Account lockout duration
ID: oval:org.secpod.oval:def:79717 | Date: (C)2022-05-07 (M)2023-07-14 |
Class: COMPLIANCE | Family: windows |
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Counter Measure:
Configure the Account lockout duration setting to an appropriate value for your environment. To specify that the account will remain locked until an administrator manually unlocks it, configure the value to 0. When the Account lockout duration setting is configured to a non-zero value, automated attempts to guess account passwords must wait for this interval before they resume attempts against a specific account. Using this setting in combination with the Account lockout threshold setting makes automated password guessing attempts more difficult.
Potential Impact:
Although it may seem like a good idea to configure this policy setting to never automatically unlock an account, such a configuration can increase the number of requests that your organization's help desk receives to unlock accounts that were locked by mistake.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_SecuritySettingNumeric#Setting#KeyName=LockoutDuration And precedence=1
Platform: Microsoft Windows 11
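The following PowerShell is an added example, not part of the original definition or SecPod's check content. It reads the effective value through the WMI path listed under Fix and applies the range and "duration must be greater than or equal to the reset time" rules described above. The helper names and the `LockoutBadCount` and `ResetLockoutCount` key names are assumptions, as is the expectation that the RSoP value uses the same minutes and 0 convention as the policy text.

```powershell
# Added example. Namespace, class and the LockoutDuration key come from the
# WMI line under Fix; LockoutBadCount and ResetLockoutCount are assumed key names.
function Get-RsopNumeric {
    param([Parameter(Mandatory)][string]$KeyName)
    $inst = Get-CimInstance -Namespace 'root\rsop\computer' `
        -ClassName 'RSOP_SecuritySettingNumeric' `
        -Filter "KeyName='$KeyName' AND precedence=1" -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($inst) { [long]$inst.Setting } else { $null }   # $null = not set by policy
}

function Test-LockoutDuration {
    param($Threshold, $Duration, $ResetAfter)   # attempts, minutes, minutes
    $result = { param($ok, $why) [pscustomobject]@{ Ok = $ok; Reason = $why } }
    # A threshold of 0 (or none) means accounts never lock, so duration is moot.
    if ($null -eq $Threshold -or $Threshold -eq 0) {
        return & $result $null 'No lockout threshold defined; duration has no effect'
    }
    if ($null -eq $Duration) {
        return & $result $false 'Threshold is set but no lockout duration is defined'
    }
    if ($Duration -lt 0 -or $Duration -gt 99999) {
        return & $result $false "Duration $Duration is outside 0-99999 minutes"
    }
    # 0 means locked until an administrator unlocks, so it cannot undercut the reset time.
    if ($Duration -eq 0) {
        return & $result $true 'Locked until an administrator unlocks the account'
    }
    if ($null -ne $ResetAfter -and $Duration -lt $ResetAfter) {
        return & $result $false "Duration $Duration min is shorter than reset time $ResetAfter min"
    }
    & $result $true "Accounts unlock automatically after $Duration min"
}

# Constructed sample values (no live system needed):
Test-LockoutDuration -Threshold 5 -Duration 15 -ResetAfter 30   # duration below reset time
Test-LockoutDuration -Threshold 5 -Duration 0  -ResetAfter 30   # administrator unlock only
Test-LockoutDuration -Threshold 0 -Duration 30 -ResetAfter 30   # lockout disabled

# On a Windows host with RSoP data:
Test-LockoutDuration -Threshold (Get-RsopNumeric 'LockoutBadCount') `
    -Duration (Get-RsopNumeric 'LockoutDuration') `
    -ResetAfter (Get-RsopNumeric 'ResetLockoutCount')
```

`Get-RsopNumeric` returns `$null` when no applied policy defines the key, which the check reports rather than treating as a value of 0.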