The Account Lockout Policy is one of local security policies under Windows system, which controls how and when a user account will be locked out. If you know little about that, this guide will help you understand what Account Lockout Policy is.
The account lockout policy includes three items: Account lockout threshold, Account lockout duration and Reset account lockout counter after. You can open Local Security Policy to view that.
This policy configures the number of failed logon attempts that will cause account lockout. The value of this policy is set to 0 by default, which means the account will never be locked out no matter how many logon attempts are failed. You can change the value in the range of 0 ~ 999. For example, if you set the value to 3, your account will be locked out after three failed logon attempts.
This policy determines the number of minutes that must pass after a lockout before the account can be unlocked automatically. The value of this policy is not set by default and it can be set only when the value of Account Lockout Threshold is greater than 0. The value will be set to 30 minutes by default after you set the value of Account lockout threshold. You can change the value of Account Lockout Duration in the range of 0~99999 minutes; if the value is 0, the account will remain locked until an administrator unlocks it manually.
This policy determines the number of minutes that must pass after an invalid logon attempt before the counter resets to zero. I will give an example to help you better understand that. For example, if you have set this value to 30 minutes, and set the "Account Lockout Threshold" to 3, if a user tries three wrong attempts in this 30 minutes, the account will get locked out. If the user tries two wrong attempts in the 30 minutes and tries the third wrong attempt at 31 minutes, the account will not be locked. Because the counter is reset to 0 at 31 minutes and he gets 3 more chances.
By default, this policy is not defined, and cannot be set before the Account lockout threshold is configured. Its value will also be changed to 30 minutes by default after you configure the value of Account lockout threshold. You can change the value of "Reset Account Lockout Counter after" in the range of 0~99999 minutes, but make sure it is less than or equal to the account lockout duration.
