
Elastic Compute Service: What do I do if an error message similar to "As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts" appears when I connect to a Windows instance by using RDP?

Last Updated:Feb 27, 2025

This topic describes why an error message similar to "As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts" appears when you connect to a Windows Elastic Compute Service (ECS) instance by using Remote Desktop Protocol (RDP), and how to resolve the issue.

Problem description

When you use an RDP client, such as Remote Desktop, Workbench, or Windows App, to connect to a Windows ECS instance, the "As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts" error message, or a similar message, appears. The exact wording varies by client.

[Figures: the error message as reported by Remote Desktop, Workbench, and Windows App]

Cause

Account lockout is a built-in Windows security mechanism. After the number of consecutive failed logons for an account reaches the configured account lockout threshold, Windows locks the account for the configured account lockout duration and rejects further logons, even with the correct password. The error appears when this threshold was reached for the account that you use to connect: an incorrect password was entered for it repeatedly, from your RDP client or from any other host that can reach the RDP port of the instance. The lockout limits the rate at which an attacker can guess passwords.

Important

If this error appears, first check whether you or a colleague recently entered an incorrect password several times. If not, a host on the Internet is probably running a password-guessing (brute-force) attack against the RDP service of the instance. The Security event log on the instance records each failed logon (event ID 4625, including the source IP address) and the lockout itself (event ID 4740), so you can tell the two cases apart.
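The following PowerShell script is an added example and is not part of the Alibaba Cloud page. It reads the local Security event log of the instance to show who produced the failed logons and the lockout. It assumes a standalone (non-domain) Windows instance, an elevated PowerShell session on the instance (for example over the VNC connection from the ECS console), and a hypothetical look-back parameter named $Hours.

```powershell
# Added example, not from the Alibaba Cloud page: distinguish an operator's typos
# from a brute-force attack by reading the local Security event log.
# On a standalone (non-domain) instance the relevant events are written locally:
#   4625  An account failed to log on      (one event per wrong password)
#   4740  A user account was locked out    (written when the threshold is reached)
# $Hours is a hypothetical parameter chosen for this example.
param([int]$Hours = 24)

function Get-EventDataField {
    # Pull one named <Data> field out of the event's XML payload.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-$Hours)

Write-Host "Lockouts (event 4740) in the last $Hours hours:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = Get-EventDataField $_ 'TargetUserName'
            # In event 4740 the TargetDomainName field carries the "Caller Computer Name".
            Caller  = Get-EventDataField $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize

Write-Host "Failed logons (event 4625) grouped by source IP, account and logon type:"
# LogonType 10 = RemoteInteractive (RDP without Network Level Authentication);
# LogonType 3  = Network, which is how RDP with NLA records a failed credential check.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp  = Get-EventDataField $_ 'IpAddress'
            Account   = Get-EventDataField $_ 'TargetUserName'
            LogonType = Get-EventDataField $_ 'LogonType'
        }
    } |
    Group-Object SourceIp, Account, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A handful of failures from your own public IP address is a typo. Dozens or thousands of failures from addresses you do not recognize, often cycling through usernames such as Administrator or admin, mean the instance is being brute-forced, and restricting the RDP port in the security group is the real fix.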

Solution procedure

To resolve the issue and prevent it from recurring, use security groups to limit the IP addresses that can connect to the RDP port of the Windows ECS instance.

The remote connection port of Windows (TCP port 3389 by default) is a high-risk port. If it is open to all public IP addresses, it is continuously scanned and subjected to password-guessing attacks from the Internet, which repeatedly locks the account. You must configure security group rules that allow only the hosts you expect to reach the port. The solution consists of the following steps:

  1. Modify the security group rules to prohibit all IP addresses from accessing the RDP port of the Windows ECS instance.

    This immediately stops the logon attempts from unknown hosts that keep locking the account, whichever RDP client (Remote Desktop, Windows App, or Workbench) they use.

  2. Connect to the Windows ECS instance by using Virtual Network Computing (VNC) and unlock the account.

    VNC in the ECS console is a console session that does not go through the RDP port, so it still works after step 1. After you log on to Windows over VNC, the account is unlocked.

  3. Modify the security group rules again.

    Based on the principle of least privilege, add inbound rules that allow RDP access only from the IP addresses that you use.

  4. Verify that you can use an RDP client to connect to the Windows ECS instance.

    Connect with an RDP client to confirm that the new security group rules are in effect and that the account is unlocked.

Step 1: Modify the security group rules to prohibit all IP addresses from accessing the RDP service of the Windows ECS instance

To prevent the preceding issue from reoccurring in subsequent operations, you must modify the security group rules associated with the Windows ECS instance to prohibit all IP addresses from accessing the RDP port on the instance. This prevents anyone from using an RDP client, such as Remote Desktop, Windows App, or Workbench, to connect to the instance over the Internet and resolves the issue of remote logons from unknown hosts. Perform the following steps:

  1. In the ECS console, find the security groups to which the Windows ECS instance whose account you want to unlock belongs.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Instances.

    3. In the top navigation bar, select the region in which the Windows ECS instance that you want to manage resides and the resource group to which the instance belongs.

    4. On the Instance page, find the Windows ECS instance whose account you want to unlock and click the instance ID to go to the instance details page.

    5. Click the Security Groups > Security Groups tab. The page that appears displays all security groups that are associated with the Windows ECS instance.

  2. Modify security group rules to block the RDP port.

    1. Click Manage Rules in the Operation column that corresponds to each security group to access the security group details page.

    2. Find all rules whose Port Range parameter contains the RDP port (3389 by default). Delete the rules or change the action of the rules to Deny.

      Important

      Before you modify the security group rules, we recommend that you back up the original security group rules. This allows you to restore the rules if required.


    3. Verify that no host on the Internet can connect to the RDP port of the instance. For example, from a host outside the cloud network, attempt an RDP connection, or a plain TCP connection to port 3389 of the public IP address of the instance; the connection must fail.

Step 2: Connect to the Windows ECS instance by using VNC and unlock the account

After you prohibit all hosts from accessing the RDP port of the Windows ECS instance, connect to the instance by using VNC in the ECS console. VNC is a console session that does not use the RDP port, so it is not affected by the security group rules from Step 1. After you log on to Windows over VNC, the account is unlocked.

  1. In the ECS console, find the Windows ECS instance whose account you want to unlock.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Instances.

    3. In the top navigation bar, select the region and resource group to which the resource belongs.

    4. On the Instance page, find the Windows ECS instance whose account you want to unlock.

  2. Open the VNC connection page of the Windows ECS instance:

    1. In the Actions column that corresponds to the instance, open the more-actions menu and choose VNC Connection.

    2. The VNC connection page appears. In this example, an instance that runs Windows Server 2025 is used.

  3. Log on to the Windows operating system. After you log on, the account is unlocked.

    1. In the upper-left corner of the VNC connection page, choose Send Remote Commands > CTRL+ALT+DELETE to open the Windows logon screen.

    2. Select a username, enter the password, and then press the Enter key to log on to the operating system of the instance. The default username is Administrator.

      Important

      If you do not know your username or password, or if you forgot your password, reset the password first. For more information, see Reset the logon password of an instance.

Step 3: Modify security group rules

In Step 1, you prohibited all IP addresses from connecting to the Windows ECS instance by using RDP. To ensure that you can use an RDP client to connect to the instance, modify the inbound rules in the security groups to which the instance belongs based on the principle of least privilege to allow only the IP address of your host to connect to the instance by using RDP. To modify the inbound rules in the security groups to which the Windows ECS instance belongs, perform the following steps:

  1. Plan security group settings. Determine the IP addresses or CIDR blocks of the hosts that are allowed to connect to the Windows ECS instance.

    Before you modify security group rules, obtain the public IP addresses or CIDR blocks of all hosts that need to connect to the Windows ECS instance. If you want to allow your on-premises host to connect, go to https://cip.cc/ to obtain its public IP address. If your host sits behind NAT or a corporate proxy, the address shown there is the egress address that the instance sees, and that is the address to allow. For information about the best practices for configuring security group rules, see Best practices for security groups (inbound rules).

  2. Modify security group rules.

    1. Find the security groups that you modified in Step 1.

    2. Click Manage Rules in the Operation column that corresponds to each security group. On the Inbound tab in the Access Rule section, click Add Rule to add a security group rule. The rule allows only the IP address of your host to access the RDP port of the Windows ECS instance. The following table describes the parameters.

      Action: Allow

      Priority: 1

      Protocol type: Custom TCP

      Port range: Select RDP (3389). The default port number is 3389 when you connect to a Windows ECS instance by using RDP.

        Important

        The port that you must configure depends on the port on which RDP actually listens on the Windows ECS instance. If you changed the RDP port, specify the actual port.

      Authorization object: The public IP address of your on-premises host, or the CIDR block to which the public IP address belongs.

        Warning

        • If you specify 0.0.0.0/0, access on the specified port is allowed for all IPv4 addresses. This poses security risks and may repeatedly cause the account lockout issue.

        • You can obtain the public IP address of your on-premises host from https://cip.cc/.
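The console procedure of Step 1 (back up the rules, then block the RDP port for every source) and of Step 3 (allow the port only from your own address) can also be carried out from the operator's host with the Alibaba Cloud CLI. The following PowerShell script is an added example; it is not code from the Alibaba Cloud page or from the aliyun CLI project. It assumes that the aliyun CLI is installed and configured (aliyun configure) with credentials allowed to modify security groups, and that the region, security group ID, instance public IP address and operator IP address below are placeholders to replace with your own values.

```powershell
# Added example, not from the Alibaba Cloud page: Step 1 and Step 3 with the aliyun CLI.
# All IDs and addresses below are placeholders (assumptions), not real resources.
$Region     = 'cn-hangzhou'              # assumption: region of the instance
$SgId       = 'sg-bp1xxxxxxxxxxxxxxxxx'  # assumption: security group of the instance
$InstanceIp = '198.51.100.20'            # assumption: public IP address of the instance
$MyIp       = '203.0.113.10'             # assumption: operator's public IP (see https://cip.cc/)
$RdpPort    = 3389                       # change this if RDP listens on another port

# Step 1a: back up the current inbound rules before touching them.
$backupJson = aliyun ecs DescribeSecurityGroupAttribute --RegionId $Region --SecurityGroupId $SgId --Direction ingress | Out-String
$backupJson | Out-File -Encoding utf8 "$SgId-inbound-backup-$(Get-Date -Format yyyyMMdd-HHmmss).json"

# Step 1b: revoke every inbound Accept rule whose port range covers the RDP port.
$rules = ($backupJson | ConvertFrom-Json).Permissions.Permission
foreach ($r in $rules) {
    $proto = $r.IpProtocol.ToUpper()
    if ($proto -ne 'TCP' -and $proto -ne 'ALL') { continue }
    if ($r.Policy -ne 'Accept') { continue }
    if (-not $r.SourceCidrIp) {
        # Rules whose source is another security group or a prefix list have no CIDR;
        # they are not revoked here and must be reviewed in the console.
        Write-Warning "Rule $($r.SecurityGroupRuleId) has no source CIDR; review it manually."
        continue
    }
    $lo, $hi = ($r.PortRange -split '/') | ForEach-Object { [int]$_ }
    $coversRdp = ($lo -eq -1) -or ($lo -le $RdpPort -and $hi -ge $RdpPort)
    if (-not $coversRdp) { continue }

    Write-Host "Revoking $($r.IpProtocol) $($r.PortRange) from $($r.SourceCidrIp) (priority $($r.Priority))"
    aliyun ecs RevokeSecurityGroup --RegionId $Region --SecurityGroupId $SgId `
        --IpProtocol $r.IpProtocol --PortRange $r.PortRange --SourceCidrIp $r.SourceCidrIp `
        --Policy $r.Policy --Priority $r.Priority --NicType $r.NicType
}

# Step 1c: from the operator host, confirm that the port no longer answers (expect False).
Write-Host "RDP port reachable after blocking: $(Test-NetConnection -ComputerName $InstanceIp -Port $RdpPort -InformationLevel Quiet)"

# (Step 2, unlocking the account over VNC in the ECS console, happens here.)

# Step 3: allow the RDP port only from the operator's /32. Never use 0.0.0.0/0 here.
aliyun ecs AuthorizeSecurityGroup --RegionId $Region --SecurityGroupId $SgId `
    --IpProtocol tcp --PortRange "$RdpPort/$RdpPort" --SourceCidrIp "$MyIp/32" `
    --Policy accept --Priority 1 --Description 'RDP from operator host only'

# Step 4 precheck: the port answers again from the allowed address (expect True).
Write-Host "RDP port reachable from allowed IP: $(Test-NetConnection -ComputerName $InstanceIp -Port $RdpPort -InformationLevel Quiet)"
```

The backup file written in the first step is what you restore from if a revoked rule turns out to have been needed; each entry carries the same IpProtocol, PortRange, SourceCidrIp, Policy and Priority values that AuthorizeSecurityGroup takes.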

How do I simplify the process of modifying security group rules if the IP address of my host frequently changes and I need to frequently modify the security group rules?

If the public IP address of your host changes frequently, use Workbench or Alibaba Cloud Client as the connection tool so that you do not have to edit the security group rules by hand each time.

  • Workbench: When you use Workbench to connect to an ECS instance, you only need to allow Workbench-related IP addresses to access RDP in the security groups to which the instance belongs. You do not need to configure loose rules in the security groups. For information about how to connect to a Windows ECS instance by using Workbench, see Use Workbench to connect to a Windows instance over RDP.

  • Alibaba Cloud Client: If the IP address of your host changes and is blocked by a security group when you use Alibaba Cloud Client to connect to an ECS instance, you are prompted to add a security group rule. Alibaba Cloud Client allows you to obtain the IP address of your host and add the required security group rule with one click. This simplifies the configuration of security group rules. For information about how to connect to a Windows ECS instance by using Alibaba Cloud Client, see the Connect to a Windows instance over RDP section of the "Use Alibaba Cloud Client to manage ECS instances" topic.

Step 4: Verify that you can use an RDP client to connect to the Windows ECS instance

Use an RDP client to connect to the Windows ECS instance, and check whether the rules in the security groups to which the instance belongs are in effect and the account of the instance is unlocked.

If the account is still locked when you connect to the Windows ECS instance, you can manually change the Windows account lockout policy. For more information, see the Change the Windows account lockout policy section of this topic.

Related operations

To change the Windows account lockout policy, such as the account lockout threshold and the account lockout duration, perform the following steps.

Change the Windows account lockout policy

Warning

The account locking mechanism is a built-in security mechanism of Windows. To prevent system security risks, do not disable the mechanism.

  1. Connect to the Windows ECS instance by using VNC as described in Step 2.

  2. Go to the Windows Account Lockout Policy page.

    1. Right-click the Start icon and select Run. In the Run dialog box, enter gpedit.msc and click OK to start Local Group Policy Editor.

      image

    2. In the Local Group Policy Editor window, choose Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. On the page that appears, change the Windows account lockout policy.

      image

      The following parameters are available:

      Allow Administrator account lockout: Determines whether the built-in Administrator account is subject to the lockout policy. If you disable this policy, the Administrator account is never locked out, which leaves it open to unlimited password guessing. Keep it enabled, and use security groups to restrict the hosts that can access the Windows ECS instance instead.

      Account lockout duration: The number of minutes for which the account stays locked after the number of consecutive failed logons reaches the account lockout threshold.

        Note

        A value of 0 specifies that the account stays locked until an administrator unlocks it manually.

      Account lockout threshold: The number of consecutive failed logons after which the account is locked.

        Warning

        Do not set the account lockout threshold to 0. A value of 0 specifies that the account is never locked, so an attacker can guess the password of the instance without limit.

      Reset account lockout counter after: The number of minutes after the last failed logon before the failed-logon counter is reset to zero. For example, if you set the policy to 20 minutes and no further failed logons occur within 20 minutes, the earlier failed logons are no longer counted. This value must be less than or equal to the account lockout duration.
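The three numeric values in the table above can also be inspected and changed from the command line with net accounts, which writes the same local policy that Local Group Policy Editor shows. The following PowerShell script is an added example, not code from the Alibaba Cloud page; it assumes an elevated session on the instance (for example over VNC), an English-language Windows so that the net accounts labels match, and example values of 10 attempts, a 30-minute lockout and a 30-minute reset window. It refuses a threshold of 0 and enforces the rule that the reset window may not exceed the lockout duration. The "Allow Administrator account lockout" setting is not covered by net accounts and is changed only in the policy editor.

```powershell
# Added example, not from the Alibaba Cloud page: view and set the local account
# lockout policy with net accounts (run elevated, English-language Windows assumed).

function Get-LockoutPolicy {
    # Parse the three "Lockout ..." lines of `net accounts` into an ordered table.
    $policy = [ordered]@{}
    foreach ($line in (net accounts)) {
        if     ($line -match '^Lockout threshold:\s+(\S+)')                     { $policy.Threshold       = $Matches[1] }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)')          { $policy.DurationMinutes = $Matches[1] }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $policy.WindowMinutes   = $Matches[1] }
    }
    $policy   # Threshold reads "Never" when lockout is disabled (value 0)
}

function Set-LockoutPolicy {
    param(
        [int]$Threshold       = 10,   # consecutive failed logons before lockout
        [int]$DurationMinutes = 30,   # how long the account stays locked
        [int]$WindowMinutes   = 30    # minutes of quiet after which the failure counter resets
    )
    # A threshold of 0 disables lockout entirely and invites password guessing.
    if ($Threshold -le 0) { throw 'Refusing to set a lockout threshold of 0 (never lock).' }
    # Windows requires the reset window to be no longer than the lockout duration.
    if ($WindowMinutes -gt $DurationMinutes) { throw 'Reset window must not exceed the lockout duration.' }

    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE (is the session elevated?)" }
    Get-LockoutPolicy
}

Write-Host 'Current policy:'
Get-LockoutPolicy | Format-Table -AutoSize

Write-Host 'Policy after applying the example values (10 attempts, 30 min lockout, 30 min reset):'
Set-LockoutPolicy -Threshold 10 -DurationMinutes 30 -WindowMinutes 30 | Format-Table -AutoSize
```

Raising the threshold or shortening the duration only makes an exposed RDP port easier to brute-force; the policy is a backstop, and the security group rules from the solution procedure remain the primary control.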

Suggestions on how to improve Windows security