The Best Computer Tips and Tricks

Set Account Lockout Threshold for Invalid Logon Attempts

April 22, 2013 By: Jono Category: Windows 7


Someone who enters more than a few incorrect passwords while trying to log on to your system might be a malicious user attempting to determine an account password by trial and error. An account lockout policy disables the user account for a specified period if an incorrect password is entered a certain number of times. Account lockout policy settings can help you prevent attackers from guessing users' passwords.

Account lockout policy consists of three sub-categories: Account lockout duration, Account lockout threshold, and Reset account lockout counter after. For more details on implementing an account lockout policy on a Windows 7 computer, you can see the experiments that I have done.

How to set Account Lockout Threshold for invalid logon attempts

  1. Open the Local Security Policy console on your computer: click the Start button, type secpol.msc in the search box, and then click secpol.msc.
  2. In the left panel, expand Account Policies > Account Lockout Policy.
  3. The right panel then shows the 3 sub-categories of the Account Lockout Policy. Double-click Account lockout threshold.
    • Account lockout threshold determines the number of failed logon attempts that will cause a user account to be locked out. You can set a value from 1 through 999 failed logon attempts.
  4. In this case I set the account to lock out after 3 invalid logon attempts. Click the OK button to continue.
  5. By default the Account lockout duration value is 30 minutes, but you can set it as you want.
    • Account lockout duration determines the number of minutes the account is locked after failed logon attempts. The available range is from 1 through 99,999 minutes.
  6. To set it, double-click Account lockout duration.
  7. In this case I set the account to be locked for 10 minutes. Click the OK button to continue.
  8. Now the account lockout duration has been changed to 10 minutes, but the Reset account lockout counter after value is still 30 minutes. It is recommended that you set the value of Reset account lockout counter after equal to the value of Account lockout duration.
    • Reset account lockout counter after determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0.
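To confirm the result without clicking through the console, the following PowerShell script (an added example, not part of the original post) exports the local policy with secedit and checks the three values, including the recommendation that the reset counter equal the lockout duration. The function names Get-LockoutPolicy and Test-LockoutPolicy and the temporary file name are assumptions made for this example; run it from an elevated prompt.

```powershell
# Added example: audit the three Account Lockout Policy values on this machine.
# Command-line equivalent of the values chosen in the steps above:
#   net accounts /lockoutthreshold:3 /lockoutduration:10 /lockoutwindow:10

function Get-LockoutPolicy {
    param([string[]]$InfLines)   # lines of a secedit security-template export

    $policy = @{}
    foreach ($line in $InfLines) {
        # [System Access] entries look like "LockoutBadCount = 3"
        if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Policy)

    $findings = @()
    # A missing or zero threshold means lockout is not enforced at all.
    if (-not $Policy.ContainsKey('LockoutBadCount') -or $Policy['LockoutBadCount'] -eq 0) {
        $findings += 'Account lockout threshold is not set: accounts are never locked out.'
        return $findings
    }
    # The steps above recommend reset counter = lockout duration.
    if ($Policy['ResetLockoutCount'] -ne $Policy['LockoutDuration']) {
        $findings += "Reset counter ($($Policy['ResetLockoutCount']) min) differs from lockout duration ($($Policy['LockoutDuration']) min)."
    }
    return $findings
}

# Export the local security policy to a temporary file, parse it, clean up.
$cfg = Join-Path $env:TEMP 'lockout-audit.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$policy = Get-LockoutPolicy -InfLines (Get-Content $cfg)
Remove-Item $cfg

$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# @() keeps the result an array even when zero or one finding is returned.
$findings = @(Test-LockoutPolicy -Policy $policy)
if ($findings.Count -eq 0) {
    'No findings: threshold is set and reset counter equals lockout duration.'
} else {
    $findings
}
```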

Before you enable an account lockout policy, it is important to know that there is a risk of unintentionally locking authorized users out of their accounts, since they might simply make a mistake when entering a password. Locked-out users cannot access their user account until it is unlocked automatically after the specified amount of time or until it is unlocked manually.

