All Products
Search
Document Center

Elastic Compute Service:What do I do if my account is locked due to too many logon or password change attempts when I connect to a Windows instance through Remote Desktop?

Last Updated:Nov 12, 2024

This topic describes how to resolve the following error when you connect to a Windows Elastic Compute Service (ECS) instance through Remote Desktop: As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts.

Problem description

An error stating "As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts" appears when you connect to a Windows ECS instance through Remote Desktop. The detailed error message is shown below:

2023-02-15_10-26-20

Cause

In a Windows ECS instance, if the user lockout policy is configured in a system group policy, entering incorrect passwords too many times triggers an account lock. If this happens, you will not be able to log on to the instance through Remote Desktop.

Solution

Step 1: Confirm whether you need to reset the instance password

Reset the instance password if you forget the correct one. For more information, see Reset the logon password of an instance.

Step 2: Continue trying to log on to the instance, or wait for it to unlock automatically

  • If immediate instance logon or unlocking is not required, you can wait for the automatic unlock (default lock for 10 minutes) before reconnecting to the Windows instance.

  • If you need to log on to the instance immediately or want to modify its lockout policies, follow the steps below. In this example, Windows Server 2016 is used. You can apply similar steps to other operating systems.

    1. Access the Windows instance by using VNC.

      For more information, see Connect to an instance by using VNC.

      Note

      Note that only administrator accounts have the permission to modify lockout policies. Ensure you are logged on as an administrator when accessing the Windows instance.

    2. To prevent future lockout prompts, refer to the following adjustments to the lockout policy:

      1. Right-click Start and select Run (R). In the Run dialog, type gpedit.msc and click OK to open the Local Group Policy Editor. 系统运行.png

      2. In the Local Group Policy Editor, choose Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

        To disable the account lockout policy, try one of the following methods:

        • Method 1: To unlock both administrator and other user accounts, double-click Account Lockout Threshold, set the Account Lockout Threshold to 0, and then select OK. 方法一修改锁定阈值.png

        • Method 2: To unlock administrator accounts only, double-click Allow Administrator Account Lockout, choose Disabled, and then click OK. 方法二修改账户锁定.png

      3. Use Remote Desktop to reconnect to the Windows instance and verify that you can log on to the instance.

Step 3: (Optional) Enhance network security

Account lockouts may also result from unauthorized brute-force attempts. We recommend that you restrict remote logon port access (typically port 3389) to trusted IP addresses, such as your public IP addresses or those within your organization that require instance access. For more information, see Add a security group rule.