Updated: November 23, 2024

net accounts

Show account policies including password and lockout settings.

Command: net accounts

Category: Configuration

Type: CMD

Purpose

Displays or modifies account policy settings on the local computer, including password age requirements, minimum password length, password history, and account lockout policies. Essential for understanding and configuring local security policies.

Quick Summary

View and configure local account security policies from the command line. See password expiration settings, minimum password length, lockout policies, and other account security settings. Perfect for security audits, compliance verification, and configuring local security policies without using Group Policy Editor.

How to Use

View current account policies:

net accounts

Modify password age (requires admin):

net accounts /minpwage:7
net accounts /maxpwage:90

Set minimum password length (requires admin):

net accounts /minpwlen:8

Set password uniqueness history (requires admin):

net accounts /uniquepw:5

Force logoff after hours expire (requires admin):

net accounts /forcelogoff:yes
net accounts /forcelogoff:no

Tips and Best Practices

  • Run net accounts without parameters first to see current settings.
  • Document settings before making changes.
  • Coordinate with organizational security policies.
  • Changes take effect immediately but don't affect currently logged-in users until next logon.
  • Use /domain switch for domain policies (requires domain admin rights).
  • Test policy changes in non-production environment first.

Understanding the Output

Example output:

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION

Common Use Cases

  • Security audits: Review password and lockout policies.
  • Compliance: Verify settings meet security requirements.
  • Policy enforcement: Configure password complexity and aging.
  • Troubleshooting: Check lockout settings when users are locked out.
  • Hardening: Implement stricter security policies on local computers.
  • Documentation: Record current policy settings.

Prerequisites

  • Windows Command Prompt or PowerShell
  • No administrator rights required to view policies
  • Administrator rights required to modify policies
  • Available on all Windows versions
  • Workgroup or standalone computers (for local policies)

Policy Settings Explained

Force user logoff:

  • Never: Users can remain logged in indefinitely
  • Number: Minutes after logon hours expire before forced logoff
  • Affects workstations with restricted logon hours

Minimum password age:

  • Days before password can be changed after last change
  • Prevents users from cycling through passwords quickly
  • 0 = Password can be changed immediately
  • Typical: 1-7 days

Maximum password age:

  • Days before password must be changed
  • Forces regular password changes
  • "Unlimited" or very high number = passwords don't expire
  • Typical: 30-90 days

Minimum password length:

  • Minimum characters required for passwords
  • 0 = No minimum (blank passwords allowed)
  • Recommended: 8+ characters
  • Best practice: 12+ characters

Password history:

  • Number of previous passwords remembered
  • Prevents password reuse
  • "None" = Can reuse passwords immediately
  • Typical: 5-24 passwords remembered

Lockout threshold:

  • Failed logon attempts before account locks
  • "Never" = No lockout (security risk)
  • Typical: 3-10 attempts
  • Note: Setting not available via net accounts (use Local Security Policy, secpol.msc)

Lockout duration:

  • Minutes account remains locked
  • 0 = Manual unlock by administrator required
  • Typical: 15-30 minutes
  • Note: Setting not available via net accounts

Computer role:

  • WORKSTATION: Standard computer
  • SERVER: Windows Server
  • DOMAIN CONTROLLER: Active Directory domain controller

Modifying Account Policies

Set password policies:

net accounts /minpwage:1
net accounts /maxpwage:90
net accounts /minpwlen:8
net accounts /uniquepw:5

Disable password expiration:

net accounts /maxpwage:unlimited

Strict password policy example:

net accounts /minpwlen:12 /minpwage:1 /maxpwage:60 /uniquepw:10

Relaxed policy (not recommended):

net accounts /minpwlen:0 /maxpwage:unlimited

Working with Domain Policies

View domain account policies:

net accounts /domain

Modify domain policies (domain admin required):

net accounts /minpwlen:10 /domain

Note: Domain policies are usually managed via Group Policy; command-line changes are less common in domain environments.

Lockout Policies

Important: The net accounts command cannot modify lockout threshold, duration, or observation window. These must be configured via:

  1. Local Security Policy (secpol.msc):

    • Security Settings > Account Policies > Account Lockout Policy
  2. Group Policy Editor (gpedit.msc):

    • Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
  3. PowerShell:

    # View lockout policy
    net accounts
    
    # Cannot set lockout via net accounts
    # Use secpol.msc or Group Policy instead
    

Troubleshooting

  • "Access is denied" - Requires administrator rights to modify; run Command Prompt as Administrator.
  • "System error 5 has occurred" - Insufficient privileges; run as Administrator.
  • "This command can be used only on a Windows Domain Controller" - Using /domain switch on non-domain controller.
  • Settings don't seem to apply - Wait a few minutes or restart; some policies refresh periodically.
  • Can't see lockout settings - Use Local Security Policy (secpol.msc) or Group Policy Editor instead.

Security Best Practices

Recommended password policies:

net accounts /minpwlen:12
net accounts /maxpwage:90
net accounts /minpwage:1
net accounts /uniquepw:10

Explanation:

  • 12 character minimum (strong passwords)
  • 90 day maximum age (regular rotation)
  • 1 day minimum age (prevent rapid cycling)
  • Remember 10 passwords (prevent reuse)

Additional recommendations:

  • Configure lockout threshold: 5-10 failed attempts
  • Set lockout duration: 15-30 minutes
  • Enable password complexity requirements (via Group Policy)
  • Educate users on password security
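
The recommendations above can be checked automatically. The following is an added example, not part of the original page: it parses net accounts output and reports which settings meet the values recommended in this section. The function names are hypothetical, and the parser assumes the English-language labels shown under "Understanding the Output".

```powershell
# Added example (not from the original page). Function names are hypothetical.
# Assumes the English-language labels shown in "Understanding the Output".
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = [ordered]@{}
    foreach ($line in $Lines) {
        # Settings print as "Label:   Value"; the first label ends in "?:".
        if ($line -match '^(?<k>.+?)\??:\s+(?<v>\S.*)$') {
            $policy[$Matches['k'].Trim()] = $Matches['v'].Trim()
        }
    }
    $policy
}

function Test-AccountPolicy {
    param([System.Collections.IDictionary]$Policy)
    # Baseline taken from the recommendations above (inclusive ranges).
    $baseline = [ordered]@{
        'Minimum password length'               = @{ Min = 12 }
        'Maximum password age (days)'           = @{ Min = 1; Max = 90 }
        'Minimum password age (days)'           = @{ Min = 1 }
        'Length of password history maintained' = @{ Min = 10 }
        'Lockout threshold'                     = @{ Min = 5;  Max = 10 }
        'Lockout duration (minutes)'            = @{ Min = 15; Max = 30 }
    }
    foreach ($label in $baseline.Keys) {
        $raw  = [string]$Policy[$label]
        $rule = $baseline[$label]
        # "Never", "None" and "Unlimited" are non-numeric and always fail.
        $ok = $raw -match '^\d+$' -and [int]$raw -ge $rule.Min -and
              (-not $rule.ContainsKey('Max') -or [int]$raw -le $rule.Max)
        [pscustomobject]@{ Setting = $label; Value = $raw; Pass = $ok }
    }
}

# Sample input: the first seven lines of the example output shown on this page.
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
'@ -split '\r?\n'

Test-AccountPolicy (ConvertFrom-NetAccounts $sample) | Format-Table -AutoSize
# On a live host: Test-AccountPolicy (ConvertFrom-NetAccounts (net accounts))
```

Against the sample output, only the maximum password age (42) and the lockout duration (30) pass; the other four settings fail the baseline.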

Compliance Considerations

Common compliance requirements:

NIST Guidelines:

  • Minimum 8 characters (12+ recommended)
  • No regular expiration for user-chosen passwords
  • Expiration only if compromise suspected

PCI DSS:

  • Minimum 7 characters
  • Complex passwords required
  • Max 90 days before change
  • Remember 4 previous passwords

HIPAA:

  • Unique passwords
  • Regular changes
  • Lockout after failed attempts

SOC 2:

  • Documented password policy
  • Regular password changes
  • Password complexity

Viewing vs. Modifying Policies

View only (no admin required):

net accounts

Modify (requires admin):

net accounts /minpwlen:10

Best practice workflow:

  1. View current settings: net accounts
  2. Document current settings: net accounts > policy-before.txt
  3. Make changes with admin rights
  4. Verify changes: net accounts
  5. Test with non-admin account
  6. Document new settings: net accounts > policy-after.txt
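
The workflow above as a single PowerShell function, given here as an added example that is not part of the original page. The function name and the timestamped file names are hypothetical. It refuses to run without elevation, stops at the first failed change, and returns only the lines that differ between the before and after snapshots.

```powershell
# Added example (not from the original page); the function name is hypothetical.
# Only the password switches shown on this page are accepted.
function Set-AccountPolicyWithRecord {
    param(
        [Parameter(Mandatory)][string[]]$Switches,   # e.g. '/minpwlen:12', '/uniquepw:10'
        [string]$OutDir = '.'
    )
    # Reject anything that is not one of the documented switch:value pairs.
    $allowed = '^/(minpwlen|minpwage|maxpwage|uniquepw):(\d+|unlimited)$'
    $bad = @($Switches | Where-Object { $_ -notmatch $allowed })
    if ($bad.Count) { throw "Unsupported switch(es): $($bad -join ', ')" }

    # Step 3 needs admin rights: fail before touching anything if not elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: run PowerShell as Administrator.'
    }

    # Steps 1-2: view and document the current settings.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $before = net accounts
    $before | Set-Content -Path (Join-Path $OutDir "policy-before-$stamp.txt")

    # Step 3: apply each change and stop at the first failure.
    foreach ($sw in $Switches) {
        net accounts $sw | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net accounts $sw failed (exit code $LASTEXITCODE)" }
    }

    # Steps 4 and 6: re-read, document, and return only the lines that changed.
    $after = net accounts
    $after | Set-Content -Path (Join-Path $OutDir "policy-after-$stamp.txt")
    Compare-Object $before $after |
        Select-Object @{ n = 'When'; e = { if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } } },
                      @{ n = 'Line'; e = { $_.InputObject } }
}

# Example call (values from "Recommended password policies" on this page):
# Set-AccountPolicyWithRecord -Switches '/minpwlen:12','/maxpwage:90','/minpwage:1','/uniquepw:10'
```

Step 5 (testing with a non-admin account) is still a manual check.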

Scripting Examples

Batch - view and save policy:

@echo off
echo Account Policy Report > account-policy.txt
echo Generated: %date% %time% >> account-policy.txt
echo. >> account-policy.txt
net accounts >> account-policy.txt
echo Policy saved to account-policy.txt

Batch - set strict policy:

@echo off
echo Setting strict account policies...
net accounts /minpwlen:12
net accounts /minpwage:1
net accounts /maxpwage:60
net accounts /uniquepw:12
echo Policy settings updated.
echo.
echo Current policy:
net accounts
pause

PowerShell alternatives:

# View account policies
net accounts

# Set policies (still uses net accounts)
net accounts /minpwlen:10
net accounts /maxpwage:90

# View via Get-LocalUser properties
Get-LocalUser | Select-Object Name, PasswordExpires, PasswordLastSet

Comparing Policies

Save before changes:

net accounts > policy-before.txt

Make changes, then save after:

net accounts > policy-after.txt

Compare:

fc policy-before.txt policy-after.txt

Local Security Policy GUI (Pro+ editions):

secpol.msc

Group Policy Editor:

gpedit.msc

View password expiration for specific user:

net user username | find "Password expires"

View all users' password status:

wmic useraccount get name,passwordexpires

PowerShell:

# Get password policies
Get-LocalUser | Select-Object Name, PasswordExpires, PasswordLastSet, PasswordRequired

# Check specific user
Get-LocalUser -Name "JohnDoe" | Select-Object *password*

Limitations

What net accounts CANNOT do:

  • Configure password complexity requirements (use Group Policy)
  • Set lockout threshold (use secpol.msc or Group Policy)
  • Set lockout duration (use secpol.msc or Group Policy)
  • Configure fine-grained password policies (use AD and PowerShell)
  • Manage individual user password settings (use net user instead)

For full password policy management:

  • Use Local Security Policy (secpol.msc)
  • Use Group Policy (gpedit.msc)
  • Use Active Directory for domain environments

Related Commands

  • net user - Manage user accounts
  • net localgroup - Manage local groups
  • secpol.msc - Local Security Policy GUI
  • gpedit.msc - Group Policy Editor
  • whoami /all - View current user and group info
  • PowerShell Get-LocalUser - Query user password settings