Account Lockout locks a user account if a number of failed logon attempts occur within a specified amount of time. Account Lockout is a useful and important security feature. This article explains how to enable account lockout, and auditing of lockouts, by using a Microsoft program. LAlarm also provides a similar (and simplified) tool to enable account lockout and account policy. If you’d like to use the LAlarm tool instead, please see the manual.
- For Vista Business, Ultimate, Windows 7 Pro, Windows 7 Ultimate and XP Pro
- For Vista Home and Windows 7 Home
- For XP Home
- How To Verify Settings?
For Vista Business, Ultimate, Windows 7 Pro, Windows 7 Ultimate and XP Pro
- Run secpol.msc
- Select Account Policies / Account Lockout Policy.
- Specify the lockout duration and threshold. For example, enter 30 minutes for the Account lockout duration value and 4 for the Account lockout threshold value. This means that 4 invalid logon attempts will trigger an account lockout. For the “Reset account lockout counter after” value, you can enter the same number as the threshold or refer to the Microsoft Windows local security policy guideline.
Note: secpol.msc is the Local Security Policy tool. You can also run it by selecting Start / Settings / Control Panel / Administrative Tools / Local Security Policy.
Enabling Audit Policy For Account Lockout
- Run secpol.msc
- Select Local Policies and Audit Policy.
- Double-click “account management” and select both Success and Failure.
For Vista Home Edition and Windows 7 Home Edition
Vista Home edition and Windows 7 Home edition do not have secpol.msc, so you have to use an alternative. If you are using an English edition of Windows, you can use the LAlarm account lockout tool described in the product manual, or you can contact your network administrator for help if you have one. If you are using non-English Windows, contact LAlarm Tech Support or your administrator for help.
How To Verify Settings?
- Enable lockout and the audit policy for account management.
- Restart the computer.
- Enter a wrong password (or user name) at the logon prompt repeatedly.
- Wait until the lockout ends.
- Check the security events (eventvwr.msc) to see if the lockout event is recorded. The setting is correct if an account lockout event is recorded in the security events.
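
The same enable-and-verify procedure can be scripted. The PowerShell below is an added example, not part of the original article or the LAlarm tool; it uses the built-in net accounts, auditpol and Get-WinEvent commands. It assumes an elevated prompt on English-language Windows Vista or Windows 7 with PowerShell 2.0 or later; the function names and the 30-minute counter reset are assumptions.

```powershell
# Added example: run from an elevated PowerShell prompt (Windows Vista / Windows 7).
# 4 attempts and 30 minutes are the article's example values; the 30-minute
# counter reset is an assumed value and must not exceed the lockout duration.
$Threshold = 4
$Duration  = 30
$Window    = 30

function Set-LockoutAndAudit {        # hypothetical helper name
    # Same settings as secpol.msc > Account Policies > Account Lockout Policy.
    net accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$Duration" "/lockoutwindow:$Window" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'net accounts failed (prompt not elevated?)' }
    # Same as Local Policies > Audit Policy > account management: Success, Failure.
    # The category name is the English one; localized Windows uses a translated name.
    auditpol /set /category:"Account Management" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol failed' }
}

function Test-LockoutPolicy {         # hypothetical helper name
    # Read the policy back from "net accounts" (English output assumed).
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Lockout [^:]+):\s+(\S+)') { $policy[$Matches[1]] = $Matches[2] }
    }
    ($policy['Lockout threshold'] -eq "$Threshold") -and
    ($policy['Lockout duration (minutes)'] -eq "$Duration") -and
    ($policy['Lockout observation window (minutes)'] -eq "$Window")
}

function Get-LockoutEvent {           # hypothetical helper name
    # Event ID 4740 = "A user account was locked out" in the Security log.
    # Returns nothing if no lockout has been recorded yet.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'Account'; Expression = { $_.Properties[0].Value } }
}

Set-LockoutAndAudit
if (-not (Test-LockoutPolicy)) { Write-Warning 'Lockout policy does not match the requested values.' }
# After the restart and the failed logons described above, run: Get-LockoutEvent
```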