Data type: REG_DWORD
Range: 0 | 1
Default value: 0


Determines how many attempts to authenticate a user account can fail before the user is denied dial-in access to the server. Authentication fails when a user enters an incorrect password for a valid user name.

This entry also enables and disables the Account Lockout feature of Routing and Remote Access service. If the value of this entry is greater than 0, the Account Lockout feature is enabled on this computer. Otherwise, it is disabled.

When the number of denials (failed attempts) for an account exceeds the value of MaxDenials within the time specified by the value of ResetTime (mins), the user account is locked. The system does not process any subsequent dial-in authentication attempts until the value of ResetTime (mins) expires, or an administrator deletes the user's <domain>:<user-name> subkey or sets the value of Denials for that account to 0 (or less than the value of MaxDenials).

Consider increasing the value of this entry if your server is the target of malicious attempts to gain access to your system. However, because Account Lockout can prevent legitimate users from gaining access to their accounts, it should not be used unless it is needed.

Note

Account lockout prevents all dial-in access to a locked user account, not just access from the computer that submitted the failed authentication.

Tip

To disable Account Lockout or reset all user denial counts to 0 while the server is running, set the value of MaxDenials to 0. If you delete the AccountLockout subkey or the <domain>:<user-name> subkey for a user, the service does not detect the change until the system is restarted.
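The lockout state described above can be read back from the registry. The following PowerShell is an added example, not Microsoft's code: the function names are hypothetical, the path of the AccountLockout subkey is not given on this page and must be supplied by the caller, and the script assumes each `<domain>:<user-name>` subkey holds its count in a value named Denials.

```powershell
# Added example. $LockoutKey is the registry-provider path of the AccountLockout
# subkey; this page does not state it, so the caller supplies it.
function Get-RasLockoutState {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$LockoutKey)

    $key = Get-Item -LiteralPath $LockoutKey -ErrorAction Stop
    $max = [int]$key.GetValue('MaxDenials', 0)
    if ($max -le 0) {
        Write-Warning 'MaxDenials is 0: Account Lockout is disabled on this server.'
    }
    foreach ($name in $key.GetSubKeyNames()) {          # one subkey per <domain>:<user-name>
        $sub = $key.OpenSubKey($name)
        try     { $denials = [int]$sub.GetValue('Denials', 0) }  # assumed value location
        finally { $sub.Close() }

        # The text locks an account when Denials "exceeds" MaxDenials and unlocks it
        # when Denials is "less than" MaxDenials, so equality is reported separately.
        if     ($max -le 0)        { $state = 'LockoutDisabled' }
        elseif ($denials -gt $max) { $state = 'Locked' }
        elseif ($denials -eq $max) { $state = 'AtThreshold' }
        else                       { $state = 'Open' }

        [pscustomobject]@{
            Account = $name; Denials = $denials; MaxDenials = $max; State = $state
        }
    }
}

function Reset-RasLockoutDenials {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LockoutKey,
        [Parameter(Mandatory)][string]$Account          # e.g. 'EXAMPLE:jdoe' (constructed)
    )
    $key = Get-Item -LiteralPath $LockoutKey -ErrorAction Stop
    $sub = $key.OpenSubKey($Account, $true)             # open the account subkey writable
    if (-not $sub) { throw "No lockout subkey for '$Account'." }
    try {
        # Writes Denials = 0 rather than deleting the subkey, because a deletion
        # is not detected until the system is restarted.
        if ($PSCmdlet.ShouldProcess($Account, 'Set Denials to 0')) {
            $sub.SetValue('Denials', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $sub.Close() }
}
```

Run `Reset-RasLockoutDenials` with `-WhatIf` first to confirm which account would be changed. The registry does not expose when the ResetTime (mins) window started, so the reported state reflects the stored count only.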
