Geek Rewind

How to Change Reset Account Lockout Counter After Time in Windows 11

This tutorial will show you how to change the Reset account lockout counter after policy in Windows 11 or Windows 10.

What Is Account Lockout?

Someone who tries many wrong passwords to log in might be a bad actor. They could be trying to guess your password. Windows keeps track of login tries. It can lock an account if too many wrong tries happen. This protects your computer from attacks.

The Account Lockout Policy settings control when an account gets locked and what happens next.

Important Policy Settings

Account lockout threshold: This is how many failed login tries will lock an account. You can set it from 1 to 999 tries. Or set it to 0 to never lock the account.

Account lockout duration: This is how many minutes a locked account stays locked before it unlocks on its own. An admin can also unlock it faster.

Reset account lockout counter after: This is how many minutes must pass after a failed login before the counter goes back to zero.

Allow Administrator account lockout: This decides if the Administrator account can be locked.

Why This Matters

Bad actors can try thousands of password combinations automatically. Limiting failed logins stops most of these attacks. However, someone could also lock all accounts on purpose as an attack. This is called a denial-of-service attack.

References:

Account Lockout Policy – Windows 10

Describes the Account Lockout Policy settings and links to information about each policy setting.

Reset account lockout counter after – Windows 10

Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting.

New Windows 11 Defaults

Starting with Windows 11 build 22528 and higher, the defaults are now:

  • Account lockout threshold: 10 failed tries
  • Account lockout duration: 10 minutes
  • Allow Administrator account lockout: Enabled
  • Reset account lockout counter after: 10 minutes

Note: You must be signed in as an administrator to change these settings.

Option One: Use Local Security Policy

Note: Local Security Policy is only in Windows 10/11 Pro, Enterprise, and Education editions. All editions can use Option Two instead.

  1. Open Local Security Policy. Press the Windows key and search for secpol.msc. Click it to open. ⚠️ Requires admin privileges
  2. Find Account Lockout Policy. In the left pane, click on Account Policies to expand it. Then click on Account Lockout Policy.
  3. Open Reset account lockout counter after. In the right pane, double-click on “Reset account lockout counter after” to open it.
  4. Enter the new time. Type a number between 1 and 99999 minutes. This is how long must pass before the failed login counter resets to zero. Click OK.

Important: Account lockout threshold must be enabled first. Also, Account lockout duration must be greater than or equal to Reset account lockout counter after. The default is 10 minutes.

  1. Check Account lockout duration. If Reset account lockout counter after is set higher than Account lockout duration, a popup will show suggested values. Click OK to confirm and update Account lockout duration.
  2. Change other settings (optional). You can also change Account lockout duration, Account lockout threshold, and Allow Administrator account lockout here.
  3. Close the window. When done, close Local Security Policy if you want.
windows 11 account lockout threshold change

Option Two: Use Windows Terminal

This method works on all Windows 10/11 editions.

  1. Open Windows Terminal as admin. Press the Windows key and search for Windows Terminal. Right-click it and select “Run as administrator.” ⚠️ Requires admin privileges Select either Windows PowerShell or Command Prompt.
  2. Check current settings. Copy and paste this command and press Enter:
    net accounts

    Look for “Lockout observation window (minutes)” to see the current setting.

  3. Change the setting. Copy and paste this command and press Enter:
    net accounts /lockoutwindow:<number>
    Replace <number> with a number between 1 and 99999 minutes. For example: net accounts /lockoutwindow:10

Important: Account lockout threshold must be enabled first. Also, Lockout duration (minutes) must be greater than or equal to Lockout observation window (minutes). The default is 10 minutes.

  1. Change other settings (optional). You can also change Account lockout threshold, Allow Administrator account lockout, and Reset account lockout counter after policies with other commands.
  2. Close Windows Terminal. When done, close Windows Terminal if you want.

Summary

Account lockout protects your computer by locking accounts after too many wrong password tries. Windows 11 now defaults to locking accounts after 10 failed tries for 10 minutes. You can change when the failed login counter resets using either Local Security Policy (on Pro/Enterprise/Education editions) or Windows Terminal (on all editions). Remember that Account lockout duration must be at least equal to Reset account lockout counter after. Both methods require admin access.

Categories:

Tags:

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *