instead of the default 30 minutes.
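
To review the result of steps 2 and 3 without reading the output by eye, the PowerShell below parses the lockout lines of net accounts and checks them against the rule from the Information section (duration must be at least the reset counter window when a threshold is set). It is an added example, not part of the original tutorial; the function names Get-LockoutPolicy and Test-LockoutPolicy and the sample lines are constructed here, and the parsing assumes English-language output.

```powershell
# Added example: audit the local account lockout policy reported by `net accounts`.
# Assumes English output; the labels are localized on other systems.

function ConvertTo-PolicyNumber {
    param([string]$Value)
    # net accounts prints a threshold of 0 as "Never"; treat that word as 0.
    if ($Value -eq 'Never') { 0 } else { [int]$Value }
}

function Get-LockoutPolicy {
    # With no argument, reads the live policy; pass -Lines to test offline.
    param([string[]]$Lines = (net accounts))

    $policy = @{}
    foreach ($line in $Lines) {
        # Each setting is printed as "Label:      value"
        if ($line -match '^(Lockout [^:]+):\s+(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        Threshold = ConvertTo-PolicyNumber $policy['Lockout threshold']
        Duration  = ConvertTo-PolicyNumber $policy['Lockout duration (minutes)']
        Window    = ConvertTo-PolicyNumber $policy['Lockout observation window (minutes)']
    }
}

function Test-LockoutPolicy {
    param($Policy)
    if ($Policy.Threshold -eq 0) {
        'Threshold is 0: local accounts are never locked out.'
    }
    # A duration of 0 keeps the account locked until an administrator
    # unlocks it, so only a non-zero duration is compared to the window.
    elseif ($Policy.Duration -ne 0 -and $Policy.Duration -lt $Policy.Window) {
        'Lockout duration is shorter than the reset counter window.'
    }
}

# Constructed sample: the lockout lines of a machine still on the defaults.
$sample = @(
    'Lockout threshold:                                    Never'
    'Lockout duration (minutes):                           30'
    'Lockout observation window (minutes):                 30'
)
$policy = Get-LockoutPolicy -Lines $sample
$policy
Test-LockoutPolicy $policy
```

Calling Test-LockoutPolicy (Get-LockoutPolicy) instead audits the machine the script runs on.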


That's it,
Shawn

