
How to Change Account Lockout Threshold for Local Accounts in Windows


Key Points

  • The account lockout threshold limits failed login attempts on Windows devices, helping organizations maintain their security posture.
  • Go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, find Account lockout threshold policy, and choose a value from 0 to 999 to configure the account lockout threshold via Group Policy Editor.
  • Run net accounts /lockoutthreshold:<value> in an elevated Command Prompt to change the account lockout threshold from the command line.
  • IT professionals must balance security and usability to avoid productivity loss while protecting against credential stuffing and brute-force attacks.
  • Best practices include communicating policies clearly to users, regularly reviewing lockout configurations, and aligning settings with regulatory compliance standards.

The account lockout threshold on Windows devices limits failed login attempts and prevents unauthorized access. Understanding how this system works allows IT teams to strengthen their organization’s security posture and safeguard sensitive data from unauthorized access. This guide explains how to protect local accounts with account lockout thresholds and prevent brute-force attacks on your Windows devices.

Ways to configure account lockout settings for local accounts in Windows 10

You can change the account lockout threshold for local accounts using the Local Group Policy Editor or the Command Prompt.

Method 1: Adjusting the lockout threshold using the Group Policy Editor

Use Case: Configuring via Group Policy Editor is ideal for enterprise-wide deployment.

Prerequisites: For this method to work, users must have:

  • Windows 10 Pro, Enterprise, or Education edition (⚠️ IMPORTANT: This method will not work with a Windows 10 Home edition.)
  • Administrator access to the machine

💡 NOTE: It’s a good practice to back up your existing system settings before making changes to avoid potential issues.

To use this method, follow these steps:

  1. Ensure you have Administrator access to the machine.
  2. Back up your existing system settings to avoid any potential issues.
  3. Press Win + R to open the Run command, then type “gpedit.msc”. Press Enter to open the Local Group Policy Editor.
  4. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  5. Click on Account Lockout Policy to open a new pane on the right.
  6. Double-click on the “Account lockout threshold policy”.
  7. By default, the number is set to 0; however, you can type any number between 0 and 999 to indicate how many invalid sign-in attempts a user can make before getting locked out.
  8. Once you set a non-zero threshold, a window pops up asking you to confirm the two related settings, Account lockout duration and Reset account lockout counter after. Both are set to 30 minutes by default, but you can change them to the values you want.
  9. When you’re done, click “OK”.

Method 2: Configure lockout policy for local accounts with Command Prompt

Use Cases: Use the Command Prompt on devices that have no access to the Group Policy Editor (for example Windows 10 Home) and for quick, script-based fixes. This method works on all editions of Windows.

Prerequisites: You’ll need Administrator-level access to open an elevated command prompt.

To change the lockout threshold with Command Prompt, do the following steps:

  1. Check if you have Administrator-level access to open an elevated command prompt.
  2. Back up your existing system settings to avoid any potential issues.
  3. Set the threshold using the following command:
    net accounts /lockoutthreshold:<value>
    Replace <value> with the number of failed attempts you want to allow (0 to 999; 0 disables lockout).
  4. To verify the change, run the following command, which displays the current account lockout policy settings (lockout threshold, lockout duration and lockout observation window):
    net accounts
  5. You can now close the Command Prompt, or also change the lockout duration and the reset window (both 30 minutes by default) with the /lockoutduration:<minutes> and /lockoutwindow:<minutes> options of the same command.
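The command-line method above, as an added PowerShell example that is not part of the original article: it backs up the current net accounts output (as the prerequisites advise), validates the threshold range, applies the new lockout settings and verifies them by re-reading the policy. It assumes an elevated session and English-language net accounts output; the function names and the backup path are the example's own choices.

```powershell
function Get-LocalLockoutPolicy {
    # Parse the three lockout lines printed by "net accounts" (English locale assumed).
    $policy = @{ Threshold = $null; Duration = $null; Window = $null }
    foreach ($line in (net accounts)) {
        if     ($line -match '^Lockout threshold:\s+(\S+)')                    { $policy.Threshold = $Matches[1] }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)')          { $policy.Duration  = $Matches[1] }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $policy.Window = $Matches[1] }
    }
    # "Never" is how net accounts reports a threshold of 0 (lockout disabled).
    if ($policy.Threshold -eq 'Never') { $policy.Threshold = 0 }
    return [pscustomobject]$policy
}

function Set-LocalLockoutPolicy {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 999)][int]$Threshold,
        [ValidateRange(1, 99999)][int]$Duration = 30,   # minutes the account stays locked
        [ValidateRange(1, 99999)][int]$Window   = 30,   # minutes before the failure counter resets
        [string]$BackupPath = "$env:TEMP\net-accounts-backup.txt"  # hypothetical location
    )
    # Keep a copy of the current settings so they can be restored later.
    net accounts | Out-File -FilePath $BackupPath -Encoding utf8
    $before = Get-LocalLockoutPolicy

    if ($Threshold -eq 0) {
        # Threshold 0 disables lockout entirely; duration and window no longer matter.
        net accounts /lockoutthreshold:0 | Out-Null
    }
    else {
        # Windows requires the reset window to be no longer than the lockout duration.
        if ($Window -gt $Duration) { throw "Window ($Window) must not exceed duration ($Duration)." }
        net accounts /lockoutthreshold:$Threshold /lockoutduration:$Duration /lockoutwindow:$Window | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed (exit $LASTEXITCODE); run from an elevated prompt." }

    # Verify by re-reading the policy rather than trusting the command's success message.
    $after = Get-LocalLockoutPolicy
    if ([int]$after.Threshold -ne $Threshold) { throw "Verification failed: threshold is $($after.Threshold)." }
    return [pscustomobject]@{ Before = $before; After = $after; Backup = $BackupPath }
}

# Usage: allow 10 failed attempts, lock for 30 minutes, reset the counter after 30 minutes.
Set-LocalLockoutPolicy -Threshold 10 -Duration 30 -Window 30
```

Calling Set-LocalLockoutPolicy -Threshold 0 restores the default (lockout disabled) described in the troubleshooting section below.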

What is the account lockout threshold in Windows?

The account lockout threshold determines the number of failed sign-in attempts allowed before a local account is temporarily locked out. Upon reaching the limit, the account becomes inaccessible for a defined period or until manually reset, depending on other security policies.

Setting up the best Windows account lockout settings helps IT security experts prevent brute force attacks, where unauthorized users repeatedly attempt various passwords until they succeed. Modifying the account lockout threshold can also help prevent other types of cyberattacks, such as credential stuffing.

Protect devices and data without compromising end-user productivity with NinjaOne’s all-in-one tool for endpoint security and management.


Why modify the account lockout threshold?

While Windows systems have default settings for the account lockout threshold, professionals and organizations, especially those that require IT compliance with regulatory standards, might need to configure the lockout policy for local accounts.

Troubleshooting common account lockout threshold issues

Policy not applying correctly

Make sure you have administrator privileges when using Local Group Policy Editor. When finished modifying your settings in the Group Policy Editor, open Command Prompt and run:

    gpupdate /force

This command refreshes all group policies and ensures the changes are enforced.

Changes don’t reflect on local accounts

If the device is joined to a domain, the lockout policy you set locally applies only to local accounts; domain accounts are governed by the domain's policy. Also check whether another applied Group Policy overrides your local setting.

Reverting account lockout threshold to default settings

If users frequently get locked out of their devices, you may need to raise the number of allowed attempts or reset all account lockout settings to their defaults. To restore the default, revisit the Local Group Policy Editor and set the threshold back to "0". Alternatively, run this command in an elevated Command Prompt or PowerShell:

    net accounts /lockoutthreshold:0

Best practices for Windows account lockout policies

Strike a balance between usability and security

Strict lockout thresholds can inconvenience legitimate users and increase helpdesk ticket volumes. On the other hand, account lockouts help strengthen endpoint security by preventing unauthorized access to Windows devices.

Adjust the local account lockout configuration to suit your needs

Microsoft recommends an account lockout threshold of 10 failed attempts to reduce accidental lockouts and help desk tickets. That said, 3-5 failed attempts might be a better range for high-security environments, as it would discourage brute force attacks without causing excessive accidental lockouts.

Communicate policies clearly to end users

IT teams must inform end-users about account lockout thresholds to reduce failed attempts. When users know the thresholds, the number of help desk tickets created for accidental lockouts can be reduced, allowing technicians to work on more urgent issues.


How to protect local accounts with account lockout thresholds

Changing the account lockout threshold helps secure local Windows accounts and deters brute force attacks. However, improperly configuring this can lead to disruptions for users if they can no longer access their devices due to frequent lockouts. Therefore, IT professionals must regularly review and update this policy to secure Windows endpoint devices and minimize downtime.

FAQs

According to Windows security baselines, setting the account lockout threshold to 10 attempts strikes a good balance between account security and user convenience. This threshold prevents most accidental lockouts and lessens the need for IT support to intervene. However, it may be less effective against brute force attacks, so a lower threshold of 3-5 failed attempts might suit organizations that require stricter security measures.

While this guide focuses on local accounts, you could implement similar policies for domain accounts via Active Directory security settings.

Excessive lockouts can frustrate end users and lead to more downtime, as they cannot access their devices. Generally, the system’s performance remains unaffected.

When the account lockout threshold is set to 0, Windows disables the lockout mechanism entirely. This means there is no limit on the number of failed sign-in attempts, and users will never be locked out due to incorrect passwords. While this prevents accidental lockouts, it also leaves systems more vulnerable to brute-force and credential stuffing attacks.

To remove account lockout in Windows, set the lockout threshold back to 0, which disables the lockout policy. You can do this via Local Group Policy Editor or Command Prompt.

Configuring account lockout thresholds helps prevent brute-force attacks, where malicious actors attempt to guess passwords through repeated login attempts. By limiting the number of failed logins before locking an account, IT admins can reduce unauthorized access risks and protect sensitive data. Properly set thresholds strike a balance between security and user experience, especially in high-compliance or high-risk environments.
