Accounts: Lockout duration must be configured to 15 minutes or greater


The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.


To fix this configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Account Policies
|_ Account Lockout Policy
|_ "Account lockout duration" to "15" minutes or greater.

Stig: Server:
2019: /
2016: /

W10: /

Nist 800-53: AC-7, AC-19
Nist 800-171a: 3.1.8[a], 3.1.8[b]
Nist 800-171AR3: A.03.01.08, A.03.01.08.ODP[01] A.03.01.08.ODP[02]
CMMC v2.1: AC.L2-3.1.8
PCI DSS v3.2: 8.1.6, 8.1.7
PCI DSS v4.0: 8.3.4
CSCv7: 16.2, 16.11