Windows Server is crucial for businesses that deploy it to manage computers and policies. The nice part about managing servers is that you don’t have to be physically near them: you can always log in to the server remotely from anywhere. That also means somebody else can try to log in. In this post, we will share how you can configure Remote Access Client Account Lockout in Windows Server using the Registry method.
Configure Remote Access Client Account Lockout
If you are wondering why a lockout is in place, it is there to keep attackers at bay. Once configured, it blocks attackers who guess passwords and those who perform a dictionary attack. It can also be triggered by a valid user who doesn’t remember the exact password. The lockout ensures that no further attempts can be made against the account for some time, which improves overall security.
However, it can also lock out legitimate users, which can be annoying. This post will also show how to manually unlock a remote access client.
Configure the registry settings accordingly, depending on what you are using for authentication. If you are using Microsoft Windows Authentication, then configure the registry on the Remote Access Server. But if you are using RADIUS for RAS, then configure it on Internet Authentication Server or IAS.
Here is the list of things we will configure:
- Number of failed attempts before lockout
- The time after which the lockout counter is reset
Make sure to take a backup of the registry before making any changes.
Enable Remote Access Client Account Lockout
To enable Remote Access Client Account Lockout, follow these steps:
- Press Win+R > type regedit > hit the Enter button.
- Navigate to AccountLockout in HKLM.
- Double-click on MaxDenials.
- Enter a value above 0.
- Double-click on ResetTime (mins).
- Enter a value in Decimal format.
- Click the OK button.
- Close all windows and restart your PC.
To learn more about these steps, continue reading.
To get started, you need to open the Registry Editor. For that, press Win+R to open the Run prompt, type regedit, and hit Enter.
Then, navigate to this path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
Double-click on the MaxDenials REG_DWORD value and set its Value data to a number above 0.
The value you enter is the number of failed attempts allowed. So, if you set it to two, the third attempt will result in a lockout. Click OK to confirm.
Next, double-click on the ResetTime (mins) value, which is displayed in hexadecimal. For convenience, select the Decimal option and enter the value that way.
The default value is two days, so make sure to set it according to your company’s policy.
Click the OK button, close all windows, and restart your PC.
Registry Editing to manually unlock a Remote Access Client
Suppose you have a locked account and need to unlock it because the lockout timeout is pretty long. Every time a user is locked out, an entry is created under the AccountLockout key in the format DomainName:UserName. To remove the lock, you need to delete that entry.
- Open the Registry Editor and navigate to the following path.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
- Find the Domain Name:User Name value, and then delete the entry.
- Quit Registry Editor and check whether the user account can log in with the right credentials.
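The two procedures above (setting MaxDenials and ResetTime (mins), and deleting a DomainName:UserName entry) can also be scripted. The following PowerShell is an added example, not part of the original post; the threshold of 5, the 60-minute window and the sample account name are assumptions to replace with your own policy values.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$MaxDenials = 5      # assumed policy value: failed attempts allowed before lockout
$ResetMins  = 60     # assumed policy value: minutes until the failed-attempt counter resets
$UnlockUser = $null  # set to a DomainName:UserName entry, e.g. 'CONTOSO:jdoe' (constructed)

if (-not (Test-Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

# 1. Back up the key first; stop if the export fails.
$Backup = Join-Path $env:TEMP ('AccountLockout-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export ($KeyPath -replace '^HKLM:', 'HKLM') $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes were made.' }
Write-Output "Backup written to $Backup"

# 2. Report the current settings before changing them.
$Settings = 'MaxDenials', 'ResetTime (mins)'
$Key = Get-Item -Path $KeyPath
foreach ($Name in $Settings) {
    Write-Output ('Current {0} = {1}' -f $Name, $Key.GetValue($Name))
}

# 3. List locked-out accounts: value names in DomainName:UserName form.
#    A burst of entries here is worth reviewing as possible password guessing.
$Locked = @($Key.GetValueNames() |
    Where-Object { $_ -notin $Settings -and $_ -match '^[^:]+:[^:]+$' })
Write-Output ('Locked-out accounts: {0}' -f $Locked.Count)
$Locked | ForEach-Object { Write-Output "  $_" }

# 4. Apply the lockout threshold and the counter reset window as DWORD values.
New-ItemProperty -Path $KeyPath -Name 'MaxDenials' -PropertyType DWord `
    -Value $MaxDenials -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'ResetTime (mins)' -PropertyType DWord `
    -Value $ResetMins -Force | Out-Null

# 5. Optionally unlock one account, but only if it is actually listed as locked.
if ($UnlockUser) {
    if ($Locked -contains $UnlockUser) {
        Remove-ItemProperty -Path $KeyPath -Name $UnlockUser
        Write-Output "Removed lockout entry for $UnlockUser"
    } else {
        Write-Warning "$UnlockUser has no lockout entry; nothing removed."
    }
}
```

As in the manual steps, restart the server after changing MaxDenials or ResetTime (mins).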
That’s about it. Always make sure to back up registry settings before you make any changes.
I hope the post gave you clear insight into how to configure lockout and unblock a remote client.
Which Windows tool would you use to configure an account lockout policy?
You can use the Local Group Policy Editor to configure an account lockout policy in Windows 11/10. Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy. Double-click on each of the four settings and set the values according to your requirements.
How to set an account lockout threshold for Microsoft Windows?
If you use Windows 11/10, you can open Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy in the Local Group Policy Editor and double-click on the Account lockout threshold setting to set the value you want. However, if you use Windows Server, you can open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout and double-click on MaxDenials. Then, set a value above zero.