Local Administrator Account Lockout

🔒 Secure Bits 💡
Did you know the Local Administrator account can get locked out?

For years, the built-in local Administrator account (RID 500) could not be locked out at all, and attackers loved this loophole: they could guess its password indefinitely with no lockout to slow them down.

๐—•๐˜‚๐˜ ๐˜๐—ต๐—ถ๐—ป๐—ด๐˜€ ๐—ต๐—ฎ๐˜ƒ๐—ฒ ๐—ฐ๐—ต๐—ฎ๐—ป๐—ด๐—ฒ๐—ฑ:
โœ… Since 2022, thereโ€™s a GPO to control this behavior.
โœ… In Windows Server 2025, the default is that the built-in local admin can be locked out.
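Here is an added example (not part of the original post) that audits whether the built-in Administrator on a host is actually subject to lockout, and a helper that applies the Windows Server 2025 style defaults through a secedit template. It assumes the secedit export keys AllowAdministratorLockout, LockoutBadCount, LockoutDuration and ResetLockoutCount under [System Access]; on builds without the 2022 policy the first key is simply absent and the audit reports the account as not enforced. The function names are my own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# Assumption: the [System Access] keys below exist in the secedit export on builds
# that carry the 2022 "Allow Administrator account lockout" policy.

function Get-InfValue {
    param([string[]]$Lines, [string]$Key)
    $line = $Lines | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if ($line) { return ($line -split '=', 2)[1].Trim() }
    return $null
}

function Test-BuiltinAdminLockout {
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $inf = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $allow     = Get-InfValue $inf 'AllowAdministratorLockout'   # '1', '0' or $null (policy absent)
    $threshold = [int](Get-InfValue $inf 'LockoutBadCount')      # 0 = never locks out

    # Locate RID 500 by SID so a renamed built-in account does not hide it
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        BuiltinAdminName          = $builtin.Name
        BuiltinAdminEnabled       = $builtin.Enabled
        AllowAdministratorLockout = $allow
        LockoutThreshold          = $threshold
        LockoutDurationMin        = Get-InfValue $inf 'LockoutDuration'
        ResetCounterMin           = Get-InfValue $inf 'ResetLockoutCount'
        Enforced                  = ($allow -eq '1' -and $threshold -gt 0)
    }
}

function Set-BuiltinAdminLockout {
    # Writes a minimal security template and applies it with secedit.
    # Defaults mirror the Windows Server 2025 values (10 attempts / 10 min / 10 min).
    param([int]$Threshold = 10, [int]$DurationMinutes = 10, [int]$ResetMinutes = 10)
    $cfg = Join-Path $env:TEMP 'secpol-lockout.inf'
    $db  = Join-Path $env:TEMP 'secpol-lockout.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
LockoutBadCount = $Threshold
LockoutDuration = $DurationMinutes
ResetLockoutCount = $ResetMinutes
AllowAdministratorLockout = 1
"@ | Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

$state = Test-BuiltinAdminLockout
$state | Format-List
if (-not $state.Enforced) {
    Write-Warning "Built-in Administrator is not subject to lockout on $($state.Computer); run Set-BuiltinAdminLockout or set it via GPO."
}
```

On a domain-joined server the Account Lockout Policy from the domain GPO wins over whatever Set-BuiltinAdminLockout writes locally, so use the audit to verify the effective result rather than trusting the template, and roll the setting out through Group Policy for fleet-wide coverage.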

๐—ช๐—ต๐˜† ๐—ฑ๐—ผ๐—ฒ๐˜€ ๐˜๐—ต๐—ถ๐˜€ ๐—บ๐—ฎ๐˜๐˜๐—ฒ๐—ฟ?
Because the local admin password is often:
โŒ Simple and weak
โŒ Shared across many servers

Attackers exploit this to move laterally from server to server with the same local credential, without ever touching a domain account.
Lockouts help stop brute-force attacks, but keep in mind:
⚠ The lockout only applies to network logons (logon type 3, for example SMB or WinRM). A locked-out built-in Administrator can still sign in interactively at the console, so lockout alone does not protect a server from someone with physical or hypervisor console access.
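To see which failed attempts a lockout would actually stop, here is an added example (not from the original post) that parses 4625 failed-logon events for the built-in Administrator and groups them by logon type and source. It uses the standard 4625 EventData field names (TargetUserName, LogonType, IpAddress, WorkstationName, Status); the sample events are constructed for this example, and the final lines run the same functions over the live Security log. Function names are my own.

```powershell
# Added example, not from the original post. Failed logons (4625) against the
# built-in Administrator, grouped so network (type 3) attempts that the lockout
# covers are separated from interactive console (type 2) attempts that it does not.

function ConvertFrom-FailedLogon {
    param([Parameter(ValueFromPipeline)][xml]$EventXml)
    process {
        $d = @{}
        foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            Account     = $d['TargetUserName']
            LogonType   = [int]$d['LogonType']
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Status      = $d['Status']
        }
    }
}

function Get-AdminLogonFailureSummary {
    param([Parameter(ValueFromPipeline)]$Record, [string]$Account)
    begin { $rows = @() }
    process { $rows += $Record }
    end {
        $rows | Where-Object { $_.Account -eq $Account } |
            Group-Object LogonType, Source |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    LogonType = $first.LogonType
                    Kind      = switch ($first.LogonType) {
                                    2  { 'Interactive (console; lockout does not block)' }
                                    3  { 'Network (lockout applies)' }
                                    10 { 'RemoteInteractive (RDP)' }
                                    default { 'Other' }
                                }
                    Source    = $first.Source
                    Failures  = $_.Count
                }
            }
    }
}

# Constructed sample events (not real log data) so the parser runs offline.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="LogonType">{2}</Data>
    <Data Name="IpAddress">{3}</Data>
    <Data Name="WorkstationName">{4}</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
</Event>
'@
$sampleEvents = @(
    ($template -f '2025-01-10T08:00:01Z', 'Administrator', 3, '10.0.0.25', 'WS01'),
    ($template -f '2025-01-10T08:00:02Z', 'Administrator', 3, '10.0.0.25', 'WS01'),
    ($template -f '2025-01-10T08:00:03Z', 'Administrator', 3, '10.0.0.25', 'WS01'),
    ($template -f '2025-01-10T08:05:00Z', 'Administrator', 2, '127.0.0.1', 'SRV01'),
    ($template -f '2025-01-10T08:06:00Z', 'svc_backup',    3, '10.0.0.40', 'WS02')
) | ForEach-Object { [xml]$_ }

$sampleEvents | ConvertFrom-FailedLogon |
    Get-AdminLogonFailureSummary -Account 'Administrator' | Format-Table -AutoSize

# Same thing over the live Security log for the last 24 hours (elevated session).
$rid500 = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-FailedLogon |
    Get-AdminLogonFailureSummary -Account $rid500 | Format-Table -AutoSize

# Lockouts that actually happened on this host (event 4740).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

On the sample data the three type 3 failures from 10.0.0.25 are the ones the new lockout would count; the single type 2 failure at the console would not be blocked even with the account locked, which is exactly the caveat above.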

Also, I hope you're not using the same password across all servers!
If you are → start using LAPS (Local Administrator Password Solution) to set a unique, regularly rotated local admin password on every machine. LAPS existed long before 2022 as a protection for exactly this scenario, and Windows LAPS is now built into Windows 11 and Windows Server 2022 and later, so there is nothing extra to install.

👉 Did you know about this change?