How to resolve "user account locked" errors
Symptoms
When you remotely connect to a Windows instance using a tool such as RDP, Workbench, or the Microsoft Remote Desktop app, you receive an error message similar to "The user account has been locked because there were too many logon attempts or password change attempts."
RDP
When you connect by using RDP, the following error message appears: "The user account has been locked because there were too many logon attempts or password change attempts. Please wait a moment and try again, or contact your system administrator or technical support." Click OK to close the dialog box.
Workbench
When you log on to a Windows instance by using Workbench, if you repeatedly enter an incorrect password, an Instance Login Failed dialog box appears, indicating that the account is locked or disabled. You can click the View solutions for a disabled account link for help, wait for a moment and then click Retry, click Connect to the instance by using VNC to switch the connection method, or click Reset Password to reset the instance password.
Windows app
When you connect by using the Microsoft Remote Desktop app, if the user account is locked due to excessive logon or password change attempts, a Couldn't connect error with error code 0xd07 appears. In this case, wait a moment and try again, or contact your network administrator for assistance.
Cause
This issue occurs because a built-in security policy automatically locks the account to prevent brute-force attacks after excessive incorrect password attempts.
-
Multiple incorrect password attempts: The number of failed logon attempts has exceeded the account lockout threshold.
-
Potential brute-force attack: The instance may be vulnerable to an external brute-force attack due to an exposed port. This requires immediate investigation.
Procedure
Step 1: Isolate the instance and block RDP access
Immediately block all external logon attempts to prevent ongoing attacks while you unlock the account.
-
Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target instance.
-
Click the ID of the target instance to open its details page.
-
Click the tab, and then click the security group ID to go to the security group details page.
-
Disable the security group rule for the RDP port.
Delete all inbound rules that allow access to the RDP port (default:
3389), or change their action to Deny.ImportantWe recommend recording the original security group settings before you make changes to restore them later.
Step 2: Log on with VNC to unlock account
A single successful VNC logon automatically unlocks the account.
-
On the instance details page, click . In the VNC section, click Log On.
-
Log on to Windows.
-
In the VNC window, click in the upper-left corner to unlock the screen.
-
Select the user account (default: Administrator), enter the instance password, and then log on to Windows.
If you have not set a password or have forgotten it, you can click More > Reset Instance Password on the instance details page.
-
Step 3: Restore RDP access
Allow RDP access only from trusted IP addresses. If your local machine's public IP address is not fixed, we recommend connecting to your instance using the Workbench terminal or the Alibaba Cloud Client. These tools can automatically configure security group rules and help you avoid frequent manual modifications.
-
Identify the public IP addresses or CIDR blocks that you want to allow.
In a browser, visit
https://cip.ccto obtain the public IP address of your local machine for subsequent security group configuration. -
Manually modify the security group rule.
On the security group details page, on the Inbound rules tab, click Add Rule. Configure a rule to allow only specific public IP addresses or CIDR blocks to connect to the instance over RDP.
Policy
Priority
Protocol
Destination
Source
Allow
1
Custom TCP
RDP (3389)
The default port is 3389. If you changed the port, update this value based on your actual configuration.
Set this to the public IP address or CIDR block you identified.
ImportantNever set the source to
0.0.0.0/0. Exposing the RDP port to the internet makes the instance highly vulnerable to brute-force attacks, which can lead to repeated account lockouts.
Step 4: Verify the RDP connection
Use an RDP client to connect to the instance and verify that you can log on successfully.
Security recommendations
-
Change the default remote port. We recommend that you change the default RDP port from
3389to a non-standard port to reduce the attack surface from port scanning. -
Use strong passwords. Set complex passwords and rotate them regularly to mitigate brute-force attacks.