Session Lock Issue on Windows After Multiple Failed Login Attempts
When an Account Lockout Policy is in force, Windows locks an account after a run of failed logon attempts; the user sees "The referenced account is currently locked out and may not be logged on to", or a locked session that will not unlock even with the right password. The lockout usually recurs because something other than the user (a service, a scheduled task, a saved credential, a phone) keeps presenting an old password. This guide explains how to unlock the account, find what is triggering the lockouts, and tune the policy.
What Causes Account Lockout?
When Account lockout threshold is set to anything other than 0, Windows locks an account once that many bad-password attempts arrive within the reset window. The purpose is to slow brute-force and password-spraying attacks. The counter is kept per account, not per source, so every client that presents a stale password counts toward it, including:
- RDP (Remote Desktop) - Remote Desktop connections (with Network Level Authentication the failure is logged as a network logon)
- File shares - SMB/CIFS connections, including mapped drives that reconnect at logon
- Web applications - IIS sites using Windows authentication (Integrated, NTLM, Basic)
- SSH - Windows OpenSSH Server with password authentication
Check Account Lockout Status
Method 1: Command Line
Open PowerShell as Administrator (reading the Security log requires elevation):
# Check if an account is locked: "Account active" reads "Locked" while the lockout is in effect
# (add /domain for a domain account; the answer then comes from a domain controller)
net user username
# List the most recent lockout events. For domain accounts run this on the PDC emulator:
# 4740 is written on the domain controllers, not on the client that sent the bad password.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 10
Method 2: Event Viewer
- Open Event Viewer (eventvwr.msc)
- Navigate to Windows Logs → Security
- Look for these Event IDs (4625 and 4776 appear on the machine that validated the credential; 4740 and 4771 are written on the domain controller, and every lockout is also forwarded to the PDC emulator):
- 4625 - Failed logon attempt (carries Logon Type, Workstation Name, Source Network Address, Process Name and a Sub Status such as 0xC000006A for a wrong password)
- 4740 - Account locked out ("Caller Computer Name" is the machine that sent the last bad password)
- 4771 - Kerberos pre-authentication failed (failure code 0x18 = bad password for a domain account; Client Address shows the source)
- 4776 - NTLM credential validation (error code 0xC000006A = wrong password, 0xC0000234 = account already locked)
Solution 1: Unlock Account Manually
Using Command Line
# Re-enable a DISABLED local account; this does NOT clear a lockout
net user username /active:yes
# Unlock a locked-out local account (there is no Unlock-LocalUser cmdlet; use the WinNT ADSI provider)
$u = [ADSI]"WinNT://./username,user"; $u.IsAccountLocked = $false; $u.SetInfo()
# Unlock a domain account (RSAT ActiveDirectory module)
Unlock-ADAccount -Identity username
Using Computer Management
- Open Computer Management (compmgmt.msc); this path applies to local accounts only
- Navigate to Local Users and Groups → Users
- Right-click locked user → Properties
- On the General tab, clear Account is locked out (the box is greyed out unless the account really is locked; Account is disabled is a different state and should stay as it was)
- Click OK
Using Active Directory (Domain)
- Open Active Directory Users and Computers
- Find the locked user account
- Right-click → Properties
- Go to Account tab
- Tick Unlock account (the label also names the domain controller on which the lockout was recorded; older versions show the box as Account is locked out, which you clear instead)
- Click OK
Unlocking clears the state but not the cause: if a stale credential is still being replayed, the account locks again as soon as the threshold is reached. Identify the source (Solution 3) before or right after unlocking.
Solution 2: Adjust Account Lockout Policy
View Current Policy
# Export the local security policy; the lockout values appear under [System Access] as
# LockoutBadCount (threshold), LockoutDuration and ResetLockoutCount (reset window)
secedit /export /cfg C:\policy.txt
type C:\policy.txt | findstr /i "lockout"
Or using Group Policy Editor:
- Open gpedit.msc (Local Group Policy Editor)
- Navigate to: Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
Modify Lockout Policy
Local Security Policy (secpol.msc) governs only the local accounts of that machine. For domain accounts the settings must live in the GPO linked at the domain root (normally Default Domain Policy), under the same path, or in a fine-grained password policy (PSO) targeted at specific users or groups; a setting in a server-level GPO or in secpol.msc does not change the domain policy.
- Open Local Security Policy (secpol.msc), or edit the domain GPO in Group Policy Management
- Navigate to Account Policies → Account Lockout Policy
- Double-click Account lockout threshold
- Set the number of invalid attempts (e.g., 10), or 0 to disable lockout
- Configure:
- Account lockout duration - How long the account stays locked, in minutes (0 = until an administrator unlocks it)
- Reset account lockout counter after - Minutes without a failure before the bad-password count returns to 0; must be less than or equal to the lockout duration when the duration is not 0
Recommended settings (Microsoft's security baseline uses 10 attempts, 15 minutes, 15 minutes):
- Threshold: 10 invalid attempts (5 at the strictest; lower values lock users out for ordinary typos, higher values give a password spray more room per account)
- Duration: 15-30 minutes (a finite duration limits the denial of service an attacker can cause by guessing on purpose)
- Reset counter: 15-30 minutes, never longer than the duration
Using Command Line
# Set lockout threshold (0 = disabled). 'net accounts' changes the local policy; add /domain to
# change the domain policy on the PDC emulator.
net accounts /lockoutthreshold:10
# Set lockout duration in minutes (0 = until an administrator unlocks)
net accounts /lockoutduration:30
# Set the reset window in minutes (must not exceed the duration)
net accounts /lockoutwindow:30
On a domain-joined machine any GPO that defines these settings writes them back at the next policy refresh, so make lasting changes in the GPO, not here.
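The following script is an added example, not part of the original guide. It reports the lockout policy that actually applies (the local policy from net accounts, and in a domain either the Default Domain Policy or the fine-grained policy that wins for a given user) and flags values that fall outside the baseline guidance above. It assumes the RSAT ActiveDirectory module for the domain part; the thresholds it warns about are the ones discussed in this section, not values from the page's own tooling.

```powershell
# Added example (not from the original guide): show the lockout policy that actually applies and
# flag values outside Microsoft's security baseline (threshold 10, duration 15 min, reset 15 min).
# The domain part assumes the RSAT ActiveDirectory module; the local part parses 'net accounts'.
param([string]$User)   # optional domain user, to resolve a fine-grained password policy (PSO)

function Get-LocalLockoutPolicy {
    # 'net accounts' reports the policy for local accounts on this machine; "Never" means threshold 0
    $lines = net accounts
    $read = {
        param([string]$Label)
        $v = ($lines | Where-Object { $_ -like "$Label*" }) -replace '^[^:]+:\s*', ''
        if ($v -eq 'Never') { 0 } else { [int]$v }
    }
    [pscustomobject]@{
        Scope     = "Local policy on $env:COMPUTERNAME"
        Threshold = & $read 'Lockout threshold'
        Duration  = & $read 'Lockout duration (minutes)'
        Window    = & $read 'Lockout observation window (minutes)'
    }
}

function Get-DomainLockoutPolicy([string]$User) {
    Import-Module ActiveDirectory -ErrorAction Stop
    # A PSO applied to the user or one of their groups overrides the Default Domain Policy
    $p = $null
    if ($User) { $p = Get-ADUserResultantPasswordPolicy -Identity $User }
    $scope = if ($p) { "PSO '$($p.Name)' applied to $User" } else { 'Default Domain Policy' }
    if (-not $p) { $p = Get-ADDefaultDomainPasswordPolicy }
    [pscustomobject]@{
        Scope     = $scope
        Threshold = [int]$p.LockoutThreshold
        Duration  = [int]$p.LockoutDuration.TotalMinutes
        Window    = [int]$p.LockoutObservationWindow.TotalMinutes
    }
}

function Test-LockoutPolicy($Policy) {
    # Emits one line per weak or operationally risky value; nothing emitted means it looks sane
    $t = $Policy.Threshold; $d = $Policy.Duration; $w = $Policy.Window
    if ($t -eq 0)  { "threshold 0: lockout disabled, online password guessing is unlimited"; return }
    if ($t -lt 5)  { "threshold ${t}: ordinary typos will lock users out" }
    if ($t -gt 20) { "threshold ${t}: gives a password spray a lot of room per account" }
    if ($d -eq 0)  { "duration 0: every lockout needs an admin, so deliberate bad guesses deny service" }
    if ($w -lt 15) { "reset window ${w} min: guesses spaced more than ${w} min apart never reach the threshold" }
    if ($d -ne 0 -and $w -gt $d) { "reset window ${w} min exceeds duration ${d} min, which Windows normally refuses" }
}

$policies = @(Get-LocalLockoutPolicy)
if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
    try { $policies += Get-DomainLockoutPolicy -User $User } catch { Write-Warning "Domain policy unavailable: $_" }
}
foreach ($p in $policies) {
    $p | Format-List | Out-String | Write-Output
    $issues = @(Test-LockoutPolicy $p)
    if ($issues) { $issues | ForEach-Object { Write-Warning "$($p.Scope): $_" } }
    else { Write-Output "  OK: within baseline guidance" }
}
```

Run it as `.\Check-LockoutPolicy.ps1 -User jdoe` on a domain member with RSAT to see whether a PSO, rather than the Default Domain Policy, is what locks that user; on a workgroup machine only the local block is printed. The "Never" branch matters: net accounts prints the word instead of 0 when lockout is disabled, which is exactly the case you most want the check to catch.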
Solution 3: Identify Lockout Source
Check Event Logs
Find what is causing the lockouts. The 4740 event names the Caller Computer Name, the machine that sent the last bad password to the domain controller (a file server, RDP host or IIS box, not necessarily the end client). The 4625 events on that machine around the same time show the Logon Type, Process Name and Source Network Address that identify the client or program behind it:
# Filter lockout events (for domain accounts run this on the PDC emulator; 4740 is not written on the client)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 10 |
Format-List TimeCreated, Message
# Check failed logon attempts on the caller computer named in the 4740
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 200 |
Where-Object {$_.Message -like "*username*"} |
Format-List TimeCreated, Message
Common Causes
- Stored credentials - Old passwords saved in Credential Manager (including TERMSRV/<server> entries saved by Remote Desktop)
- Scheduled tasks - Tasks configured to run as the user with a stored password (Logon Type 4 in 4625)
- Services - Services running under the user account with an old password (Logon Type 5 in 4625)
- Mapped drives - Network drives that reconnect at logon with a saved credential
- Mobile devices - Phones and tablets with an old mail or Wi-Fi password
- IIS application pools and COM+ applications - Configured with the user's identity and password
- Disconnected sessions - An RDP or console session left disconnected on another machine keeps running programs that authenticate with the old password
Solution 4: Clear Stored Credentials
Windows Credential Manager
Credential Manager is per user profile: check it as the user whose account locks, on every machine that user signs in to (especially the Caller Computers named in 4740).
- Open Credential Manager (control /name Microsoft.CredentialManager)
- Go to Windows Credentials
- Remove all entries related to the server, including TERMSRV/<server> entries saved by Remote Desktop
- Go to Generic Credentials
- Remove related entries
Using Command Line
# List stored credentials (of the current user)
cmdkey /list
# Delete a specific credential: use the name after "target=" in the listing, e.g. TERMSRV/server01
cmdkey /delete:targetname
# Delete all stored credentials of the current user (use with caution). Only the "Target:" lines of
# the listing name a credential, so each line must be parsed; piping raw lines to /delete fails.
cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(?:.*?target=)?(.+)$') { cmdkey /delete:$($Matches[1].Trim()) }
}
Solution 5: Check Services and Scheduled Tasks
Check Services
# Find services running under the user account (Get-CimInstance replaces the deprecated Get-WmiObject)
Get-CimInstance Win32_Service |
Where-Object {$_.StartName -like "*username*"} |
Format-Table Name, StartName, State, StartMode
A service that still holds the old password fails to start and logs a 4625 with Logon Type 5 on that host. Update the service credentials if needed:
# Change the service account. The space after each '=' is required, and the password lands in the
# shell history, so prefer services.msc (Log On tab) on shared systems.
sc.exe config ServiceName obj= "DOMAIN\username" password= "password"
Check Scheduled Tasks
# Find tasks running under the user account; a stale task password shows up as Logon Type 4 (Batch) in 4625
Get-ScheduledTask |
Where-Object {$_.Principal.UserId -like "*username*"} |
Format-Table TaskPath, TaskName, @{n='RunAs';e={$_.Principal.UserId}}, @{n='LogonType';e={$_.Principal.LogonType}}, State
Only tasks whose LogonType is Password store a password (S4U and ServiceAccount tasks do not), and those must be updated after every password change: open the task's Properties → General in Task Scheduler and re-enter the account, or set the new password with schtasks /change /tn <TaskName> /rp.
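Solutions 4 and 5 each cover one hiding place for a stale password. The script below is an added example, not part of the original guide, that checks all of them on one host in a single pass: services, scheduled tasks, the current user's Credential Manager vault, mapped drives and IIS application pools. Run it on each machine that 4740 names as Caller Computer. The IIS part assumes the WebAdministration module and is skipped when IIS is not installed; the function name is an assumption for the example.

```powershell
# Added example (not from the original guide): find every place on this host that can replay an
# old password for one account. Run it on each machine that 4740 names as Caller Computer. The
# IIS check assumes the WebAdministration module and is skipped when IIS is absent.
param([Parameter(Mandatory)][string]$User)   # 'CONTOSO\jdoe', 'jdoe@contoso.com' or 'jdoe'

function Find-StoredAccountUsage {
    param([string]$User)
    # Match on the bare account name so DOMAIN\user, user@domain and user all hit
    $name = if ($User -match '\\') { $User.Split('\')[-1] } elseif ($User -match '@') { $User.Split('@')[0] } else { $User }
    $pattern = "*$name*"
    $found = New-Object System.Collections.Generic.List[object]
    $add = { param($Kind, $Name, $RunsAs, $Detail)
        $found.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; RunsAs = $RunsAs; Detail = $Detail }) }

    # Services: a stale service password fails at start-up and logs 4625 with Logon Type 5
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -like $pattern } | ForEach-Object {
        & $add 'Service' $_.Name $_.StartName "state $($_.State), start $($_.StartMode)"
    }
    # Scheduled tasks: only LogonType 'Password' stores a password; stale ones log Logon Type 4
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -like $pattern } | ForEach-Object {
        & $add 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $_.Principal.UserId "logon type $($_.Principal.LogonType), $($_.State)"
    }
    # Credential Manager is per profile: this sees the CURRENT user's vault only.
    # cmdkey /list prints a "Target:" line followed by "Type:" and "User:" lines per credential.
    $target = $null
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $target = $Matches[1].Trim() }
        elseif ($_ -match '^\s*User:\s*(.+)$' -and $Matches[1] -like $pattern) {
            & $add 'SavedCredential' $target $Matches[1].Trim() "remove: cmdkey /delete:$($target -replace '^.*target=', '')"
        }
    }
    # Mapped drives reconnect at logon with the mapping user's credential
    if ($env:USERNAME -like $pattern) {
        Get-SmbMapping -ErrorAction SilentlyContinue | ForEach-Object { & $add 'MappedDrive' $_.LocalPath $env:USERNAME $_.RemotePath }
    }
    # IIS application pools running with a custom identity
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.userName -like $pattern } | ForEach-Object {
            & $add 'IISAppPool' $_.Name $_.processModel.userName "identityType $($_.processModel.identityType)"
        }
    }
    return $found
}

$hits = Find-StoredAccountUsage -User $User
if ($hits.Count) { $hits | Format-Table Kind, Name, RunsAs, Detail -AutoSize -Wrap }
else { "Nothing on $env:COMPUTERNAME is configured with '$User'. Check Credential Manager as the other users of this machine, and the other Caller Computers." }
```

Because the Credential Manager vault is per profile, run the script once as each user who signs in to the machine, or at least as the locked-out user; services, tasks and IIS pools are machine-wide and need only one elevated run.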
Solution 6: Disable Account Lockout (Not Recommended)
Only on isolated test systems, or briefly while you trace a stale credential that keeps locking a critical account:
# Set threshold to 0 (disables lockout)
net accounts /lockoutthreshold:0
Warning: With the threshold at 0 an attacker can try passwords without limit, so this trades a denial-of-service problem for a password-guessing one. Keep MFA and alerting on bursts of 4625 in place, and restore the threshold as soon as the source is fixed.
Prevention
Best Practices
- Strong passwords - Long, unique passwords or passphrases make guessing impractical, so an attacker rarely reaches the threshold at all
- Password changes - Do not force periodic expiration; Microsoft removed it from its security baseline in 2019 and NIST SP 800-63B advises against it, because every forced change is another chance for a service, task or device to keep the old password. Rotate on suspicion of compromise, and update every stored copy when you do
- Multi-factor authentication - Add MFA where possible; a guessed password then becomes a failed logon rather than a breach
- Monitor lockouts - Alert on 4740 on the PDC emulator, and on bursts of 4625 from one source address, which is what a password spray looks like
- Update credentials - Keep every stored credential current; a single stale copy is enough to lock the account over and over
- Limit login attempts - Keep a lockout threshold in force (10 in Microsoft's baseline) with a finite duration, so a spray is slowed but a stale credential cannot deny service indefinitely
Monitoring Script
Create a monitoring script to alert on lockouts. Run it on the PDC emulator (every lockout in the domain is recorded there) from a scheduled task, for example every five minutes; it remembers the last record it reported, so each lockout is alerted exactly once instead of re-reporting the newest event on every run:
# Monitor lockout events
$stateFile = "$env:ProgramData\lockout-monitor.last"   # remembers the last reported RecordId
$last = if (Test-Path $stateFile) { [int64](Get-Content $stateFile) } else { 0 }
$new = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 100 -ErrorAction SilentlyContinue |
Where-Object { $_.RecordId -gt $last } | Sort-Object RecordId
foreach ($e in $new) {
    Write-Host "Account lockout detected: $($e.Message)"
    # Send email alert, log to file, etc.
}
if ($new) { $new[-1].RecordId | Set-Content $stateFile }
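Polling leaves a gap of up to one interval between the lockout and the alert. The script below is an added example, not part of the original guide, that registers an event-triggered scheduled task instead: Task Scheduler starts a handler the moment a 4740 is written, and the handler records who was locked and from where. Register it on the PDC emulator. The directory, task name, handler file and CSV layout are assumptions for the example.

```powershell
# Added example (not from the original guide): an event-triggered task that runs the moment a
# 4740 is written, instead of polling. Register it on the PDC emulator, which receives every
# lockout in the domain. Paths, the task name and the CSV format are assumptions for the example.
$dir     = "$env:ProgramData\LockoutAlert"
$handler = "$dir\On-Lockout.ps1"
$logFile = "$dir\lockouts.csv"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Handler: runs as SYSTEM, reads the newest 4740 (the one that fired the trigger) and records who
# was locked and from where. Replace Export-Csv with Send-MailMessage, a webhook or your SIEM forwarder.
$handlerBody = @'
$e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
$data = ([xml]$e.ToXml()).Event.EventData.Data
$field = { param($Name) ($data | Where-Object { $_.Name -eq $Name }).'#text' }
[pscustomobject]@{
    Time   = $e.TimeCreated.ToString('u')
    User   = & $field 'TargetUserName'
    Caller = & $field 'TargetDomainName'   # 4740 stores the Caller Computer Name in this field
    DC     = $env:COMPUTERNAME
} | Export-Csv -Path '__LOGFILE__' -Append -NoTypeInformation
'@
$handlerBody.Replace('__LOGFILE__', $logFile) | Set-Content -Path $handler -Encoding UTF8

# Trigger on Event ID 4740 in the Security log. New-ScheduledTaskTrigger has no option for event
# triggers, so the MSFT_TaskEventTrigger CIM class is instantiated directly.
$ns      = 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass (Get-CimClass -Namespace $ns -ClassName MSFT_TaskEventTrigger) -ClientOnly
$trigger.Subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4740)]]</Select></Query></QueryList>'
$trigger.Enabled = $true

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$handler`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances Queue   # a burst of lockouts is queued, not dropped

Register-ScheduledTask -TaskName 'Alert-AccountLockout' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null
"Registered task Alert-AccountLockout; each lockout is appended to $logFile"
```

The handler reads "the newest 4740" rather than the exact event that fired it, so if several accounts lock within the same second one row may repeat while another is missed; that is acceptable for an alert, and the 4740 query from Solution 3 recovers the full list. The handler runs as SYSTEM because reading the Security log requires it, so keep the handler file writable by administrators only: anything that can edit it runs with that privilege on the domain controller.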
Troubleshooting Remote Desktop
If RDP is causing lockouts:
- Identify the channel in 4625. With Network Level Authentication (the default) a bad RDP password is logged on the target server as Logon Type 3; without NLA it is Logon Type 10. In both cases Source Network Address is the real client.
- Clear saved RDP credentials. mstsc stores them in Credential Manager under TERMSRV/<hostname>, and a stale entry re-sends the old password on every connection attempt. The bitmap cache under Terminal Server Client\Cache holds screen data, not credentials; clearing it is harmless but does not stop lockouts.
# List and remove the saved RDP credential for a server
cmdkey /list | findstr TERMSRV
cmdkey /delete:TERMSRV/hostname
# Clears only the RDP bitmap cache (screen data, no credentials)
Remove-Item "$env:APPDATA\Microsoft\Terminal Server Client\Cache\*" -Recurse -Force
- Check whether RDP is exposed. If port 3389 is reachable from the Internet, lockouts of many different accounts from Source Network Addresses you do not recognise are a brute-force or password-spray attack, not a configuration problem: put RDP behind a VPN or RD Gateway and keep NLA enabled.
# Verify RDP is listening, and on which address
netstat -an | findstr :3389
- Check RDP settings only if users cannot connect at all: right-click This PC → Properties → Remote settings, and ensure "Allow remote connections to this computer" is enabled. That setting has no effect on lockouts.
FAQ
How long does an account stay locked?
For as long as Account lockout duration says: 0 means until an administrator unlocks it; any other value is the number of minutes after which Windows clears the lockout on its own (Windows proposes 30 minutes when you first set a threshold; Microsoft's baseline uses 15). Unlocking early does not help while the source of the bad password is still running; the account locks again as soon as the threshold is reached.
Can I prevent lockouts for specific accounts?
For domain accounts, yes: a fine-grained password policy (PSO) applied to a user or group can set a different, or zero, lockout threshold, and Get-ADUserResultantPasswordPolicy shows which policy wins for a given user. Local accounts have no per-account exception. An account that cannot lock is a prime target for password spraying, so give it a long random password and MFA where possible, and fix the stale credential rather than exempting the account.
What's the difference between account lockout and session lockout?
Account lockout is a state of the account on the authority that holds it (the local SAM or Active Directory): no password is accepted from anywhere until the lockout clears. A session lock is the Win+L or idle-timeout lock of one interactive session; it is not caused by failed attempts, but wrong passwords typed at that lock screen count toward the account lockout threshold like any other, which is why a locked session sometimes refuses the correct password.
How do I find what's causing repeated lockouts?
Start with 4740 on the PDC emulator: its Caller Computer Name is the machine that sent the last bad password. Then read 4625 (plus 4776 for NTLM and 4771 for Kerberos) on that machine around the same timestamp. Logon Type tells you the channel (4 = scheduled task, 5 = service, 3 = network: SMB, IIS or RDP with NLA, 10 = RDP without NLA), Process Name the program, and Source Network Address the client behind it.