This topic describes how to resolve the following error when you connect to a Windows Elastic Compute Service (ECS) instance through Remote Desktop: As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts.
Problem description
An error stating "As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts" appears when you connect to a Windows ECS instance through Remote Desktop. The detailed error message is shown below:
Cause
In a Windows ECS instance, if the user lockout policy is configured in a system group policy, entering incorrect passwords too many times triggers an account lock. If this happens, you will not be able to log on to the instance through Remote Desktop.
Solution
Step 1: Confirm whether you need to reset the instance password
Reset the instance password if you forget the correct one. For more information, see Reset the logon password of an instance.
Step 2: Continue trying to log on to the instance, or wait for it to unlock automatically
If immediate instance logon or unlocking is not required, you can wait for the automatic unlock (default lock for 10 minutes) before reconnecting to the Windows instance.
If you need to log on to the instance immediately or want to modify its lockout policies, follow the steps below. In this example, Windows Server 2016 is used. You can apply similar steps to other operating systems.
Access the Windows instance by using VNC.
For more information, see Connect to an instance by using VNC.
NoteNote that only administrator accounts have the permission to modify lockout policies. Ensure you are logged on as an administrator when accessing the Windows instance.
To prevent future lockout prompts, refer to the following adjustments to the lockout policy:
Right-click Start and select Run (R). In the Run dialog, type
gpedit.msc
and click OK to open the Local Group Policy Editor.In the Local Group Policy Editor, choose Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
To disable the account lockout policy, try one of the following methods:
Method 1: To unlock both administrator and other user accounts, double-click Account Lockout Threshold, set the Account Lockout Threshold to 0, and then select OK.
Method 2: To unlock administrator accounts only, double-click Allow Administrator Account Lockout, choose Disabled, and then click OK.
Use Remote Desktop to reconnect to the Windows instance and verify that you can log on to the instance.
Step 3: (Optional) Enhance network security
Account lockouts may also result from unauthorized brute-force attempts. We recommend that you restrict remote logon port access (typically port 3389) to trusted IP addresses, such as your public IP addresses or those within your organization that require instance access. For more information, see Add a security group rule.