Setting Account Lockout Durations
Preface:
This tutorial shows how to set up Windows Server 2003 to watch for invalid log-in attempts and lock the account against further log-ins for a certain amount of time after too many failures. This is extraordinarily helpful for machines that accept remote log-ins via Remote Desktop and similar services.
Method:
Click Start, then Run...
In the Run box, type "gpedit.msc"
Under Computer Configuration, click the + next to Windows Settings, then Security Settings, then Account Policies, and click Account Lockout Policy
Double click Account lockout threshold and enter the desired maximum number of log-in attempts. I'll use 5 for the sake of this tutorial
When you click OK, you will get a dialog box saying it will enable 2 other settings with recommended values. Click OK; we'll be changing those anyway
Double click Account lockout duration. This is how long the account will stay locked after 5 unsuccessful log-ins. I will be locking the account for one hour (60 minutes). Enter the value you'd like and press OK
Double click Reset account lockout counter after. This is how long you want Windows Server 2003 to remember invalid log-ins for lockout purposes. For example, we will set it to 60 minutes. That means that after 5 unsuccessful log-ins to a single account within 60 minutes, the account will be locked for 60 minutes, per our previous settings
Done! We now block after a certain number of unsuccessful log-ins (5) that occur within a certain amount of time (60 minutes), and Windows Server 2003 will lock that account for a certain amount of time (60 minutes)
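The same three settings can also be applied from a command prompt with the built-in net accounts command. The batch file below is an added example, not part of the original tutorial; the variable names are illustrative, and the final filter assumes an English-language Windows installation.

```bat
@echo off
rem Added example: apply the tutorial's lockout policy from the command line.
rem Variable names are illustrative. Run from an account in the Administrators group.
setlocal

rem Values used in the tutorial above
set THRESHOLD=5
set DURATION=60
set WINDOW=60

rem Windows rejects a reset window longer than the lockout duration.
rem A duration of 0 means "locked until an administrator unlocks it",
rem so the comparison is skipped in that case.
if not %DURATION%==0 if %WINDOW% GTR %DURATION% (
    echo The reset window ^(%WINDOW%^) must not exceed the lockout duration ^(%DURATION%^).
    exit /b 1
)

rem Apply threshold, lockout duration and reset window in one call.
net accounts /lockoutthreshold:%THRESHOLD% /lockoutduration:%DURATION% /lockoutwindow:%WINDOW%
if errorlevel 1 (
    echo Failed to apply the lockout policy. Check that you have administrative rights.
    exit /b 1
)

rem Show the values now in effect so they can be compared with the intended ones.
net accounts | findstr /i "lockout"

endlocal
```

The last command prints the lockout threshold, duration and observation window as the system now sees them, which is a quick check that the policy matches what was set in the Group Policy editor.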
Uh oh, I locked myself out!
Don't worry, it happens to the best of us. Sure, you could wait the hour to log in, or you can log in with a user in the Administrators group and click Start -> Run...
Type "lusrmgr.msc" and press OK
Click the Users folder, then double click the locked-out user. You will see a checked checkbox next to "Account is locked out". Un-checking it will unlock the account
My reasoning
Q: Why do you set the invalid log-in attempt to only 5? That could lock out more users than I'm wishing to unlock
A: It was merely for the sake of an example. I believe 5 should be more than enough to correct a mistyped letter or so in a password. If you start to see that it isn't enough, you can change it by going back, just as easily as it was set.
Q: I think I was locked out but I'm really not sure. What will the dialog look like at log on?
A: Well it basically says you've been locked out, here's a picture:
Copyright © 2002-2024 Jonathan Maltz.