Configure remote access client account lockout Print

The failed attempts counter is periodically reset to zero (0). It's automatically reset to zero after the reset time in the following situation:

An account is locked out after the maximum number of failed attempts.

To activate remote access client account lockout and reset time, follow these steps:

1. Select Start > Run, type regedit in the Open box, and then press ENTER.

2. Locate and then select the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

3. Double-click the MaxDenials value.

   The default value is zero. It indicates that account lockout is turned off. Type the number of failed attempts before you want the account to be locked out.

4. Select OK.

5. Double-click the ResetTime (mins) value.

   The default value is 0xb40 that is hexadecimal for 2,880 minutes (two days). Modify this value to meet your network security requirements.

6. Select OK.

7. Quit Registry Editor.

If the account is locked out, the user can try to log on again after the lockout timer has run out. Or, you can delete the DomainName:UserName value in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

To manually unlock an account, follow these steps:

1. Select Start > Run, type regedit in the Open box, and then press ENTER.

2. Locate and then select the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

3. Find the Domain Name:User Name value, and then delete the entry.

4. Quit Registry Editor.

5. Test the account to confirm that it's no longer locked out.

Note: Must Update Group Policy 

Open Command Prompt in the Windows Recovery Environment, paste gpupdate /force in the terminal, and press Enter.

For more information about the remote access client lockout feature, see Account Lockout Policy. 

Artical