Setting Account Lockout Durations


This will show you how to set up Windows Server 2003 to watch for invalid log-in attempts, and lock the account against more unsuccessful log-ins for a certain amount of time.  This is extraordinarily helpful for remote logging in via Remote Desktop and the such.


Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, then Account Policy and click Account lockout

Double click on Account lockout threshold and put in a desired "max log-in attempt", I'll use 5 for the sake of this tutorial

When you click OK you will get a dialog box saying it will enable 2 other things with recommended settings, click OK, we'll be changing those anyway

Double click Account lockout duration.  This will be the amount of time after 5 unsuccessful log-ins the account will be locked for.  I will be locking the account for one hour (60 minutes).  Put in the value you'd like and press OK

Double click Reset account lockout counter after: .  This is how long you want Windows Server 2003 to remember invalid log-ins for lockout.  For example, we will set it to be 60 minutes.  That means, after 5 unsuccessful log-ins to a single account within 60 minutes time, the account will be locked for 60 minutes, per our previous settings

Done!  We have now blocked against a certain amount of unsuccessful log-ins (5) that occur within a certain amount of time (60 minutes) and Windows Server 2003 will lock that account for a certain amount of time (60 minutes)

Uh oh, I locked myself out!

Don't worry, it happens to the best of us.  Sure, you could wait the hour to log in, or you can log in with a user in the Administrator's group, click Start -> Run...

Type "lusrmgr.msc" and press OK

Click the users folder and then double click the locked out user.  You will see a checkbox checked by "Account is locked out".  Un-checking that will unlock the account

My reasoning

Q: Why do you set the invalid log-in attempt to only 5?  That could lock out more users than I'm wishing to unlock

A: It was merely for the sake of an example.  I believe 5 should be more than enough to correct a mistyped letter or so in a password.  If you start to see that it isn't enough, you can change it by going back, just as easy as it was set.

Q: I think I was locked out but I'm really not sure.  What will the dialog look like at log on?

A: Well it basically says you've been locked out, here's a picture:

<-- Go back to the main tutorial page

Copyright © 2002-2023 Jonathan Maltz.  For trademark/copyright information, click hereAbout meMain pageContact me.