Information
This policy setting determines whether the built-in Administrator account is subject to the following Account Lockout Policy settings: Account lockout duration, Account lockout threshold, and Reset account lockout counter. By default, this account is excluded from the account lockout controls and will never be locked out with repeated bad password attempts.
The recommended state for this setting is: Enabled.
Note: This setting applies only to OSes patched as of October 11, 2022 (see MS KB5020282).
Enabling account lockout policies for the built-in Administrator account will reduce the likelihood of a successful brute force attack.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\Allow Administrator account lockout
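To verify the setting once the policy has applied, the following PowerShell audit script is an added example and is not part of the benchmark. It assumes the setting is stored in the [System Access] section of a secedit export as AllowAdministratorLockout, next to the LockoutBadCount, LockoutDuration and ResetLockoutCount keys for the Section 1.2 settings.

```powershell
# Added audit helper: exports the local security policy with secedit and reports
# whether the built-in Administrator account is covered by the lockout policy.
# Assumption (not stated on the page): the setting is stored in the [System Access]
# section of the secedit export as AllowAdministratorLockout, alongside
# LockoutBadCount, LockoutDuration and ResetLockoutCount.
# Run from an elevated PowerShell prompt.

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse "Key = Value" lines from the INF export into a hashtable.
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$adminLockout = $policy['AllowAdministratorLockout']
$threshold    = $policy['LockoutBadCount']

# Show the effective values side by side with the Section 1.2 settings.
[pscustomobject]@{
    AllowAdministratorLockout = $adminLockout
    LockoutBadCount           = $threshold
    LockoutDuration           = $policy['LockoutDuration']
    ResetLockoutCount         = $policy['ResetLockoutCount']
}

# Benchmark expectation: the value is 1 (Enabled). A missing key means the OS
# predates KB5020282 or the policy has never been applied; 0 means Disabled.
switch ($adminLockout) {
    '1'     { Write-Output 'PASS: built-in Administrator is subject to account lockout.' }
    '0'     { Write-Warning 'FAIL: Allow Administrator account lockout is Disabled.' }
    default { Write-Warning 'FAIL: setting not present (OS not patched with KB5020282, or policy not applied).' }
}

# The account only locks out if a threshold is configured too; 0 means "never lock out".
if (-not $threshold -or $threshold -eq '0') {
    Write-Warning 'Account lockout threshold is 0 (never locks out); configure Section 1.2 as well.'
}
```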
Impact:
The built-in Administrator account will be subject to the policies in Section 1.2 Account Lockout Policy of this benchmark.