Knowledgebase

Below is the same guidance translated into English, showing how to disable or relax the account lockout policy on Windows Server 2025.

1. If the Server Is a Domain Controller (Active Directory)

1. Open the Group Policy Management Editor

   • On your Domain Controller, launch Group Policy Management (for example, via Server Manager → Tools → Group Policy Management).

   • Locate the Default Domain Policy (or whichever GPO you use for account policies), right-click it and choose Edit.

2. Navigate to “Account Lockout Policy”
   In the Group Policy Management Editor, browse to:

    

   Computer Configuration

   └─ Policies

     └─ Windows Settings

       └─ Security Settings

         └─ Account Policies

           └─ Account Lockout Policy

3. Adjust the Settings
   In the right pane, you’ll see three settings:

   • Account lockout threshold

     • This controls how many (failed) logon attempts trigger a lockout.

     • To disable account lockout entirely, set the threshold to 0 invalid logon attempts.

       With a threshold of 0, user accounts will never lock out due to repeated failed logons.

   • Account lockout duration

     • Specifies in minutes how long the account stays locked.

     • If you’ve set the threshold to 0, this setting effectively becomes irrelevant. However, if you want to keep lockouts but only briefly, you could set a low duration (e.g. 1 minute).

   • Reset account lockout counter after

     • Defines how many minutes before Windows resets the failed-logon counter back to zero.

     • Again, if threshold = 0, you don’t need to adjust this.

   In short, for complete disablement:

   • Set Account lockout threshold = 0

   • The other two options will become greyed out once threshold is zero.

4. Apply the New GPO

   • On each Domain Controller, open an elevated Command Prompt or PowerShell and run:

      

     gpupdate /force

     This forces the policy to update immediately.

   • Member computers in the domain will receive the updated policy automatically within a few minutes (or after their next GPUpdate/ reboot).

2. If the Server Is a Stand-alone or Member Server (Local Policy)

1. Open Local Security Policy

   • Press Start, type secpol.msc, and press Enter.

   • (Alternatively: Server Manager → Tools → Local Security Policy.)

2. Navigate to “Account Lockout Policy”
   In the Local Security Policy console, browse to:

    

   Security Settings

   └─ Account Policies

     └─ Account Lockout Policy

3. Modify the Settings
   – Account lockout threshold: Set this to 0 invalid logon attempts to disable lockouts.
   – Account lockout duration and Reset account lockout counter after: You don’t need to change these if the threshold is 0.

4. Apply

   • Click Apply or OK. The change takes effect immediately.

   • If you want to be certain, run gpupdate /force from an elevated Command Prompt.

3. Alternative: Using PowerShell or Command Prompt (for Stand-alone)

If you prefer a command-line approach:

1. Open an elevated PowerShell or Command Prompt

   • Right-click on PowerShell/Command Prompt → Run as Administrator.

2. Execute the Command to Disable Lockout

    

   net accounts /lockoutthreshold:0

   This sets the “Account lockout threshold” to 0, which effectively disables account lockouts.

   • To view current settings, run:

      

     net accounts

     You’ll see something like:

      

     Account lockout threshold: 0 invalid logon attempts Account lockout duration: Never Lockout observation window: Never

4. Security Considerations

• Risk of Brute-Force Attacks:
  Disabling account lockout entirely allows unlimited failed attempts, making your server more vulnerable to brute-force or dictionary attacks. If this server is exposed (for example, RDP accessible from the Internet), consider carefully whether you want to remove lockout completely.

  • As an alternative, you could set a higher threshold (e.g. 10–15 invalid attempts) and keep a short lockout duration (e.g. 1–5 minutes). That way, occasional mistyped passwords won’t lock users out permanently, but you still have some protection against an attacker attempting hundreds of guesses.

• Hidden Sources of Failed Attempts:
  Even if you reduce the lockout threshold, you might see accounts locking themselves because of:

  1. Mapped network drives using stale credentials.

  2. Scheduled tasks running under a user’s account with an outdated password.

  3. Windows services configured to run under that user’s account.

  4. Mobile devices or email clients (e.g. Outlook on phone) attempting to sync with an old password.

  • If you notice repeated lockouts, check whether any of the above are still trying to authenticate with the old password. Updating or removing those stored credentials often fixes the problem without disabling lockout entirely.

Quick Summary (Stand-alone / Member Server)

1. Open Local Security Policy (secpol.msc).

2. Go to Account Policies → Account Lockout Policy.

3. Set Account lockout threshold = 0.

4. Click Apply/OK (then optionally run gpupdate /force).

Quick Summary (Domain Controller)

1. Open Group Policy Management → edit the GPO that controls account lockout (e.g. Default Domain Policy).

2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy.

3. Set Account lockout threshold = 0.

4. Click Apply/OK, then run gpupdate /force on the DC(s) or wait for the policy to propagate.

Once these steps are complete, accounts will no longer lock out due to multiple failed logon attempts. If you’d rather just make lockouts less frequent rather than remove them entirely, increase the threshold (for example, to 10) and set a short lockout duration (for example, 5 minutes).