Someone who attempts to use more than a few unsuccessful¬†passwords¬†while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached.
The¬†Account lockout threshold¬†policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the¬†Account lockout duration¬†policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero,¬†Account lockout duration¬†must be greater than or equal to the value of¬†Reset account lockout counter after.
The¬†Account lockout duration¬†policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. An administrator can also manually¬†unlock a locked-out account.
The¬†Reset account lockout counter after¬†policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.
Starting with¬†Windows 11 build 22528¬†and higher, the¬†Account lockout threshold¬†policy is now set to 10 failed sign-in attempts by default. The¬†Account lockout duration¬†is now set to 10 minutes by default. The¬†Allow Administrator account lockout¬†is now enabled by default. The¬†Reset account lockout counter after¬†is now set to 10 minutes by default.
This tutorial will show you how to change the¬†Account lockout threshold¬†to lock out a local account after a specified number of failed sign-in attempts to Windows 11.