Windows Local Security Settings Console - Use it for better password and account management - All settings and instructions

Windows Local Security Settings Console - Use it for better password and account management - All settings and instructions
Page content

Windows Password Security Policies / Account Lockout Policies

We first need to open Windows Local Security Settings Console. To do this, press Windows key + R together, then type in “secpol.msc” and click on OK.

A new window will open, now click on “Password Policy”. Now, we can change settings for the following options:

Enforce password history

We often change our passwords to ensure better security but what benefit would password changing give if we change the password to the old ones? New and different password gives us confidence because old password no longer exists, which perhaps, anyone else had secretly stolen. The “Enforce password history” setting determines how many new passwords must be created first for a particular user, before the old passwords can be reused. Many users often change their passwords to the old ones; this setting will help restrict this. The recommended value for this setting is 4-5.

Minimum password age

This value determines for how long a new password can be used before a new one can be chosen. This option can be used along with ‘Enforce password history’ option, which can help restricting users re-using passwords too frequently. The default value is 0, which means new password can be set immediately but it is not recommended, a few days should be better for this setting.

Maximum password age

Password must be changed about every 30 days. This value specifies number of days a password can be used before it will expire. If you set it to 0, it will mean the password will never expire but it is not recommended.

Minimum password length

Force users to make their passwords with at least 6 alphanumeric characters, the longer the password, the harder it is to guess. Value for this setting range from 0 to 14

Password must meet complexity requirements

Set it to enable so that users must create passwords that meets certain complexity requirements.

For instructions on creating passwords that would meet complexity requirements, which are also unbreakable, read this guide: How To Create Unbreakable Passwords

Following the above will help you forcing users to create stronger and tougher to crack passwords but it will still not prevent someone from repeatedly trying to logon if they know the username at least. This is where we can take advantage from Account lockout policy.

We will now see how Account lockout policy can be used. Now open the Account lockout policy from Windows Local Security Policy and change settings for the following.

Account lockout threshold

This setting specifies number of failed attempts before the account will be locked. If value is set to 0, the account will never lockout. Recommended value is 3 for failed number of attempts before account will be locked out.

Account lockout duration

The locked account can be unlocked automatically, after specified number of minutes has passed. With a value set to 0, the account will remain unlocked until the administrator unlocks it, no one other than administrator would be able to unlock it. Any number higher than 0 will unlock the account after ’n’ minutes.

Note: The value for this setting should be higher than the value for ‘Reset account lockout after’

Reset account lockout counter after

Setting for this option resets the counter for failed logon attempts, after the specified number of minutes of account lockout threshold has been passed. Value for this option can be set up to 9999, I personally would recommend 60 minutes.