Account lockout duration
|ID: oval:org.secpod.oval:def:36555||Date: (C)2016-08-05 (M)2017-11-21|
|Class: COMPLIANCE||Family: windows|
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Configure the Account lockout duration setting to an appropriate value for your environment. To specify that the account will remain locked until an administrator manually unlocks it, configure the value to 0. When the Account lockout duration setting is configured to a non-zero value, automated attempts to guess account passwords must wait for this interval before they resume attempts against a specific account. Using this setting in combination with the Account lockout threshold setting makes automated password guessing attempts more difficult.
Although it may seem like a good idea to configure this policy setting to never automatically unlock an account, such a configuration can increase the number of requests that your organization's help desk receives to unlock accounts that were locked by mistake.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_SecuritySettingNumeric#Setting#KeyName='LockoutDuration' And precedence=1
|Microsoft Windows 10|