Remote Desktop Connection (RDP) is a powerful feature in Windows 11 and Windows 10, allowing users to connect to a computer remotely. However, at times, users might encounter errors that prevent them from accessing a system using RDP. One such common error message reads: “A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.” This article aims to provide in-depth solutions for resolving this error, prioritizing methods related to setting a password for the user account, disabling the blank password check, and then covering other potential solutions.
Fixing “A user account restriction” error in Remote Desktop
1. Setting a password for the user account
One of the most common reasons for encountering the RDP error related to user account restrictions is attempting to remotely connect to an account that has no password set. RDP has a security feature that, by default, denies remote access to accounts with blank passwords.
How to set a password for the user:
- Press the Windows key or click on the Start button.
- Type “Computer Management” and select it from the results to open.
- In the Computer Management window, expand the System Tools tab.
- Click on Local Users and Groups, then select Users.
- Locate and right-click the user account you want to set a password for, and choose Set Password.
- Read the warning prompt, click Proceed, then enter the new password, confirm it, and click OK.
By ensuring all accounts have a password, you not only solve the RDP issue but also enhance the security of the system.
2. Allow blank passwords for Remote Desktop Connection
If for some reason you wish to allow RDP connections to accounts with blank passwords, you can disable the blank password check. This can be done through either the Local Group Policy Editor or the Registry Editor. However, please be cautious, as this reduces the security of the system: once the check is disabled, any local account with an empty password can be used for remote logon, not just the one you intended.
Using local group policy editor:
- Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Locate the policy named “Accounts: Limit local account use of blank passwords to console logon only” and double-click on it.
- Change the setting to Disabled.
- Click OK and close the Local Group Policy Editor.
- To apply the changes immediately, open Command Prompt, type gpupdate /force, and press Enter.
Using registry editor:
- Press Windows + R, type regedit, and press Enter to open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa.
- Find the DWORD named LimitBlankPasswordUse. If it doesn’t exist, right-click, select New, then DWORD (32-bit) Value, and name it LimitBlankPasswordUse.
- Double-click on LimitBlankPasswordUse and set its value to 0.
- Close the Registry Editor and restart your computer for changes to take effect.
Note: It’s important to back up your registry before making any changes. Modifying the registry incorrectly can lead to system instability or malfunctions.
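The checks from sections 1 and 2 can also be run from PowerShell. The script below is an added example, not part of the original article: it reports the current state of the blank-password check and lists enabled local accounts that are allowed an empty password. The function names and the account name rdpuser are placeholders chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the remote computer.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-BlankPasswordPolicy {
    # Reads the value that backs "Accounts: Limit local account use of blank
    # passwords to console logon only".
    $item = Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        'LimitBlankPasswordUse is not present in the registry'
    } elseif ($item.LimitBlankPasswordUse -eq 0) {
        'Policy Disabled (0): blank-password accounts can be used for remote logon'
    } else {
        'Policy Enabled: blank-password accounts are limited to console logon'
    }
}

function Get-WeakLocalAccount {
    # Enabled local accounts that are allowed an empty password, or that have
    # never had a password set.
    Get-LocalUser |
        Where-Object { $_.Enabled -and ((-not $_.PasswordRequired) -or ($null -eq $_.PasswordLastSet)) } |
        Select-Object Name, PasswordRequired, PasswordLastSet
}

function Set-RdpAccountPassword([string]$Name) {
    # Section 1 fix: prompt for the password so it never appears in history.
    $password = Read-Host -Prompt "New password for $Name" -AsSecureString
    Set-LocalUser -Name $Name -Password $password
}

function Restore-BlankPasswordLimit {
    # Re-enables the check that section 2 turns off (1 = policy Enabled).
    Set-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -Value 1 -Type DWord
}

Get-BlankPasswordPolicy
Get-WeakLocalAccount
# Set-RdpAccountPassword -Name 'rdpuser'   # placeholder account name
# Restore-BlankPasswordLimit
```

If the check was disabled only to get past the error, setting a password on the account and calling Restore-BlankPasswordLimit returns the system to the restricted state.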
3. Time-of-day restrictions
Sometimes, administrators set time-of-day restrictions to limit when certain users can log into the system. If you’re trying to access the system outside these allowed hours, you’ll encounter the “A user account restriction” RDP error. The option to set login hours is primarily a feature available for domain user accounts through Active Directory Users and Computers on a domain controller.
How to check and modify login hours:
- Open Active Directory Users and Computers.
- Locate the user’s account, right-click, and select Properties.
- Go to the Account tab and click on Logon Hours to view or adjust the permissible times.
4. Account is locked out
Multiple failed login attempts can result in an account being locked out for security reasons.
How to address account lockout:
- On the remote computer:
  - Press Windows + R, type lusrmgr.msc, and press Enter to open Local Users and Groups.
  - Click on Users, then double-click on the account you’re concerned about.
  - Ensure the Account is locked out option is unchecked.
- On a domain controller:
  - Open Active Directory Users and Computers.
  - Find and right-click on the user’s account, then choose Properties.
  - Navigate to the Account tab and ensure the Account is locked out option is unchecked.
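For domain accounts, the logon-hours check from section 3 and the lockout check from section 4 can be combined in one query. This is an added example, not from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and jdoe is a placeholder account name. The logonHours attribute is a 21-byte bitmap with one bit per hour of the week in UTC, starting at Sunday 00:00.

```powershell
# Added example. Requires the ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Test-LogonHourAllowed {
    param(
        [byte[]]$LogonHours,
        [datetime]$When = (Get-Date)
    )
    # An unset attribute means no time-of-day restriction applies.
    if ($null -eq $LogonHours -or $LogonHours.Count -eq 0) { return $true }

    # The bitmap is stored in UTC: bit 0 of byte 0 is Sunday 00:00-00:59.
    $utc       = $When.ToUniversalTime()
    $hourIndex = ([int]$utc.DayOfWeek * 24) + $utc.Hour      # 0..167
    $byte      = $LogonHours[[int][math]::Floor($hourIndex / 8)]
    return [bool]($byte -band (1 -shl ($hourIndex % 8)))
}

$user = Get-ADUser -Identity 'jdoe' -Properties LockedOut, logonHours, Enabled

[pscustomobject]@{
    Account         = $user.SamAccountName
    Enabled         = $user.Enabled
    LockedOut       = $user.LockedOut
    HasLogonHours   = $null -ne $user.logonHours
    LogonAllowedNow = Test-LogonHourAllowed -LogonHours $user.logonHours
}

# Clears the lockout, equivalent to unchecking "Account is locked out":
# Unlock-ADAccount -Identity 'jdoe'
```

Because the bitmap is stored in UTC, a restriction that looks correct in the Logon Hours dialog can still reject a logon that falls outside the window once the local time zone offset is applied.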
5. Group policy restrictions
There might be Group Policy settings that are restricting RDP access either for the user or the machine.
How to check group policy settings:
- Open gpedit.msc to access the Local Group Policy Editor.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Check policies like “Deny log on through Remote Desktop Services” to ensure the user isn’t listed there.
- If the user is listed, remove them to grant RDP access.
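The same user-rights check can be done from the command line by exporting the policy with secedit and resolving the listed SIDs to account names. This is an added example, not from the original article; the temporary file name and the Resolve-Principal helper are chosen for illustration, and the allow right is included alongside the deny right for comparison.

```powershell
# Added example. Run elevated on the computer you are trying to reach.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs with a leading '*'; other entries are account names.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = [System.Security.Principal.SecurityIdentifier]::new($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID that no longer resolves to an account
}

$rights = @{
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
}

# A right with no members does not appear in the export at all.
foreach ($line in Get-Content -Path $cfg) {
    $name, $value = $line -split '\s*=\s*', 2
    if ($rights.ContainsKey($name)) {
        $principals = $value -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
        [pscustomobject]@{
            Policy     = $rights[$name]
            Principals = $principals -join '; '
        }
    }
}

Remove-Item -Path $cfg
```

A user is affected if their own account or any group they belong to appears under the deny right, so check group membership as well as the account name.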
6. Password complexity requirements
Windows can have policies that enforce strong password complexity rules. If the account’s password doesn’t adhere to these rules, RDP connections might be denied.
How to check password policies:
- Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
- Review the policies, especially “Password must meet complexity requirements.” If it’s enabled, passwords must adhere to specific rules, such as the inclusion of uppercase and lowercase letters, numbers, and special symbols.
Conclusion
When encountering the error “A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support,” it’s frequently linked to a user account not having a set password. In many instances, merely establishing a password for the user in question or permitting RDP logins with blank passwords can resolve the issue. This often addresses the core of the problem, especially for non-domain environments.
However, when working within a domain setting, the error can be triggered by several reasons, including time-of-day restrictions, Group Policy configurations, or specific user-rights assignments. It’s essential to carefully review and address each potential cause.