Home Premium Lockout Threshold and Lockout Duration

Discussion in 'Windows Vista Administration' started by travelvice, Nov 9, 2007.

  1. travelvice

    travelvice Guest

    I would like to modify the Lockout Threshold and Lockout Duration in my copy
    of Vista Home Premium, yet the Group Policy manager is not included with this
    edition of the OS. I have found successful references to the command line
    command "net accounts" for adjusting the password expiration, but am unable
    to adjust lockout settings.

    Additionally, I have found no useful references in the Group Policy
    spreadsheet published by MS
    (http://www.microsoft.com/downloads/...9b-3328-4350-ade1-c0d9289f09ef&DisplayLang=en)

    Is there a way to do this from the command line?

    Thoughts? Suggestions?
     
    travelvice, Nov 9, 2007
    #1
    1. Advertisements

  2. If you open an elevated command prompt and type "net accounts /?" you will
    be shown what parameters can be adjusted with the NET command. If the ones
    you want to modify aren't listed then they cannot be modified with the NET
    command.

    --
    Richard G. Harper [MVP Shell/User]
    * NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
    * PLEASE post all messages and replies in the newsgroups
    * The Website - http://rgharper.mvps.org/
    * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
     
    Richard G. Harper, Nov 9, 2007
    #2
    1. Advertisements

  3. Travelvice

    The Group Policy settings for this policy are in that reference. Look under
    the 'Security Settings' tab at the lower/left of the workbook.

    It appears that there is no relevant command line or registry setting for
    these policies.

    There is an article on undocumented 'net account' switches, but I believe
    this is only available in a domain and there is no documentation that these
    switches will work in Vista or even XP.

    INFO: Undocumented "Net Accounts" Switches:
    http://support.microsoft.com/kb/194739

    It appears that these 'undocumented' switches were dropped after win2000.

    You can still use the 'net accounts' command to get the current state of the
    /lockoutthreshhold, /lockoutduration, and /lockoutwindow policies.

    There just doesn't appear to be any way to change these settings except in
    the group policy or security policy snap-ins?
     
    Ronnie Vernon MVP, Nov 9, 2007
    #3
  4. travelvice

    Jimmy Brush Guest

    Hello,

    There is a way to do this from the command line. It is a bit obtuse, but it
    works :).

    OBLIGATORY WARNING: Improperly changing these settings could render your
    computer inoperable.

    Step 1 - Create the settings file

    - Open notepad
    - Copy and paste the following text (between the lines - don't include the
    lines) into notepad

    ---------------------
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [System Access]
    LockoutBadCount = 0
    ResetLockoutCount = 0
    LockoutDuration = 0
    ----------------------

    - Change the settings to what you want. Here's a quick and dirty explanation
    of the settings:

    LockoutBadCount is the account lockout threshold. It is the number of
    attempts a user has before their account is locked out. A value of 0 means
    unlimited.

    LockoutDuration is the account lockout duration. It is the number of minutes
    that the account is locked out once a lockout is triggered. If you set
    LockoutBadCount, this must have a meaningful value. A value of 0 means that
    the account is locked out until an administrator resets it.

    ResetLockoutCount is the "Reset account lockout counter after" setting. It
    is the amount of time in minutes until the lockout count resets itself to 0
    for a specific user after an unsuccessful login attempt. If you set
    LockoutBadCount, this must have a meaningful value (between 1 and 99999).

    It is recommended that LockoutDuration and ResetLockoutCount have the same
    value (unless LockoutDuration is 0).

    - In notepad, save the file to your desktop with a filename of sec.txt

    Step 2 - Load the settings

    - Click start
    - Type: cmd.exe
    - Right-click cmd.exe when it appears under the "programs" heading
    - click Run As Administrator
    - In the command prompt, type the following commands exactly as they appear:

    cd /d %userprofile%\desktop
    secedit /configure /db sec.db /cfg sec.txt /areas securitypolicy

    - You should receive a message saying the task has completed successfully
    - You can now delete the sec.db and sec.txt files on your desktop

    That should do it.

    BONUS TIP: You can see all the security settings as they are currently
    configured on your computer by issuing this command in an elevated command
    prompt:

    secedit /export /cfg sec.txt /areas securitypolicy

    This will create a settings file named sec.txt with your security policy
    settings. You can then load this file into the computer with this command:

    secedit /configure /db sec.db /cfg sec.txt /areas securitypolicy

    Note again the warning about messing up your computer by changing these
    settings.
     
    Jimmy Brush, Nov 11, 2007
    #4
  5. travelvice

    Jimmy Brush Guest

    Hello Ronnie,

    These commands still work. (Of course, I figure this out after finding
    another more complicated method of changing these values...)

    Commands are:

    net accounts /lockoutthreshold:X
    net accounts /lockoutwindow:X
    net accounts /lockoutduration:X

    Where X is a number that is applicable for the policy setting.
     
    Jimmy Brush, Nov 11, 2007
    #5
  6. travelvice

    Jimmy Brush Guest

    Actually,

    Ronnie's method still works in Vista.

    From an elevated command prompt:

    net accounts /lockoutthreshold:X
    net accounts /lockoutwindow:X
    net accounts /lockoutduration:X

    Where X is a number that is applicable for the policy setting.
     
    Jimmy Brush, Nov 11, 2007
    #6
  7. Hi Jimmy

    Thanks, I see now that I was using an invalid number when I tested this. :(

    BTW, good to see you posting here again. :)
     
    Ronnie Vernon MVP, Nov 12, 2007
    #7
  8. travelvice

    Jimmy Brush Guest

    Thanks, it's good to be back :)

    - JB

     
    Jimmy Brush, Nov 12, 2007
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.