
Disable or Change Windows Server Account Lockout

Last updated on Nov 02, 2025

When attempting to connect to your Windows Server via Remote Desktop, you may encounter this security error:

"As a security precaution, the user account has been locked out because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support."

This occurs when Windows Server's default security policy temporarily locks an account after multiple failed login attempts. The lockout blocks unauthorised access attempts, but it can also block legitimate users.

Understanding Account Lockout Policies

Windows Server implements account lockout policies as a security measure against brute-force attacks. The system tracks failed login attempts and temporarily disables accounts that exceed the configured threshold. These policies include:

  • Account lockout threshold: Number of failed attempts before lockout

  • Account lockout duration: How long the account remains locked

  • Reset account lockout counter after: Time before the failed attempt counter resets

Solution: Modify Account Lockout Settings

Access Local Security Policy

  1. Use the Onidel Console feature to access the Windows server.

  2. Click the Start button or press the Windows key

  3. Type secpol.msc or search for Local Security Policy

  4. Run the application as Administrator

Navigate to Account Lockout Settings

  1. In the Local Security Policy window, expand Account Policies in the left panel

  2. Select Account Lockout Policy

  3. You'll see three configurable settings in the right panel

Configure the Settings

Option 1: Disable Account Lockout (Less Secure)

  • Double-click Account lockout threshold

  • Set the value to 0 (zero)

  • Click OK to apply

  • This completely disables account lockouts, allowing unlimited login attempts

Option 2: Adjust Lockout Parameters (Recommended)

  • Account lockout threshold: Set to a reasonable number (e.g., 5-10 attempts)

  • Account lockout duration: Configure in minutes (e.g., 30 minutes)

    • Set to 0 to require a manual unlock by an administrator

    • Set to a specific value for automatic unlock after that duration

  • Reset account lockout counter after: Set the time window for counting attempts (e.g., 30 minutes)

Apply Changes

After modifying the settings:

  1. Click OK to save each setting

  2. Close the Local Security Policy window

  3. Changes take effect immediately - no restart required

Security Considerations

While disabling or reducing account lockout restrictions improves accessibility, consider these security implications:

  • Disabling lockouts (threshold = 0) removes protection against brute-force attacks

  • Short lockout durations may not sufficiently deter automated attacks

  • High thresholds reduce security but minimise accidental lockouts

For production servers, we recommend:

  • Maintain a threshold of 5-10 attempts

  • Set lockout duration to 15-30 minutes

  • Use complex passwords to reduce the likelihood of successful attacks

  • Consider implementing additional security layers like IP whitelisting or VPN access
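
The same three settings can be audited and set from an elevated PowerShell prompt instead of the Local Security Policy window. The script below is an added example, not part of the original guide: it reads the current policy with `secedit /export`, warns when the threshold is 0 or outside the 5-10 range recommended above, and with `-Apply` sets the Option 2 values through `net accounts`. It assumes a standalone (non-domain-joined) server; the parameter names and the `Get-LockoutPolicy` helper are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the guide): audit the local lockout policy and, with
# -Apply, set the Option 2 values. Parameter and function names are hypothetical.
param(
    [int]$Threshold = 5,        # failed attempts before lockout (guide: 5-10)
    [int]$DurationMinutes = 30, # lockout duration (guide: 15-30 for production)
    [int]$WindowMinutes = 30,   # "Reset account lockout counter after"
    [switch]$Apply              # without -Apply the script only reports
)

function Get-LockoutPolicy {
    # secedit exports fixed key names, so parsing does not depend on the UI language.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$current = Get-LockoutPolicy
$badCount = $current['LockoutBadCount']
if (-not $badCount) {
    Write-Warning 'Lockout threshold is 0: lockout is disabled and logon attempts are unlimited.'
} else {
    # Duration and reset window are only exported when the threshold is non-zero.
    # LockoutDuration = -1 means locked until an administrator unlocks the account.
    'Threshold: {0}, duration: {1} min, counter reset: {2} min' -f $badCount, $current['LockoutDuration'], $current['ResetLockoutCount']
    if ($badCount -lt 5 -or $badCount -gt 10) {
        Write-Warning 'Threshold is outside the 5-10 range recommended above.'
    }
}

if ($Apply) {
    # Windows requires the lockout duration to be at least the counter reset window.
    if ($DurationMinutes -lt $WindowMinutes) { throw 'DurationMinutes must be >= WindowMinutes.' }
    net accounts "/lockoutthreshold:$Threshold" "/lockoutwindow:$WindowMinutes" "/lockoutduration:$DurationMinutes"
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
    Get-LockoutPolicy   # show the values now in effect
}
```

Run it without arguments to report only; add `-Apply` (optionally with `-Threshold`, `-DurationMinutes`, `-WindowMinutes`) to change the policy.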