1.2.3 Ensure 'Allow Administrator account lockout' is set to 'Enabled'


This policy setting determines whether the built-in Administrator account is subject to the following Account Lockout Policy settings: Account lockout duration, Account lockout threshold, and Reset account lockout counter. By default, this account is excluded from the account lockout controls and will never be locked out with repeated bad password attempts.

The recommended state for this setting is: Enabled.

Note: This setting applies only to OSes patched as of October 11, 2022 (see MS KB5020282).


Enabling account lockout policies for the built-in Administrator account will reduce the likelihood of a successful brute force attack.


The built-in Administrator account will be subject to the policies in Section 1.2 Account Lockout Policy of this benchmark.


To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\Allow Administrator account lockout

Default Value:

Disabled. (The built-in Administrator account is not subject to the account lockout policy.)

See Also