How to Set Account Lockout Policy in Batch Script
An "Account Lockout Policy" is a collection of security rules that determine how your system handles failed password attempts. This policy is the cornerstone of defense against "Brute Force" and "Dictionary" attacks, protecting your local users from being compromised by automated guessing tools. By configuring the threshold (how many tries allowed), the window (the time between tries), and the duration (how long the user is blocked), you create a robust security net.
This guide explains how to use the net accounts command to define your account lockout policy via a Batch script.
The Three Pillars of a Lockout Policy
To have a complete policy, you must set three different parameters:
- Threshold (/lockoutthreshold): The number of bad passwords allowed before the account locks.
- Window (/lockoutwindow): The number of minutes that must pass before the failed attempt counter resets to zero.
- Duration (/lockoutduration): The number of minutes an account remains locked before it automatically unlocks (use 0 for "Manual Unlock Required").
These commands manage the local computer policy only. If the machine is joined to an Active Directory domain, the domain's Default Domain Policy (applied by the Domain Controllers) overrides whatever you set locally, so check the effective policy with net accounts after applying it.
Method: Configuring a Complete Lockout Policy
The net accounts command allows you to set all three pillars of the policy in a single line of code.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required.
pause
exit /b 1
)
:: Threshold: 5 attempts
:: Window: 30 minutes
:: Duration: 30 minutes
echo [PROCESS] Applying Global Account Lockout Policy...
net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30
if %errorlevel% equ 0 (
echo [SUCCESS] Security policy updated:
echo - Lockout after: 5 failed attempts
echo - Counter resets: 30 minutes
echo - Locked for: 30 minutes
) else (
echo [ERROR] Failed to update policy. Code: %errorlevel%
echo [HELP] Ensure the duration is greater than or equal to the window.
)
pause
Creating a Policy Standardizer Script
A professional administrator uses a script to show current settings, apply the hardened policy, and verify the result.
@echo off
setlocal
echo ============================================================
echo Local Security Policy Standardizer
echo ============================================================
:: 1. Verify Administrative Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [CRITICAL] Admin rights REQUIRED for account configuration.
pause
exit /b 1
)
:: 2. Show current settings before changes
echo.
echo [BEFORE] Current Lockout Policy:
net accounts 2>nul | findstr /i /c:"Lockout"
echo.
:: 3. Configure Settings
echo [STEP 1/2] Enforcing 5-attempt threshold...
net accounts /lockoutthreshold:5 >nul
if %errorlevel% neq 0 (
echo [FAIL] Could not set threshold.
pause
exit /b 1
)
echo [PASS] Threshold set to 5 attempts.
echo [STEP 2/2] Enforcing timing rules (Window: 15m, Duration: 60m^)...
net accounts /lockoutwindow:15 /lockoutduration:60 >nul
if %errorlevel% neq 0 (
echo [FAIL] Could not set timing rules.
echo [HELP] Duration must be ^>= Window. (60 ^>= 15: OK^)
pause
exit /b 1
)
echo [PASS] Window: 15 minutes, Duration: 60 minutes.
:: 4. Verify the changes
echo.
echo [AFTER] Updated Lockout Policy:
net accounts 2>nul | findstr /i /c:"Lockout"
echo.
echo [SUCCESS] Policy standardization complete.
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
Setting security policies is a highly restricted operation. You must run your Batch script (and the CMD window) as an Administrator.
Duration Must Be >= Window
Windows enforces a logic rule: The Lockout Duration must be greater than or equal to the Lockout Window.
Wrong Way:
net accounts /lockoutwindow:60 /lockoutduration:10
:: Result: "The value of lockoutduration must be greater than or equal to lockoutwindow."
Correct Way: Always ensure your duration is the same or longer than your reset window.
Threshold Must Be Set First
The /lockoutwindow and /lockoutduration options only work if a lockout threshold has already been set. If no threshold exists, these timing options will fail.
For maximum security, the Lockout Duration can be set to 0. This means the account stays locked until an IT administrator manually unlocks it, preventing an attacker from simply waiting 30 minutes and trying again.
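The three pitfalls above (admin rights, duration not below window, threshold before timing options) can all be checked before net accounts is ever called. The following parameterized script is an added example, not code from the original article: it takes threshold, window and duration as arguments, validates them locally using the rules this page describes (including the page's statement that a duration of 0 means "manual unlock required"), and only then applies them in the order the page requires. The script name SetLockout.cmd and the exit codes are assumptions for the example.

```batch
@echo off
setlocal
:: Added example (not from the original article): apply a lockout policy from
:: command-line arguments after validating them locally, so the rules the
:: article describes are checked before "net accounts" is called.
:: Usage: SetLockout.cmd <threshold> <window-minutes> <duration-minutes>
::   e.g. SetLockout.cmd 5 15 60   (duration 0 = locked until an admin unlocks, per the article)

if "%~3"=="" (
    echo Usage: %~nx0 ^<threshold^> ^<window-minutes^> ^<duration-minutes^>
    exit /b 2
)
set "THRESHOLD=%~1"
set "WINDOW=%~2"
set "DURATION=%~3"

:: Reject non-numeric input before it reaches net accounts.
for %%V in ("%THRESHOLD%" "%WINDOW%" "%DURATION%") do (
    echo %%~V| findstr /r "^[0-9][0-9]*$" >nul || (
        echo [ERROR] "%%~V" is not a whole number.
        exit /b 2
    )
)

:: Rule 1: a threshold of 0 disables lockout entirely, which is not what a hardening script should do.
if %THRESHOLD% lss 1 (
    echo [ERROR] Threshold must be at least 1.
    exit /b 2
)

:: Rule 2: duration must be >= window; 0 is exempt because it means "manual unlock required".
if %DURATION% neq 0 if %DURATION% lss %WINDOW% (
    echo [ERROR] Duration (%DURATION%^) must be greater than or equal to window (%WINDOW%^).
    exit /b 2
)

:: Rule 3: security policy changes require an elevated prompt.
net session >nul 2>&1 || (
    echo [ERROR] Run this script from an elevated command prompt.
    exit /b 1
)

:: Rule 4: set the threshold first; the timing options require it to exist.
net accounts /lockoutthreshold:%THRESHOLD% >nul || (
    echo [FAIL] Could not set threshold.
    exit /b 1
)
net accounts /lockoutwindow:%WINDOW% /lockoutduration:%DURATION% >nul || (
    echo [FAIL] Could not set window/duration.
    exit /b 1
)

echo [SUCCESS] Threshold=%THRESHOLD% Window=%WINDOW% Duration=%DURATION%
:: Show the effective values so the result can be eyeballed (or logged by a calling script).
net accounts 2>nul | findstr /i /c:"Lockout"
exit /b 0
```

Validating in the script rather than relying on the error message from net accounts gives a distinct exit code (2 for bad input, 1 for a failed apply), which is what a deployment tool or scheduled task needs in order to report the failure correctly.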
Best Practices for Policy Management
- Monitor the Logs: When a policy is triggered, check the Security Event Log for Event ID 4740 to see which computer the attack originated from.
- Combine with Password Length: A lockout policy is most effective when paired with a strong minimum password length (recommended: 10+ characters).
- Audit Regularly: Periodically run your script to ensure that "Configuration Drift" (manual changes by users) hasn't weakened your local security perimeter.
Be aware that a strict policy (like a 3-attempt threshold) can lead to a high volume of support calls from legitimate users who simply mistyped their passwords. Balance security with operational usability.
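To make the "Audit Regularly" and "Monitor the Logs" practices concrete, the following script is an added example (not part of the original article). It reads the three lockout values back from net accounts, compares them against a baseline (the 5/15/60 values used by the standardizer script above), reports any configuration drift, and lists the most recent Event ID 4740 lockout records from the Security log using wevtutil. It assumes the English output labels of net accounts and wevtutil; on a localized Windows the findstr strings must be adjusted.

```batch
@echo off
setlocal
:: Added audit example (not from the original article). Assumes the English
:: output labels of "net accounts"; adjust the findstr strings on localized systems.
:: Baseline values are the ones applied by the article's standardizer script.
set "BASE_THRESHOLD=5"
set "BASE_WINDOW=15"
set "BASE_DURATION=60"
set "DRIFT=0"

:: Read each value by its label; the value is the trimmed text after the colon.
call :ReadValue "Lockout threshold" CUR_THRESHOLD
call :ReadValue "Lockout duration" CUR_DURATION
call :ReadValue "Lockout observation window" CUR_WINDOW

echo [AUDIT] Threshold=%CUR_THRESHOLD% Window=%CUR_WINDOW% Duration=%CUR_DURATION%

call :Compare "Threshold" "%CUR_THRESHOLD%" "%BASE_THRESHOLD%"
call :Compare "Window" "%CUR_WINDOW%" "%BASE_WINDOW%"
call :Compare "Duration" "%CUR_DURATION%" "%BASE_DURATION%"

if %DRIFT% neq 0 (
    echo [WARN] Configuration drift detected. Re-run the standardizer script.
) else (
    echo [OK] Lockout policy matches the baseline.
)

:: Show the ten most recent lockout events (ID 4740), newest first.
:: Reading the Security log requires an elevated prompt; errors are suppressed.
echo.
echo [EVENTS] Recent account lockouts (Event ID 4740):
wevtutil qe Security /q:"*[System[(EventID=4740)]]" /c:10 /rd:true /f:text 2>nul | findstr /i /c:"Date:" /c:"Account Name" /c:"Caller Computer Name"
exit /b %DRIFT%

:ReadValue
:: %1 = label to search for, %2 = name of the variable that receives the value.
:: "Never" is returned when lockout is disabled, so callers must not assume a number.
set "%2="
for /f "tokens=2 delims=:" %%A in ('net accounts 2^>nul ^| findstr /c:"%~1"') do (
    for /f "tokens=1" %%B in ("%%A") do set "%2=%%B"
)
exit /b 0

:Compare
:: %1 = setting name, %2 = current value, %3 = baseline value.
if /i "%~2"=="%~3" (
    echo [PASS] %~1: %~2
) else (
    echo [FAIL] %~1: current=%~2 expected=%~3
    set "DRIFT=1"
)
exit /b 0
```

The script exits with 1 when drift is found and 0 otherwise, so it can run as a scheduled task whose failure status feeds a monitoring system. The 4740 lines it prints include the Caller Computer Name field, which is the source machine the article's "Monitor the Logs" bullet refers to.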
Conclusion
Setting an account lockout policy via Batch script is an essential task for any professional administrator maintaining a secure Windows environment. By utilizing the net accounts utility to automate the configuration of thresholds and timing rules, you can ensure that your workstations and servers are resistant to modern brute-force attacks. This professional approach to system hardening reduces risk, simplifies compliance auditing, and provides a clear, automated mechanism for enforcing your organization's security standards across the entire Windows ecosystem.