Home Premium Lockout Threshold and Lockout Duration

[Guest]

I would like to modify the Lockout Threshold and Lockout Duration in my copy
of Vista Home Premium, yet the Group Policy manager is not included with this
edition of the OS. I have found successful references to the command line
command "net accounts" for adjusting the password expiration, but am unable
to adjust lockout settings.

Additionally, I have found no useful references in the Group Policy
spreadsheet published by MS
(http://www.microsoft.com/downloads/...9b-3328-4350-ade1-c0d9289f09ef&DisplayLang=en)

Is there a way to do this from the command line?

Thoughts? Suggestions?

 

[Richard G. Harper]

If you open an elevated command prompt and type "net accounts /?" you will
be shown what parameters can be adjusted with the NET command. If the ones
you want to modify aren't listed then they cannot be modified with the NET
command.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Ronnie Vernon MVP]

Travelvice

The Group Policy settings for this policy are in that reference. Look under
the 'Security Settings' tab at the lower/left of the workbook.

It appears that there is no relevant command line or registry setting for
these policies.

There is an article on undocumented 'net account' switches, but I believe
this is only available in a domain and there is no documentation that these
switches will work in Vista or even XP.

INFO: Undocumented "Net Accounts" Switches:
http://support.microsoft.com/kb/194739

It appears that these 'undocumented' switches were dropped after win2000.

You can still use the 'net accounts' command to get the current state of the
/lockoutthreshhold, /lockoutduration, and /lockoutwindow policies.

There just doesn't appear to be any way to change these settings except in
the group policy or security policy snap-ins?

 

[Jimmy Brush]

Hello,

There is a way to do this from the command line. It is a bit obtuse, but it
works .

OBLIGATORY WARNING: Improperly changing these settings could render your
computer inoperable.

Step 1 - Create the settings file

- Open notepad
- Copy and paste the following text (between the lines - don't include the
lines) into notepad

---------------------
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 0
ResetLockoutCount = 0
LockoutDuration = 0
----------------------

- Change the settings to what you want. Here's a quick and dirty explanation
of the settings:

LockoutBadCount is the account lockout threshold. It is the number of
attempts a user has before their account is locked out. A value of 0 means
unlimited.

LockoutDuration is the account lockout duration. It is the number of minutes
that the account is locked out once a lockout is triggered. If you set
LockoutBadCount, this must have a meaningful value. A value of 0 means that
the account is locked out until an administrator resets it.

ResetLockoutCount is the "Reset account lockout counter after" setting. It
is the amount of time in minutes until the lockout count resets itself to 0
for a specific user after an unsuccessful login attempt. If you set
LockoutBadCount, this must have a meaningful value (between 1 and 99999).

It is recommended that LockoutDuration and ResetLockoutCount have the same
value (unless LockoutDuration is 0).

- In notepad, save the file to your desktop with a filename of sec.txt

Step 2 - Load the settings

- Click start
- Type: cmd.exe
- Right-click cmd.exe when it appears under the "programs" heading
- click Run As Administrator
- In the command prompt, type the following commands exactly as they appear:

cd /d %userprofile%\desktop
secedit /configure /db sec.db /cfg sec.txt /areas securitypolicy

- You should receive a message saying the task has completed successfully
- You can now delete the sec.db and sec.txt files on your desktop

That should do it.

BONUS TIP: You can see all the security settings as they are currently
configured on your computer by issuing this command in an elevated command
prompt:

secedit /export /cfg sec.txt /areas securitypolicy

This will create a settings file named sec.txt with your security policy
settings. You can then load this file into the computer with this command:

secedit /configure /db sec.db /cfg sec.txt /areas securitypolicy

Note again the warning about messing up your computer by changing these
settings.

 

[Jimmy Brush]

Hello Ronnie,

These commands still work. (Of course, I figure this out after finding
another more complicated method of changing these values...)

Commands are:

net accounts /lockoutthreshold:X
net accounts /lockoutwindow:X
net accounts /lockoutduration:X

Where X is a number that is applicable for the policy setting.

 

[Jimmy Brush]

Actually,

Ronnie's method still works in Vista.

From an elevated command prompt:

net accounts /lockoutthreshold:X
net accounts /lockoutwindow:X
net accounts /lockoutduration:X

Where X is a number that is applicable for the policy setting.

 

[Ronnie Vernon MVP]

Hi Jimmy

Thanks, I see now that I was using an invalid number when I tested this.

BTW, good to see you posting here again.

 

[Jimmy Brush]

Thanks, it's good to be back

- JB

Hi Jimmy

Thanks, I see now that I was using an invalid number when I tested this.


BTW, good to see you posting here again.