.png)
How to Fix Windows RDP Account Locked Out Error
Overview
If you are unable to log in to your server via Remote Desktop Protocol (RDP) and are seeing an account lockout error, it is because Windows has a default security policy that automatically locks user accounts after a certain number of failed login attempts. This is designed to protect your server from unauthorized access, but it can also lock you out unintentionally.
This article explains how to access the Account Lockout Policy through the Group Policy Editor and adjust or disable it to regain access to your server.
Error Message
When this issue occurs, you will see the following error message when attempting to connect via RDP:
"As a security precaution, the user account has been locked out because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support."
Why Does This Happen?
Windows Server includes a built-in Account Lockout Policy as a security measure. By default, this policy is configured to temporarily lock a user account after a set number of failed login or password change attempts. Once locked, the account cannot be used until either the lockout duration has passed or an administrator manually unlocks it.
Common reasons this error occurs include:
- Mistyping your password multiple times when connecting via RDP.
- An outdated or cached set of credentials being used automatically by your system.
- Multiple users or automated processes attempting to log in with incorrect credentials.
Prerequisites
Before you begin, make sure the following conditions are met:
- You have Administrator access to the Windows Server. You will need to be logged in locally or via another administrator account to make changes.
- You are working directly on the server, or you have another active RDP session with administrator privileges. If your only account is locked, you will need to access the server through another method (e.g., the hosting provider's console or a KVM connection).
Step-by-Step Instructions
The steps below will guide you through opening the Group Policy Editor and navigating to the Account Lockout Policy, where you can adjust or disable the lockout threshold.
Step 1: Open the Group Policy Editor
The Group Policy Editor is a built-in Windows tool that allows you to manage system-wide settings, including security policies.
- Press the Windows key + R on your keyboard to open the Run dialog box.
- Type the following command and press Enter:
gpedit.msc
- The Local Group Policy Editor window will open.
Step 2: Navigate to Computer Configuration
In the left-hand panel of the Group Policy Editor, you will see a folder tree. Locate and expand the Computer Configuration folder. This section contains settings that apply to the entire computer, regardless of which user is logged in.
Path: Computer Configuration
Step 3: Expand Windows Settings
Inside Computer Configuration, locate and expand the Windows Settings folder. This section contains policies that are specific to the Windows operating system.
Path: Computer Configuration → Windows Settings
Step 4: Open Security Settings
Within Windows Settings, expand the Security Settings folder. This is where all security-related policies for your server are managed, including password and account lockout rules.
Path: Computer Configuration → Windows Settings → Security Settings
Step 5: Navigate to Account Policies
Inside Security Settings, expand the Account Policies folder. This section contains the policies that govern how user accounts behave, including password requirements and lockout rules.
Path: Computer Configuration → Windows Settings → Security Settings → Account Policies
Step 6: Open Account Lockout Policy
Inside Account Policies, click on the Account Lockout Policy folder. This will display the lockout-related settings in the right-hand panel of the Group Policy Editor.
Path: Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
You should now see three settings listed:
- Account lockout duration — How long the account stays locked before it is automatically unlocked.
- Account lockout threshold — The number of failed login attempts before the account is locked.
- Reset account lockout counter after — How long before the failed login attempt counter resets back to zero.
Step 7: Adjust the Account Lockout Threshold
The Account lockout threshold is the key setting that controls when an account gets locked out. You can modify this value based on your needs.
- In the right-hand panel, double-click on Account lockout threshold.
- A settings dialog will appear showing the current value.
- Change the value to your preferred number (see the options below) and click OK to save.
Configuration Options
Depending on your needs, you can choose one of the following approaches after opening the Account Lockout Policy settings:
Disable Account Lockouts Entirely
If you want to prevent accounts from ever being locked out automatically, set the Account lockout threshold to 0. This completely disables the lockout policy.
Note: Disabling account lockouts removes an important layer of security from your server. Only do this if you are aware of the risks and are using other methods to secure your server (e.g., strong passwords, IP whitelisting, or two-factor authentication).
Increase the Lockout Threshold
If you want to keep the lockout policy active but allow more failed attempts before an account is locked, set the threshold to a higher number. A value between 10 and 15 is a common choice, as it provides a reasonable balance between security and flexibility.
Reduce the Lockout Duration
If you want accounts to be automatically unlocked sooner after being locked out, you can reduce the Account lockout duration. This value is set in minutes. For example, setting it to 5 minutes means the account will automatically unlock after 5 minutes of being locked.
Reset the Lockout Counter
The Reset account lockout counter after setting controls how long Windows waits before resetting the failed login attempt counter back to zero. For example, if this is set to 30 minutes, the counter will reset after 30 minutes of no failed attempts, even if the threshold has not been reached.
Applying the Changes
Changes made in the Group Policy Editor may not take effect immediately. To force the changes to apply right away, you can do one of the following:
- Restart the server — This will apply all pending Group Policy changes.
- Run a manual Group Policy refresh — Open Command Prompt as Administrator and run the following command:
gpupdate /force
This will update both computer and user Group Policy settings without requiring a full restart.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| The Group Policy Editor does not open | The gpedit.msc command is not available on your edition of Windows |
Group Policy Editor is only available on Pro and Enterprise editions. If you are on Home edition, use the Registry Editor (regedit.exe) as an alternative |
| Changes do not take effect after saving | Group Policy has not refreshed | Run gpupdate /force in Command Prompt or restart the server |
| The account is still locked after changing the policy | The account was locked before the policy change was applied | The existing lockout will still need to expire or be manually cleared. You can unlock the account via Active Directory Users and Computers or by waiting for the lockout duration to pass |
| You cannot access the server at all to make changes | Your only administrator account is locked and you have no other way in | Contact your hosting provider's support team for console or KVM access to the server |
Need Help?
If you have followed the steps above and are still experiencing issues, please contact our support team. Be sure to include the following details in your request:
- Your Windows Server version and edition
- A description of the issue you are experiencing
- Any error messages you have received during the process
