Remote Desktop: A user account restriction is preventing…

Published by Nyau Wai Hoe - Updated on

Remote Desktop Connection (RDP) is a powerful feature in Windows 11 and Windows 10, allowing users to connect to a computer remotely. However, at times, users might encounter errors that prevent them from accessing a system using RDP. One such common error message reads: “A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.” This article aims to provide in-depth solutions for resolving this error, prioritizing methods related to setting a password for the user account, disabling the blank password check, and then covering other potential solutions.

Also see: Windows 11 Remote Desktop “An authentication error has occurred”

Remote Desktop A user account restriction time-of-day restriction preventing logging in

Fixing “A user account restriction” error in Remote Desktop

1. Setting a password for the user account

One of the most common reasons for encountering the RDP error related to user account restrictions is attempting to remotely connect to an account that has no password set. RDP has a security feature that, by default, denies remote access to accounts with blank passwords.

How to set a password for the user:

  1. Press the Windows key or click on the Start button.
  2. Type “Computer Management” and select it from the results to open.Open Computer Management Windows 11
  3. In the Computer Management window, expand the System Tools tab.
  4. Click on Local Users and Groups, then select Users.
  5. Locate and right-click the user account you want to set a password for, and choose Set Password.Fixing A user account restriction error in Remote Desktop
  6. Read the warning prompt, click Proceed, then enter the new password, confirm it, and click OK.

By ensuring all accounts have a password, you not only solve the RDP issue but also enhance the security of the system.

Related resource: Disable Network Level Authentication in Windows 11 or 10

2. Allow blank passwords for Remote Desktop Connection

If for some reason you wish to allow RDP connections to accounts with blank passwords, you can disable the blank password check. This can be done through either the Local Group Policy Editor or the Registry Editor. However, please be cautious as this reduces the security of the system.

Using local group policy editor:

  1. Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.Open group policy editor via Run command in Windows 11
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  3. Locate the policy named “Accounts: Limit local account use of blank passwords to console logon only” and double-click on it.
  4. Change the setting to Disabled.Allow Blank Passwords for Remote Desktop Connection
  5. Click OK and close the Local Group Policy Editor.
  6. To apply the changes immediately, open Command Prompt and type gpupdate /force and press Enter.

Using registry editor:

  1. Press Windows + R, type regedit, and press Enter to open the Registry Editor.Open Registry Editor
  2. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa.
  3. Find the DWORD named LimitBlankPasswordUse. If it doesn’t exist, right-click, select New, then DWORD (32-bit) Value, and name it LimitBlankPasswordUse.
  4. Double-click on LimitBlankPasswordUse and set its value to 0.Limit Blank Password Windows 11 Remote Desktop
  5. Close the Registry Editor and restart your computer for changes to take effect.

Note: It’s important to backup your registry before making any changes. Modifying the registry incorrectly can lead to system instability or malfunctions.

Pro tip: How to Open an RDP Connection via CMD in Windows 11

3. Time-of-day restrictions

Sometimes, administrators set time-of-day restrictions to limit when certain users can log into the system. If you’re trying to access the system outside these allowed hours, you’ll encounter the “A user account restriction” RDP error. The option to set login hours is primarily a feature available for domain user accounts through Active Directory Users and Computers on a domain controller.

How to check and modify login hours:

  1. Open Active Directory Users and Computers.
  2. Locate the user’s account, right-click, and select Properties.
  3. Go to the Account tab and click on Logon Hours to view or adjust the permissible times.

A user account restriction time-of-day restriction RDP

4. Account is locked out

Multiple failed login attempts can result in an account being locked out for security reasons.

How to address account lockout:

  1. On the Remote Computer:
    1. Press Windows + R, type lusrmgr.msc, and press Enter to open Local Users and Groups.
    2. Click on Users, then double-click on the account you’re concerned about.
    3. Ensure the Account is locked out option is unchecked.Account is locked out Windows 11
  2. On a Domain Controller:
    1. Open Active Directory Users and Computers.
    2. Find and right-click on the user’s account, then choose Properties.
    3. Navigate to the Account tab and ensure the Account is locked out option is unchecked.

Related guide: How to Remote Desktop Over The Internet in Windows 11

5. Group policy restrictions

There might be Group Policy settings that are restricting RDP access either for the user or the machine.

How to check group policy settings:

  1. Open gpedit.msc to access the Local Group Policy Editor.
  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  3. Check policies like “Deny log on through Remote Desktop Services” to ensure the user isn’t listed there.Deny log on through Remote Desktop Services Windows 11
  4. If the user is listed, remove them to grant RDP access.A user account restriction is preventing you from logging in

6. Password complexity requirements

Windows can have policies that enforce strong password complexity rules. If the account’s password doesn’t adhere to these rules, RDP connections might be denied.

How to check password policies:

  1. Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
  3. Review the policies, especially “Password must meet complexity requirements.” If it’s enabled, passwords must adhere to specific rules, such as the inclusion of uppercase and lowercase letters, numbers, and special symbols.Windows 11 Remote Desktop Password must meet complexity requirements

Conclusion

When encountering the error “A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support,” it’s frequently linked to a user account not having a set password. In many instances, merely establishing a password for the user in question or permitting RDP logins with blank passwords can resolve the issue. This often addresses the core of the problem, especially for non-domain environments.

However, when working within a domain setting, the error can be triggered by several reasons, including time-of-day restrictions, Group Policy configurations, or specific user-rights assignments. It’s essential to carefully review and address each potential cause.



Nyau Wai Hoe
Nyau Wai Hoe is the Founder and Chief Editor of WindowsDigitals.com. With a degree in software engineering and over 12 years of experience in the tech support industry, Nyau has established himself as an expert in the field, with a primary focus on the Microsoft Windows operating system. As a tech enthusiast, he loves exploring new technologies and leveraging them to solve real-life problems.

Share via
Copy link