Configuring remote access client accounts for lockout
Here’s the procedure for configuring remote access client accounts for lockout. Keep in mind that remote access account lockout is tracked separately from the Active Directory account lockout policy: it lives in the registry of the server that performs the authentication and does not lock the user’s domain account. If your RAS server uses Windows authentication, edit the registry on the RAS server; if it uses RADIUS authentication, edit the registry on the RADIUS (IAS) server instead, because that is where the failed attempts are counted. One caveat before you turn it on: lockout is keyed on the user name presented by the client, so anyone who knows or can guess valid user names can deliberately lock legitimate users out of remote access. Pick MaxDenials and the reset time with that denial-of-service risk in mind. Here’s the step-by-step procedure.
1. Run regedt32.exe
2. Go to HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout. By default the MaxDenials value (a DWORD) is set to 0, meaning account lockout is disabled. Enter a new value (e.g. 3) for MaxDenials to set the number of failed attempts allowed before the account is locked out.
3. Double-click “ResetTime (mins)” and enter a new value in minutes. The default is 0xb40 in hexadecimal, which is 2,880 minutes, or two days. You can leave this value alone, in which case a locked-out account won’t be reset for two days, or enter a shorter period, such as 60 minutes, to unlock the account automatically after one hour. If you type a decimal value in the registry editor, make sure the editor is set to decimal rather than hexadecimal first.
4. You can wait for the reset timer to clear the lockout, depending on the value you configured, or you can unlock the account manually. To manually unlock a remote access user’s account, delete the subkey named for that user under the AccountLockout key, i.e. HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\<domain name>:<user name>. Delete only that per-user subkey; deleting the AccountLockout key itself would remove the MaxDenials and ResetTime (mins) settings you just configured.
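The same procedure scripted in PowerShell, as an added example that is not part of the original article. It uses the registry path and value names given above and the documented per-user subkey naming under AccountLockout; the threshold values, the function names and the sample domain and user names (CONTOSO, jdoe) are assumptions for illustration. Run it elevated on the server that performs the authentication (the RAS server for Windows authentication, the IAS server for RADIUS).

```powershell
# Added example, not from the original article. Configures RRAS remote access
# account lockout and lists / clears per-user lockout records. Must run elevated
# on the server that authenticates the remote access clients.

$LockoutPath = 'SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$LockoutKey  = "HKLM:\$LockoutPath"

function Set-RasAccountLockout {
    # MaxDenials 0 disables lockout; ResetTimeMinutes is the auto-unlock window.
    param(
        [Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$MaxDenials,
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$ResetTimeMinutes
    )
    if (-not (Test-Path -LiteralPath $LockoutKey)) {
        New-Item -Path $LockoutKey -Force | Out-Null
    }
    # -Force overwrites the existing DWORD values; note the space in 'ResetTime (mins)'.
    New-ItemProperty -LiteralPath $LockoutKey -Name 'MaxDenials' `
        -PropertyType DWord -Value $MaxDenials -Force | Out-Null
    New-ItemProperty -LiteralPath $LockoutKey -Name 'ResetTime (mins)' `
        -PropertyType DWord -Value $ResetTimeMinutes -Force | Out-Null
    # Read back what is now in effect.
    Get-ItemProperty -LiteralPath $LockoutKey | Select-Object MaxDenials, 'ResetTime (mins)'
}

function Get-RasLockoutRecord {
    # Each failed-attempt / lockout record is a subkey named "<domain>:<user>".
    # The .NET registry API is used because the colon in the subkey name is
    # awkward to handle through PowerShell path syntax.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($LockoutPath)
    if ($null -eq $base) { return }
    try {
        foreach ($name in $base.GetSubKeyNames()) {
            $domain, $user = $name -split ':', 2
            [pscustomobject]@{ Domain = $domain; User = $user; SubKey = $name }
        }
    } finally { $base.Close() }
}

function Unlock-RasAccount {
    # Deletes only the per-user subkey, leaving MaxDenials and ResetTime (mins) intact.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User
    )
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($LockoutPath, $true)
    if ($null -eq $base) { throw "AccountLockout key not found; is RRAS/IAS installed here?" }
    try {
        $name = "${Domain}:${User}"
        if ($base.GetSubKeyNames() -contains $name) {
            $base.DeleteSubKeyTree($name)
            Write-Output "Cleared remote access lockout record for $name"
        } else {
            Write-Warning "No lockout record for $name on this server"
        }
    } finally { $base.Close() }
}

# Example usage (assumed values): 3 failed attempts, auto-reset after 60 minutes.
Set-RasAccountLockout -MaxDenials 3 -ResetTimeMinutes 60
Get-RasLockoutRecord
Unlock-RasAccount -Domain 'CONTOSO' -User 'jdoe'
```

Run Get-RasLockoutRecord on the authenticating server during an incident to see which accounts are being hammered; a burst of records for many different users is a sign of someone spraying credentials (or deliberately locking users out) rather than a single mistyped password.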