Changing the duration of Windows account lockout can help mitigate vulnerabilities that may cause unauthorized access to your device. There are many ways to protect your device from unauthorized access, including enforcing password requirements for local accounts. This article will discuss account lockout, specifically its configurations and importance to data protection and cybersecurity.
How to configure Account Lockout settings
Here’s a step-by-step guide on how to change account lockout settings. Before you open the account lockout settings, make sure you meet the prerequisites below.
Check these before you configure the Account Lockout settings
- Administrative privileges: Only administrators can modify security policies. If the user account is not on an administrator level, log in to an administrator level one. Alternatively, you can contact an IT administrator to change your account lockout settings.
- Access to Local Security Policy or Group Policy Editor: Depending on your Windows edition and environment, you’ll need to access either the Local Security Policy (for standalone computers or workgroups) or the Group Policy Editor (for domain environments) to configure account lockout settings.
- Familiarity with security policies: Understanding related settings is vital to knowing the effects of specific configurations and how they can impact your system and security posture.
Now, you can change the lockout duration by following the steps below.
Using the Local Security Policy
- Open Local Security Policy:
  - Press Win + R, type secpol.msc, and click OK.
- Navigate to the Account Lockout Policy:
  - In the left pane, go to Account Policies > Account Lockout Policy.
- Modify the Account Lockout Duration:
  - In the right pane, double-click Account lockout duration.
  - Enter a value between 0 and 99999 minutes.
  - Note: A value of 0 means the account stays locked until an administrator unlocks it manually.
- Save and Apply:
  - Click OK to save changes, then close the Local Security Policy window.
Using the Group Policy Editor (For Domain Environments)
- Open Group Policy Management Console:
  - Press Win + R, type gpmc.msc, and click OK.
- Navigate to the Policy Object:
  - Expand the domain or organizational unit (OU) where the policy is applied.
- Edit the Policy:
  - Right-click the relevant Group Policy Object (GPO) and select Edit.
  - Go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  - Double-click Account lockout duration and adjust the value.
- Apply the Policy:
  - Save the changes and ensure the GPO is linked to the OU containing the target computers or users.
Using the Command Prompt
- Open Command Prompt with Admin Privileges:
  - Press Win + X, then select Command Prompt (Admin) or Windows Terminal (Admin).
- Check the Current Lockout Duration:
  - Type the command net accounts and press Enter.
  - Note the existing duration.
- Change the Lockout Duration:
  - Run the command: net accounts /lockoutduration:Number
  - Replace Number with a value between 0 and 99999 minutes.
- Verify Changes:
  - Run net accounts again to confirm the new lockout duration.
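The same check-change-verify procedure as a script, added here as an example and not taken from the original article. It assumes an English-language Windows build (the labels printed by net accounts are localized) and an elevated prompt; Get-LockoutPolicy and Set-LockoutDuration are hypothetical helper names.

```powershell
# Parse the three lockout settings from 'net accounts' (one "Label:   value" line each).
function Get-LockoutPolicy {
    $lines = net accounts
    $get = {
        param([string[]]$Lines, [string]$Label)
        $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        if ($line) { ($line -split ':\s+', 2)[1].Trim() } else { $null }
    }
    [pscustomobject]@{
        Threshold   = & $get $lines 'Lockout threshold:'                # 'Never' = lockout disabled
        Duration    = [int](& $get $lines 'Lockout duration (minutes):')
        ResetWindow = [int](& $get $lines 'Lockout observation window (minutes):')
    }
}

# Apply a new duration only after the checks an administrator would want, then verify it stuck.
function Set-LockoutDuration {
    param([Parameter(Mandatory)][ValidateRange(0, 99999)][int]$Minutes)
    $before = Get-LockoutPolicy
    if ($before.Threshold -eq 'Never') {
        Write-Warning 'Lockout threshold is 0 (Never): the duration has no effect until a threshold is set.'
    }
    # Windows requires the duration to be at least the reset window; 0 (manual unlock) is exempt.
    if ($Minutes -ne 0 -and $Minutes -lt $before.ResetWindow) {
        throw "Duration $Minutes min is below the reset window ($($before.ResetWindow) min); lower the window first."
    }
    net accounts "/lockoutduration:$Minutes" | Out-Null
    $after = Get-LockoutPolicy
    if ($after.Duration -ne $Minutes) {
        throw "Change did not apply (still $($after.Duration) min); make sure the prompt is elevated."
    }
    [pscustomobject]@{ Before = $before.Duration; After = $after.Duration }
}

# Usage from an elevated prompt:
Set-LockoutDuration -Minutes 30
```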
What you should know about Account Lockout and Account Lockout duration
Account lockout in Windows is a feature that locks a user account after a set number of unsuccessful logon attempts. This security setting can help prevent unauthorized access to a device, even if the person attempting access already knows part of the credentials, such as the username.
What is the Account Lockout duration?
The account lockout duration is the time for which a locked account remains inaccessible after the allowed number of invalid logon attempts has been exceeded; it is set by the user or administrator. System administrators usually adjust this setting together with the other two settings it depends on:
- Account Lockout Threshold – the number of failed login attempts before the account is locked
- Reset Account Lockout Counter After – the time window in minutes after which the failed attempts counter resets
Properly configuring these three settings together is crucial to defending against attempts to gain unauthorized access to a device.
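To show how the three settings interact, here is a small model of the counter and lock rules described above, added as an example and not part of the original article. The attempt timestamps are constructed sample data and Test-LockoutTimeline is a hypothetical function name; the model counts failed logons only.

```powershell
function Test-LockoutTimeline {
    param(
        [datetime[]]$FailedAttempts,   # failed logons in chronological order (constructed sample data)
        [int]$Threshold  = 5,          # Account Lockout Threshold (0 = never lock)
        [int]$ResetAfter = 15,         # Reset Account Lockout Counter After (minutes)
        [int]$Duration   = 30          # Account Lockout Duration (minutes, 0 = manual unlock)
    )
    $count = 0; $lastFail = $null; $lockedUntil = $null
    foreach ($t in $FailedAttempts) {
        $stillLocked = ($null -ne $lockedUntil) -and
                       ($lockedUntil -eq [datetime]::MaxValue -or $t -lt $lockedUntil)
        if ($stillLocked) { "{0:HH:mm}  rejected: account is locked" -f $t; continue }
        # The failed-attempt counter resets once the reset window has passed since the last failure.
        if (($null -ne $lastFail) -and ($t - $lastFail).TotalMinutes -ge $ResetAfter) { $count = 0 }
        $count++; $lastFail = $t
        if ($Threshold -gt 0 -and $count -ge $Threshold) {
            # Threshold reached: lock for the duration, or until an administrator unlocks when it is 0.
            $lockedUntil = if ($Duration -eq 0) { [datetime]::MaxValue } else { $t.AddMinutes($Duration) }
            $until = if ($Duration -eq 0) { 'admin unlock' } else { $lockedUntil.ToString('HH:mm') }
            "{0:HH:mm}  failure #{1} -> LOCKED until {2}" -f $t, $count, $until
            $count = 0
        } else {
            "{0:HH:mm}  failure #{1}" -f $t, $count
        }
    }
}

# Constructed sample: five failures a minute apart, one more while locked, one well after the window.
$base   = [datetime]'2024-01-01 09:00'
$sample = 0, 1, 2, 3, 4, 5, 40 | ForEach-Object { $base.AddMinutes($_) }
Test-LockoutTimeline -FailedAttempts $sample
```

With the defaults in the function, the fifth failure at 09:04 locks the account until 09:34, the 09:05 attempt is rejected, and the 09:40 failure starts a fresh count because more than 15 minutes have passed.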
Troubleshooting common issues
Unable to Access Local Security Policy or Group Policy Editor
Users or IT administrators may struggle to access the Local Security Policy or Group Policy Editor. Here are some solutions you can try:
- Verify the Windows edition you’re using. Some Windows editions don’t include Local Security Policy and Group Policy Editor. Check your edition under Settings > System > About, under Windows specifications. If you are using Windows Home, these tools are unavailable by default; consider upgrading to Windows Pro or using alternative methods such as registry edits.
- Use Command Prompt. If you cannot access Local Security Policy or Group Policy Editor, you can follow the step-by-step guide above to configure account lockout settings using Command Prompt.
- Elevate privileges. Configuring Local Security Policy or Group Policy Editor requires administrative privileges. Log in with an administrator account or contact your IT administrator for assistance if necessary.
Conflicts between Local and Domain Policies
There are instances when Group Policy settings applied at the domain level override local security policy settings, affecting various configurations, such as user access and privileges, security settings, system configurations, and more. Here’s what you can do:
- Identify and resolve conflicts. Determine where Group Policy settings are overriding local policy settings. Based on your needs and requirements, decide which policy should take precedence. Then, adjust the settings accordingly.
- Coordinate with the IT team. Some configurations can be modified only by your IT team or IT administrators. For instance, domain policies may require modifications at the domain level to resolve conflicts and ensure consistent security settings across the entire network. Contacting the IT team might be the best option.
Policy changes are not being applied
You may also face challenges in getting policy configurations to take effect, impacting productivity and system security. To resolve this, here’s what you can do:
- Force a policy update. Run the command gpupdate /force in Command Prompt (with administrator privileges). This command forces the immediate application of any pending Group Policy updates.
Best practices and recommendations in setting up Account Lockout duration
How much protection an account lockout setting provides depends on how you configure it for your specific needs and requirements. With that in mind, you can follow some account lockout duration best practices. Here are some strategies you can apply:
- Recommended values. Set the duration to 15–30 minutes. This range is a good starting point if you want to balance security and usability for most environments. It can offer a sufficient deterrent against automated password-guessing (brute-force attacks) while minimizing frustration for user account owners who may encounter unintentional errors when providing their passwords.
- Regular reviews. Allotting time for a periodic review of policies is crucial in maintaining a robust security posture. Cyber threats continually evolve, and new attack vectors and techniques emerge regularly. That’s why your account lockout settings need to match evolving security needs.
- Avoid extremes. Duration values that are too short or too long may create security or usability problems. Extremely short account lockout durations (less than 5 minutes) increase the risk of legitimate users being repeatedly locked out due to minor typing errors or temporary network issues, significantly impacting their productivity. Conversely, indefinite lockouts (0 minutes) pose a severe security risk, as compromised accounts can remain active indefinitely.
FAQs
- What is the default duration of account lockout in Windows?
The default is 30 minutes. After several invalid logon attempts, the account remains locked for half an hour before it becomes usable again.
- Can this setting be applied only to specific accounts?
No, account lockout settings apply globally to all local accounts. The same lockout duration and threshold will apply to every user account on the local system.
- How do account lockout duration and threshold work together?
The threshold triggers the lockout, and the duration defines how long the account stays locked. This mechanism enhances account security by preventing unauthorized access after multiple failed login attempts.
Protecting your system with Account Lockout
Account lockout settings are a set of configurations that can help maintain your device’s security by preventing unauthorized access. Properly configured account lockout duration aids in deterring brute-force attacks and reducing the risk of unauthorized access by locking out accounts after several failed login attempts.
Understanding these settings enhances your system’s security posture by building a defense against sophisticated intrusion attempts and minimizing the impact of potential security breaches.