Querying Account Lockout Policy settings

To prevent brute-force attacks on your Windows accounts, you should configure an appropriate Account Lockout Policy, which is supported in both Windows 10 and Windows 11. Changing these settings in the Group Policy Editor (gpedit.msc) is straightforward:

If you want to query these settings programmatically, you can use one of these methods:

Method 1: net.exe

C:\>%windir%\System32\net.exe Accounts
…
Lockout threshold:                                    5
Lockout duration (minutes):                           10
Lockout observation window (minutes):                 10
…
The command completed successfully.

This method does not print the Allow Administrator account lockout setting, however.

Method 2: PowerShell

The settings are stored in the [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account] registry key, which by default is only readable by the SYSTEM account. Furthermore, Windows uses a single REG_BINARY value that needs to be decoded. The Get-AccountLockoutSettings function uses PsExec to impersonate the SYSTEM account and then decodes the binary data:

function Get-AccountLockoutSettings {
	[CmdletBinding()]
	param();
	
	$psexec = "$env:ProgramFiles\SysinternalsSuite\PsExec.exe";
	$pwsh = (Get-Process -Id $pid).Path;
	[byte[]] $bytes = & $psexec -nobanner -accepteula -s $pwsh -Command "Get-ItemPropertyValue -LiteralPath 'HKLM:\SAM\SAM\Domains\Account' -Name 'F'";
	
	function ConvertTo-Minutes {
		[CmdletBinding()]
		param(
			[byte[]]
			$Bytes
		);
		$ticks = [System.BitConverter]::ToUInt64( $Bytes, 0 ) -bxor [uint64]::MaxValue;
		[timespan]::FromTicks( $ticks + 1).TotalMinutes;
	}
	
	@{
		"Account lockout duration" = ConvertTo-Minutes -Bytes $bytes[0x30..0x37];
		"Reset account lockout counter after" = ConvertTo-Minutes -Bytes $bytes[0x38..0x3F];
		"Account lockout threshold" = [System.BitConverter]::ToUInt16( $bytes[0x54..0x55], 0 );
		"Allow Administrator account lockout" = $(
			switch( $bytes[0x4C] ) {
				0 { "Disabled"; }
				8 { "Enabled"; }
				default { throw "Unexpected value '0x{0:X2}'." -f $_; }
			}
		);
	};
}
Get-AccountLockoutSettings.ps1

You need administrative rights to run this function. The output should look like this:

PS C:\> Get-AccountLockoutSettings | Format-Table -AutoSize

Name                                Value
----                                -----
Account lockout duration            10
Allow Administrator account lockout Enabled
Reset account lockout counter after 10
Account lockout threshold           5