What is Windows Account lockout duration?

Account lockout duration is a built-in Windows security policy setting that specifies the number of minutes an account stays locked out after a lockout is triggered; when that time elapses, the account is unlocked automatically. The setting is not defined by default, because it only takes effect when the Account lockout threshold is configured above 0. Once you set the Account lockout threshold, the Account lockout duration defaults to 30 minutes. You can set the Account lockout duration to any value from 0 to 99999 minutes. If the value is 0, the account remains locked out until an administrator unlocks it manually.

How does Account lockout duration help curb security threats?

To protect your computer from unauthorized use, Windows lets you enforce an Account lockout duration. A malicious threat actor may try to guess your Windows account password by trial and error, known as a brute-force attack. Once the failed attempts exceed the limit set in the Account lockout threshold, the account is locked out for the specified Account lockout duration, preventing further attempts during that time.

Account lockout duration best practices and recommendations:

Leaving the Account lockout duration at 0 keeps the account locked out until an administrator unlocks it, which increases help desk calls. Setting it to a very low value lets the attacker resume the attempts after only a short wait. The best practice is to set the Account lockout duration to 1440 minutes.

Location for configuring Account lockout duration:

The Account lockout duration setting can be configured in the following location in the Group Policy Management Console: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

Alternatively, if your administrator has given you rights to edit the Local Security Policy on your computer, open the Local Security Policy and click Account Lockout Policy in the left pane to locate the Account lockout duration setting.
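As an added example that is not part of the original page or of ManageEngine's product, the following PowerShell script audits the local Account Lockout Policy described above using the built-in secedit.exe; the 1440-minute target is taken from the best-practice section, and the function names are our own.

```powershell
# Added example (not from the page or from ManageEngine): audit the local Account
# Lockout Policy with the built-in secedit.exe. Run from an elevated PowerShell prompt.
# The 1440-minute target comes from the page's recommendation; function names are ours.

function Get-InfInt([string]$Text, [string]$Key) {
    # Read "Key = n" from the exported INF; $null means the key is not defined.
    if ($Text -match "(?m)^\s*$Key\s*=\s*(-?\d+)") { return [int]$Matches[1] }
    return $null
}

function Get-LocalLockoutPolicy {
    # Export the effective local security policy to a temporary INF file.
    $inf = Join-Path $env:TEMP ("lockout-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /quiet | Out-Null
        $text = Get-Content -Path $inf -Raw
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
    # [System Access] keys: LockoutBadCount = Account lockout threshold,
    # LockoutDuration = Account lockout duration (minutes),
    # ResetLockoutCount = Reset account lockout counter after (minutes).
    [pscustomobject]@{
        Threshold         = Get-InfInt $text 'LockoutBadCount'
        DurationMinutes   = Get-InfInt $text 'LockoutDuration'
        ObservationWindow = Get-InfInt $text 'ResetLockoutCount'
    }
}

function Test-LockoutDuration([int]$RecommendedMinutes = 1440) {
    $p = Get-LocalLockoutPolicy
    if (-not $p.Threshold) {
        return 'Account lockout threshold is 0 or not defined: lockout never triggers, so the duration has no effect'
    }
    if ($null -eq $p.DurationMinutes) {
        return 'Account lockout duration not defined: Windows applies the 30-minute default'
    }
    # The GUI shows "until an administrator unlocks it" as 0; secedit exports it as -1.
    if ($p.DurationMinutes -le 0) {
        return 'Account lockout duration is 0: accounts stay locked until an administrator unlocks them'
    }
    if ($p.DurationMinutes -lt $RecommendedMinutes) {
        return "Account lockout duration is $($p.DurationMinutes) min, below the recommended $RecommendedMinutes"
    }
    return "Account lockout duration is $($p.DurationMinutes) min, meeting the recommended $RecommendedMinutes"
}

Get-LocalLockoutPolicy | Format-List
Test-LockoutDuration
```

On a domain-joined machine the exported values reflect the domain policy applied through Group Policy, so the same check works for the GPO-based configuration described above.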


How to centrally manage the Account lockout duration in your Windows machines?

If you run a Windows-based network, you can configure the Account lockout duration for all the Windows machines in the network using a Group Policy Object (GPO). However, configuring GPOs is a tedious process.

Now, you can easily fix that with ManageEngine Vulnerability Manager Plus, a threat and vulnerability management solution to detect, assess, and remediate vulnerabilities and misconfigurations. With Vulnerability Manager Plus, you can continuously scan your network for machines in which Account lockout duration and other security settings are poorly configured and instantly bring them back to compliance by deploying the secure configuration with a single click.

Download a free, 30-day trial of Vulnerability Manager Plus and establish secure configurations across all your Windows endpoints.