Sysadmins and all Windows users can now block brute force attacks on their computer’s local Administrator account. Previously, this feature was not available for the built-in Administrator account, and anyone could enter the wrong credentials for this account as many times as they liked, and get away with it.
A brute force attack is a trial-and-error technique used to guess the credentials and log into a system. However, Microsoft has now added a Group Policy to all Windows versions named “Allow Administrator account lockout,” which is an account lockout policy applicable to the local Administrator account.
Previously, this policy was only available for Windows 11. However, now, this is available for all versions, including Windows 10. Furthermore, now, this policy is enabled by default.
This means, if you have configured the “Account lockout threshold” policy and incorrect credentials are entered in the same amount of time, the account will be locked and the user will be unable to enter more credentials.
Let us now discuss the policy in depth and see how to configure it.
What is “Allow Administrator Account Lockout” GPO
The “Allow Administrator account lockout” policy was earlier added to Windows 11 only but had recently been integrated into other versions as well.
By enabling this Group Policy, the local Administrator account (if enabled) will automatically lock for a set period after a set number of failed sign-in attempts within a set amount of time.
We use the word “set” because these values are configurable. By default, the Administrator account will lock itself for 10 minutes when the said number of wrong attempts is entered within 10 minutes. However, these values are changeable.
The “Allow Administrator account lockout” group policy can be found at the following path inside the Group Policy editor:
Local Compter Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy
Let us now show you how to configure this policy to keep your computer safe from brute force attacks and unauthorized remote logins.
How to Configure Administrator Account Lockout Policy in Windows
If you go ahead and try to configure the “Allow Administrator account lockout” policy, you will find that the options are grayed out (when no other configuration is done.)
This is because this policy is dependent upon the “Account lockout threshold” policy, which needs to be configured first. Its default value is “0,” which means that the account lockout policy is disabled.
Moreover, 2 more GPOs work in coherence to form the Administrator account lockout policy. Here are the details for these policies:
-
Account lockout duration
The time (in minutes) for when the user will be unable to sign back in, even with the correct credentials.
Range: 0-99,999 minutes.
-
Account lockout threshold
Defines how many tries before the Administrator account is locked and no more login attempts are granted.
Range: 0-999
-
Allow Administrator account lockout
Whether the Administrator account will be locked out or not.
-
Reset account lockout counter after
Defines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
Range: 1-99,999 minutes.
Now that you understand what each of these policies is for, follow these steps to configure your local Administrator account to lockout:
-
Open the Group Policy editor by typing in gpedit.msc in the Run Command box.
Open Group Policy editor -
Now navigate to the following from the left pane:
Local Compter Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy
-
Now double-click the policy “Account lockout threshold” in the right pane, and set the number of wrong attempts you want to allow before the Administrator account locks itself.
Set account lockout threshold Click Apply and Ok when done.
-
Now make sure that the “Allow Administrator account lockout” policy is enabled (default value). If not, double-click it and Enable it.
Note: If you do not want the Administrator account to lock out but want only the other accounts, then set this policy to Disabled.
Enable Administrator account lockout -
Double-click “Account lockout duration” and now enter the time you want the Administrator to lock itself for.
Set time to lock account for Click Apply and Ok when done.
-
Now double-click “Reset account lockout counter after” and enter the time you want the threshold counter to reset to 0.
Note: This value should be less than or equal to the value for “Account lockout duration.”
Set time to reset threshold counter to 0 Click Apply and Ok when done.
-
Now that all policies have been configured, run the following cmdlet in an elevated Command Prompt to enforce the new policies:
GPUpdate /Force
Enforce new group policies
Your local Administrator account will now automatically lock itself and deny any login attempts when incorrect login attempts are made that satisfy your policy configurations.
If you want to disable this feature in the future, all you need to do is change the value for “Account lockout threshold” to 0, and all other policies will return to their default values automatically.
Final Analysis
Having an added layer of security is always beneficial. By configuring the local Administrator account to lockout, you keep an intruder from entering the computer account with the most elevated privileges.
Even if an attacker were to succeed and eventually enter the correct password, it would now take them much longer to achieve that goal, since the account will be locked out for several minutes.
