Clarification on "Reset account lockout counter after" account policy setting timing

  • Last Post 02 March 2016
JasonH posted this 02 March 2016

Hello all,

The Microsoft description for the setting "Reset account lockout counter after" reads:
“This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.”

 

I’m curious if this means the length of time until the counter resets after the *first* failed logon attempt or the *most recent* failed logon attempt.

For example, assume the account lockout policies are as follows:

- Account lockout threshold:  3 invalid logon attempts

- Account lockout duration: 15 minutes

- Reset account lockout counter after: 15 minutes

 

Example scenario:

userA has a failed logon attempt at 8:00am, the counter will reset at 8:15am (because the Reset account lockout counter after is set to 15 minutes.)  But then userA has another bad logon attempt (the second of three invalid logon attempts) at 8:14am (a minute before the counter was to reset), does the counter now bump up by 15 minutes again to reset at 8:29am thus giving userA one more chance of the original three until 8:29am? Or is the counter reset still set for the original 8:15am (15 minutes from the first invalid logon attempt?)

ZJORZ posted this 02 March 2016

It is the period of time after the last failed attempt



Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto



E-Mail:

JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx



Tel.: +31-(0)6-26.26.62.80



(+++Sent from my mobile device +++)


(Apologies for any typos)


kennedyjim posted this 02 March 2016

I think of that setting as ‘total time frame a fail counts against you’.

 

So set at 15 minutes:

 

10:00 Fail

10:05 Fail

10:10 Fail

Locked out.

 

 

10:00 Fail

10:05 Fail

10:16 Fail

Not locked out and you currently have two strikes against you.

10:17 Fail

Now you got three, you are locked.
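The three readings of the setting raised in this thread (timer fixed at the first failure, timer restarted by the most recent failure, and each failure counting for its own 15 minutes) can be compared by replaying the timelines above. This is an added example, not code from any poster or from Microsoft, and it makes no claim about which reading Windows implements. Assumptions: the model names `first`, `last` and `sliding` are hypothetical labels, the 08:20 third attempt is constructed, and lockout duration is ignored.

```python
from datetime import datetime, timedelta

THRESHOLD = 3                    # Account lockout threshold from the question
WINDOW = timedelta(minutes=15)   # Reset account lockout counter after

def _t(hhmm):
    return datetime.strptime(hhmm, "%H:%M")

def lockout_time(failures, model):
    """Replay failed logons (HH:MM strings, ascending) under one reading.

    model: "first"   - reset timer is fixed at the first counted failure
           "last"    - every failure restarts the reset timer
           "sliding" - each failure counts against the user for WINDOW
    Returns the HH:MM of the failure that locks the account, or None.
    """
    count, anchor, recent = 0, None, []
    for stamp in failures:
        now = _t(stamp)
        if model == "sliding":
            # Drop failures older than the window, then add this one.
            recent = [t for t in recent if now - t < WINDOW] + [now]
            count = len(recent)
        else:
            # Counter resets once the timer started at `anchor` has run out.
            if anchor is not None and now - anchor >= WINDOW:
                count = 0
            if model == "last" or count == 0:
                anchor = now
            count += 1
        if count >= THRESHOLD:
            return stamp
    return None

# Timelines from the thread; the 08:20 attempt is a constructed third failure.
QUESTION = ["08:00", "08:14", "08:20"]
STRIKES = ["10:00", "10:05", "10:16", "10:17"]

if __name__ == "__main__":
    for name, timeline in (("question", QUESTION), ("strikes", STRIKES)):
        for model in ("first", "last", "sliding"):
            print(name, model, lockout_time(timeline, model))
```

The timelines are chosen so the readings disagree: only `last` locks the account at 08:20 and at 10:16, while `sliding` reproduces the "two strikes at 10:16, locked at 10:17" sequence.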