How to Enable or Disable Built-in Administrator Account Lockout in Windows 11
This tutorial will show you how to enable or disable the Allow Administrator account lockout policy in Windows 11.
Open Local Security Policy by searching for secpol.msc. Navigate to Account Policies, then Account Lockout Policy. Double-click “Allow Administrator account lockout” and select Enabled or Disabled to control the setting. You need administrator privileges to modify this.
Why Account Lockout Matters
Someone who tries many wrong passwords might be a hacker trying to guess your password. Windows keeps track of failed login attempts. It can automatically lock an account to stop these attacks.
The Account Lockout Policy settings control when an account gets locked and what happens next.
Understanding the Settings
Windows 11’s account lockout settings help protect your PC by locking out accounts after too many wrong password attempts. You can set how many bad guesses are allowed before the account locks, how long it stays locked, and how long the system waits before resetting the bad guess counter.
Account lockout duration: This is how many minutes the account stays locked before it unlocks automatically. An admin can also unlock it manually.
Reset account lockout counter after: This is how many minutes must pass before the failed login counter resets to zero.
Allow Administrator account lockout: This setting controls whether the built-in Administrator account can be locked.
The Security Trade-off
Limiting failed login attempts stops most hacking attempts. However, a bad actor could try to lock out everyone’s accounts at once. This is called a denial-of-service attack.
New Default Settings
Windows 11 changed its default account lockout settings starting with build 22528 to improve security. Now, the built-in administrator account locks after 10 wrong password attempts for 10 minutes, and the system resets the failed attempt counter after 10 minutes by default.
- Account lockout threshold: 10 failed attempts
- Account lockout duration: 10 minutes
- Allow Administrator account lockout: Enabled
- Reset account lockout counter after: 10 minutes
References:
Account Lockout Policy – Windows 10
Describes the Account Lockout Policy settings and links to information about each policy setting.
KB5020282—Account lockout available for built-in local administrators – Microsoft Support
Important Requirements
You need administrator access to change these settings. This feature is only available in Windows 11 Pro, Enterprise, and Education editions.
How to Enable or Disable Administrator Account Lockout
You can easily turn the built-in administrator account lockout on or off using the Local Security Policy tool in Windows 11. First, open Local Security Policy by searching for ‘secpol.msc’ in the Windows search bar and pressing Enter.- [Admin Required] Open Local Security Policy. Press the Windows key and search for
secpol.msc, then press Enter. - In the left pane, click on Account Policies to expand it. Then click on Account Lockout Policy.
- In the right pane, double-click on Allow Administrator account lockout to open its settings.
- Note: The Account lockout threshold policy must be enabled first to change this setting.
- Select Enabled (the default) or Disabled for what you want. Then click OK.
- If you want, you can also change the Account lockout threshold, Account lockout duration, and Reset account lockout counter after settings.
- When you’re done, you can close the Local Security Policy window.
Summary
The Allow Administrator account lockout policy is a key security feature that locks your admin account after several incorrect password entries. Windows 11 now defaults to locking accounts for 10 minutes after 10 failed attempts, but you can change this using Local Security Policy on Pro, Enterprise, or Education versions.
How to enable or disable the built-in Administrator account in 🪟 Windows 11?
Command Prompt (All Editions): Run net user Administrator /active:yes to enable or /active:no to disable the built-in Administrator account in Windows 11. PowerShell (All Editions): Use Enable-LocalUser -Name “Administrator” or Disable-LocalUser -Name “Administrator” in an elevated session.
Is it safe to disable the built-in admin?
Is it safe to disable the built-in admin? Yes—in most environments, disabling it is a recommended hardening step because it removes a predictable, high-privilege target. Ensure you have at least one other approved admin account (local or domain) available before disabling it.
Was this guide helpful?
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
No comments yet — be the first to share your thoughts!