Windows Server Lockout policy based on Username

To lock out an account for a period of time after a number of incorrect login attempts, you can set up Account Lockout Policies in Windows.

Note: This does NOT apply to the Administrator account (so you may want to disable the Administrator account and create a different account with administrator rights).

Lockout policies can be useful to prevent brute-force password guessing attacks, but they can also cause your own accounts to be locked out, leaving you unable to access the server (so plan accordingly).

Here are two methods of performing this task!

via Local Security Policy Editor

  1. To open Local Security Policy, on the Start screen, type secpol.msc, and then press Enter.
  2. Under Security Settings of the console tree, click Account Policies.
  3. Click Account Lockout Policy and set values for the three options that you want to modify.
  4. Modify the security policy setting, and then click OK.

via Group Policy Editor

  1. To open Group Policy Editor console, on the Start screen, type gpedit.msc, and then press Enter.
  2. In the console tree, click Computer Configuration, click Windows Settings, and then click Security Settings.
  3. Click Account Policies to edit the Account Lockout Policy.
  4. In the details pane, double-click the security policy setting that you want to modify.
  5. Modify the security policy setting, and then click OK.
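
The same three settings can be applied and read back from an elevated PowerShell prompt using the built-in `net accounts` and `secedit` tools. This is an added example, not part of the original page; the values 5/30/30 and the helper name `Get-LockoutPolicy` are assumptions for illustration, and it assumes a standalone or member server with Windows PowerShell 5.1 or later.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Values below are illustrative assumptions, not recommendations from the page.
$Threshold = 5    # invalid logon attempts before lockout (0 = never lock out)
$Duration  = 30   # minutes an account stays locked
$Window    = 30   # minutes until the failed-attempt counter resets (must be <= $Duration)

function Get-LockoutPolicy {
    # Hypothetical helper: export the local security policy and read the three
    # lockout values. The INF key names are not localized, unlike "net accounts" output.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $policy = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

# Apply the three Account Lockout Policy settings in one call.
net accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$Duration" "/lockoutwindow:$Window"
if ($LASTEXITCODE -ne 0) { throw "net accounts failed ($LASTEXITCODE)" }

# Read the policy back and confirm it matches what was requested.
$p = Get-LockoutPolicy
if ($p['LockoutBadCount'] -ne $Threshold -or
    $p['LockoutDuration'] -ne $Duration -or
    $p['ResetLockoutCount'] -ne $Window) {
    Write-Warning "Lockout policy differs from the requested values (a domain GPO may be overriding it)."
}
$p.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# The page notes the policy does not apply to the built-in Administrator account.
# That account always has a SID ending in -500, even if it has been renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin.Enabled) {
    Write-Warning "Built-in Administrator '$($admin.Name)' is enabled and is not covered by lockout."
}
```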

To unlock an account

If a legitimate user is locked out, log in under an active account (with administrator rights), go to the locked-out user's properties, and uncheck the box "Account is locked out".

You can see the detailed status of a user account by opening the command prompt and typing:

C:\> net user <username>