How to Set Up Local Account Lockout Policies Consistently Across All Clients Using PowerShell and Local Policies

by Ann Conte, IT Technical Writer

A local account lockout policy for your managed devices is foundational to your organization’s security. It slows brute-force login attempts, makes it visible when someone exceeds your account-misuse thresholds, and aligns your devices with baseline security standards.

In enterprise environments, automating this process is the best way to go. This ensures that your lockout policy is consistently applied across all your managed devices and alerts administrators immediately when a device isn’t compliant.

A guide to automating the account lockout policy for local accounts

There are several steps before you can fully automate local account lockout policies. You can start by drafting the local account lockout policy and uploading that document to an accessible cloud solution.

Account lockout policies can be enforced using local policies or Windows PowerShell. You can also track and verify the policy status using Registry keys and Command Prompt.

📌 Prerequisites:

  • You will need administrator privileges on all the devices you want to modify.
  • You need PowerShell 5.1 or later on all your managed systems.
  • An RMM solution like NinjaOne for deployment and policy tracking.
  • Optional: You can use audit tools for Registry validation and event log review.

📌 Recommended deployment strategies:


Step 1: Define standard lockout policy values
Step 2: Enforce lockout policy using Group Policy
Step 3: Enforce lockout settings using PowerShell on standalone systems
Step 4: Track and confirm policy using Registry keys
Step 5: Validate lockout policy with CMD and security logs

Step 1: Define standard lockout policy values

Administrators must define standard lockout policies, depending on your organization’s needs and requirements. Here are the recommended values based on CIS benchmarks and Microsoft guidance.

  • Users are locked out of the account after 5 invalid attempts.
  • The account will be locked for 15 minutes.
  • The counter of invalid attempts resets after 15 minutes.

Document your baseline and apply the policies consistently across your managed devices. Make sure that your lockout policies comply with contractual and government requirements. Upload this document to a file-sharing space like SharePoint so that everyone who needs it can access it.

Step 2: Enforce lockout policy using Local Group Policy on standalone systems

📌 Use Case: This step should be used on all managed devices that have group policies.

  1. Open the Start Menu and search for Edit Group Policy to open the program.
  2. Go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  3. Configure the following policies:
    • Account lockout threshold – 5 invalid logon attempts
    • Account lockout duration – 15 minutes
    • Reset account lockout counter after – 15 minutes

The values will change, depending on your organization’s requirements and device lockout policies. Apply this change to all the necessary units in your managed setup.

💡Note: To validate the policy application, open Command Prompt with elevated permissions and use this command: gpresult /h C:\GPO_Lockout_Report.html. In enterprise environments, you can use NinjaOne scripts to collect and confirm policy application for each endpoint.

Step 3: Enforce lockout settings using PowerShell on standalone systems

  1. Open the Start Menu and search for Windows PowerShell.
  2. Right-click Windows PowerShell > Run as administrator.
  3. Input this command:

# Export the live security policy first, so C:\secpol.cfg always exists and reflects the current settings
secedit /export /cfg C:\secpol.cfg /areas SECURITYPOLICY
$lines = Get-Content C:\secpol.cfg
# Set each lockout value whatever it is now (a plain string replace only matched when the value was 0);
# when the threshold is 0 the export omits the other two keys, so add a missing line under [System Access]
foreach ($setting in @{ LockoutBadCount = 5; ResetLockoutCount = 15; LockoutDuration = 15 }.GetEnumerator()) {
    $entry = "$($setting.Key) = $($setting.Value)"
    if ($lines -match "^$($setting.Key) = ") { $lines = $lines -replace "^$($setting.Key) = .*", $entry }
    else { $lines = $lines -replace '^\[System Access\]', "[System Access]`r`n$entry" }
}
# secedit exports UTF-16, so write the template back in the same encoding
$lines | Set-Content C:\secpol.cfg -Encoding Unicode
# Apply the template to the local security database and keep secedit's own log for the audit trail
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY /log C:\secpol.log

💡Note: secpol.cfg is the exported security template: it holds the current lockout settings, and secedit /configure writes whatever the file says back into the local security database. The script exports a fresh copy before editing, so the file is always present; you can also generate it on its own with: secedit /export /cfg C:\secpol.cfg

  4. Document what happens and keep a log of any errors. This will be useful for audit trail generation.

Step 4: Track and confirm policy using Registry keys

Lockout policies are not easily accessible using the Windows Registry. However, you can log policy and enforcement status using custom keys.

  1. Open the Start Menu and search for Registry Editor to open the program.
  2. Navigate to this address: HKEY_LOCAL_MACHINE\SOFTWARE\Org\LockoutPolicy.
  3. You can log activity and enforcement status using these custom keys:
    • LockoutThreshold (DWORD) 
    • LockoutDuration (DWORD) 
    • ResetCounterMinutes (DWORD) 
    • LastPolicyUpdate (String)

💡Note: An automated script must be written to record the computer’s lockout threshold, duration, reset counter minutes, and when the policy was last updated in these Registry values. They do not change the lockout policies on their own.

However, you can use a custom script through your RMM tool to regularly check the information in these keys to ensure that your organization’s policies are being updated. If you change the lockout policies, you must also update the data within the Registry values.
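An added example of such a recording script (not code from the original post or from NinjaOne): it exports the effective policy with secedit, compares it with the baseline from Step 1, and writes the values and a timestamp to the custom keys listed above. The Registry path HKLM:\SOFTWARE\Org\LockoutPolicy is the one from this guide, with Org standing in for your organization’s name; the function names, the use of $env:TEMP for the export and the non-zero exit code on non-compliance are assumptions.

```powershell
# Added example (not from the original post): export the effective lockout policy with secedit,
# compare it with the documented baseline, and record the result in the Step 4 Registry keys.
# "Org" in the path is a placeholder for your organization. Requires an elevated PowerShell 5.1+ session.

$Baseline = @{ LockoutBadCount = 5; LockoutDuration = 15; ResetLockoutCount = 15 }
$RegPath  = 'HKLM:\SOFTWARE\Org\LockoutPolicy'

function Get-EffectiveLockoutPolicy {
    # secedit writes a UTF-16 INI file with a BOM, so Get-Content needs no -Encoding.
    $cfg = Join-Path $env:TEMP 'lockout-export.cfg'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

    $current = @{}
    foreach ($line in Get-Content -Path $cfg) {
        # LockoutDuration = -1 means "locked until an administrator unlocks", so allow a sign.
        if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)\s*$') {
            $current[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $current
}

function Test-LockoutPolicyCompliance {
    param([hashtable]$Current, [hashtable]$Expected)
    # When the threshold is 0 the export omits the other two keys; a missing key is non-compliant.
    foreach ($name in $Expected.Keys) {
        if (-not $Current.ContainsKey($name) -or $Current[$name] -ne $Expected[$name]) { return $false }
    }
    return $true
}

function Write-LockoutPolicyRecord {
    param([hashtable]$Current)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # Registry value name -> secedit key name. Missing values are recorded as 0 so the DWORDs always exist.
    $map = @{ LockoutThreshold = 'LockoutBadCount'; LockoutDuration = 'LockoutDuration'; ResetCounterMinutes = 'ResetLockoutCount' }
    foreach ($regName in $map.Keys) {
        $value = 0
        if ($Current.ContainsKey($map[$regName])) { $value = $Current[$map[$regName]] }
        New-ItemProperty -Path $RegPath -Name $regName -PropertyType DWord -Value $value -Force | Out-Null
    }
    # LastPolicyUpdate records when this check last wrote the values (UTC, ISO 8601).
    New-ItemProperty -Path $RegPath -Name LastPolicyUpdate -PropertyType String `
        -Value (Get-Date).ToUniversalTime().ToString('o') -Force | Out-Null
}

$current   = Get-EffectiveLockoutPolicy
$compliant = Test-LockoutPolicyCompliance -Current $current -Expected $Baseline
Write-LockoutPolicyRecord -Current $current

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    LockoutThreshold    = $current['LockoutBadCount']
    LockoutDuration     = $current['LockoutDuration']
    ResetCounterMinutes = $current['ResetLockoutCount']
    Compliant           = $compliant
} | Format-List

# A non-zero exit code lets the RMM flag the endpoint for remediation.
if (-not $compliant) { exit 1 }
```

The comparison is an exact match against the documented baseline, which is what “apply the policies consistently” calls for; if your policy allows stricter local settings, relax the test to “threshold between 1 and the baseline, duration and reset window at least the baseline (or duration -1)”.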

Step 5: Validate lockout policy with CMD and security logs

For audits and compliance testing, administrators can use Command Prompt to validate the lockout policies for managed devices.

  1. Open the Start Menu and search for Command Prompt.
  2. Right-click Command Prompt > Run as administrator.
  3. Type this command: net accounts

Command Prompt will display the system’s current lockout policy. Here’s a sample of what it will show, among other settings:

Lockout threshold: 5 invalid logon attempts
Lockout duration: 15 minutes
Lockout observation window: 15 minutes

After verifying the device’s current lockout policy, you can also view failed logon attempts using this command: wevtutil qe Security "/q:*[System[(EventID=4625)]]" /c:5 /f:text

This will show you the last failed login attempts on the device (if any). This is useful during audits and to demonstrate your organization’s security compliance and effectiveness.
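As an added example that goes beyond the single wevtutil query (not code from the original post or from NinjaOne): a PowerShell function that collects the 4625 failed-logon events and the 4740 events Windows writes when an account is actually locked out, for a chosen time window, and summarizes them per target account with the source workstation or address. The event IDs and EventData field names are Windows’ own; the 24-hour window and the function name are assumptions.

```powershell
# Added example (not from the original post): summarize failed logons (Event ID 4625) and account
# lockouts (Event ID 4740) from the local Security log, grouped by the account that was targeted.
# Requires an elevated session; the time window is an assumption.

function Get-LockoutAuditSummary {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    # -ErrorAction Stop turns "no events were found" into an exception we can treat as an empty result.
    try   { $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { $events = @() }

    $records = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML; fields not present become $null.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4625 carries the source workstation and IP address; 4740 reports the caller computer in TargetDomainName.
        if ($e.Id -eq 4625) { $source = "$($data['WorkstationName']) $($data['IpAddress'])".Trim() }
        else                { $source = $data['TargetDomainName'] }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $data['TargetUserName']
            Source  = $source
        }
    }

    $records | Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account      = $_.Name
            FailedLogons = @($_.Group | Where-Object EventId -eq 4625).Count
            Lockouts     = @($_.Group | Where-Object EventId -eq 4740).Count
            LastSeen     = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            Sources      = ($_.Group.Source | Where-Object { $_ } | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object FailedLogons -Descending
}

Get-LockoutAuditSummary -Hours 24 | Format-Table -AutoSize
```

An account with many 4625 events and no 4740 is the case to investigate during an audit: either the threshold is not in effect on that device, or the attempts are spread wider than the observation window.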

⚠️ Things to look out for

Issue: The script fails to apply.
Potential consequence: The device won’t have the proper lockout policy.
Fix: Check for syntax errors or incorrect secedit formatting, and verify that you have the appropriate permissions.

Issue: The policy is not applying.
Potential consequence: The device won’t have the proper lockout policy.
Fix: Run Command Prompt with elevated permissions and use gpresult to verify policy application.

Issue: The policy reverts.
Potential consequence: The device won’t have the proper lockout policy.
Fix: Check for manual overrides or third-party software that resets local policies on the device.

Issue: The audit logs are missing.
Potential consequence: The device won’t have the proper lockout policy.
Fix: Make sure that the audit log policy is properly configured and that the retention limits are sufficient.

Additional considerations when automating local account lockout policies

  • Enable audit logging for account lockouts.
  • Remember to disable local administrator accounts that you don’t need. You can also randomize their passwords to further enhance security.
  • Record policy enforcement and timestamp per endpoint for audit logs.

NinjaOne services to help automate the account lockout policy for local accounts

NinjaOne’s RMM tools can strengthen your lockout policy enforcement. They can:

  • Deploy remote PowerShell-based enforcement scripts across all endpoints that need them.
  • Monitor registry keys and scheduled task status using automations and custom fields.
  • Alert administrators on failed policy application or missing expected Registry values.
  • Audit script outputs and compliance logs using NinjaOne’s centralized dashboard.
  • Tag non-compliant endpoints for remediation workflows and ticket creation.

Enhance your organization’s security by automating lockout policies for your endpoints

Automating local account lockout policies across clients improves security posture, enforces consistency, and satisfies compliance mandates. It can be done using the local policy editor and Windows PowerShell, and you can use Registry keys and Command Prompt to verify that policies are consistently applied across all devices.
