Account Restrictions Are Preventing This User From Signing In

Hello World,

In the previous post, we described a small issue that users can encounter when using mstsc.exe and its switches in the wrong way. In this post, we look at how an end user or an administrator can be blocked when trying to use the Remote Desktop Services technology if your security guys have hardened your servers and workstations too much.

Let’s quickly explain the problem and the quick fix for this situation.

Account restrictions are preventing this user from signing in. For example, blank Passwords are not allowed, sign-in times are limited or a policy restriction has been enforced.

The Problem

  1. The "Accounts: Limit local account use of blank passwords to console logon only" policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords.
  2. Failed to fix-up absolute VHD paths in configuration of virtual machine 'Exchange': Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. (Virtual machine ID E26C9A7B-8DDC-4775-AD85-13F2AACF51AF)

We have been deploying a 2012 R2 RDS infrastructure, and some of the administrators need from time to time to open a Remote Desktop Connection to other servers for administration purposes. A user with administrative rights was trying to open a remote desktop connection from a Windows 2012 server, and it failed with the following error message:

Account restrictions are preventing this user from signing in. For example, blank Passwords are not allowed, sign-in times are limited or a policy restriction has been enforced.

If you have deployed Windows 8 (or later) in your infrastructure, end users accessing the RemoteApp infrastructure might also end up with the same situation.

As a first debugging step, the user checked that:

  • the password was not blank
  • the password was not expired and the account was not locked out
  • the rights to access servers remotely were granted

Everything was OK, and still the user was not able to connect to the server… What was happening?

The Solution

Basically, there is a new Group Policy setting that can prevent a system from passing credentials to a remote server. This was exactly the issue. As I said, our security team (more focused on blocking access to systems than on helping us provide good service to our customers) decided, without discussing it with us, to apply this new Group Policy setting.

There is indeed a new setting, available in Windows 8/Windows 2012 and later, called “Restrict delegation of credentials to remote servers”.

When this setting is enabled on the machine from which you are trying to launch the remote desktop client (and not on the target remote server), you will receive the error message we have seen above.

So, if you encounter such a message and you are using a recent operating system, you can be sure that your security team has been messing around with this new GPO.
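To confirm on the client whether “Restrict delegation of credentials to remote servers” is actually applied, the following added example (not part of the original post) reads the registry values that back this policy. The function name is illustrative; the key and value names are the ones the Credentials Delegation policy template writes.

```powershell
# Added example (not from the original post). Run it on the machine that
# launches mstsc.exe, since that is where the setting takes effect.
function Get-RestrictedDelegationPolicy {
    [CmdletBinding()]
    param(
        # Registry key behind Computer Configuration > Administrative Templates >
        # System > Credentials Delegation.
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    )

    # Meaning of RestrictedRemoteAdministrationType when the policy is enabled.
    $modes = @{
        1 = 'Require Restricted Admin'
        2 = 'Require Remote Credential Guard'
        3 = 'Restrict credential delegation'
    }

    # Read one DWORD from the key; $null when the key or the value is absent.
    $read = {
        param($name)
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.$name } else { $null }
    }
    $flag = & $read 'RestrictedRemoteAdministration'
    $type = & $read 'RestrictedRemoteAdministrationType'

    $state = if ($null -eq $flag) { 'Not configured' } elseif ($flag -eq 1) { 'Enabled' } else { 'Disabled' }

    # Older policy templates have no mode drop-down; enabling the policy there
    # means Restricted Admin is required.
    $mode = if ($state -ne 'Enabled') {
        'n/a'
    } elseif ($null -eq $type) {
        'Require Restricted Admin (mode value absent)'
    } elseif ($modes.ContainsKey($type)) {
        $modes[$type]
    } else {
        "Unknown ($type)"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyState  = $state
        Mode         = $mode
    }
}

Get-RestrictedDelegationPolicy | Format-List
```

A `PolicyState` of `Enabled` on the client matches the situation described above; `Not configured` means the cause of the error lies elsewhere.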

Final Notes

Implementing new group policies without testing and coordinating between teams can have an important impact on your infrastructure. In our case, we had users not being able to connect to the RemoteApp infrastructure because of this Group policy setting. As we are working in a large and distributed environment, it took us about 5 hours to revert back to a normal situation.

We were not happy with this change…

Now you know as well. So, if you ever get this kind of error message, you know what to do (disable this GPO and you should be good to go!)

Till next time

See ya

Lesson 9: Managing User Accounts and Parental Controls

Managing user accounts and parental controls

A user account allows you to sign in to Windows 10. By default, your computer already has one user account, which you were required to create when setting up Windows for the first time. But if you plan to share your computer, you can create a separate user account for each member of your home or office.

Connecting users to a Microsoft account will help them get the most out of Windows. But if a user prefers not to create a Microsoft account, you can also add a local user account that exists only on your computer.

Note that you must be signed in as an Administrator (the first user account created on your computer) to add a new user.

To add a new user (with a Microsoft account):

  1. Open the Settings app, then select Accounts.
  2. Select Family & other users. Scroll down to the Other Users section, then choose Add someone else to this PC.
  3. If the new user already has a Microsoft account, enter the associated email address, then click Next.
  4. The user can then sign in to the computer with his or her Microsoft account information. Note that it may take several minutes to configure a user's settings when logging in with a Microsoft account for the first time.

To add a new local user (without a Microsoft account):

  1. From the Account settings, click Add someone else to this PC.
  2. Select The person I want to add doesn't have an email address.
  3. The account creation screen will appear. Select Add a user without a Microsoft account.
  4. Enter an account name, then type the desired password. It's important to choose a strong password—in other words, one that is easy to remember but difficult for others to guess. For more information, check out Password Tips in our Tech Savvy Tips and Tricks tutorial. When you're finished, click Next.
  5. The local user can then sign in to the computer with this account information.

Signing out and switching users

If you're finished using your account, you can sign out. To do this, click the Start button, select the current account in the top-left corner, then choose Sign out. Other users will then be able to sign in from the lock screen.

It's also easy to switch between users without signing out or closing your current apps. Switching users will lock the current user, so you won't need to worry about someone else accessing your account. To do this, select the current account, then choose the desired user from the drop-down menu. You can use this same method to switch back to the other user.

Managing user accounts

By default, the user account you created when setting up your computer is an Administrator account. An Administrator account allows you to make top-level changes to the computer, like adding new users or modifying specific settings. Any users you add are automatically assigned to a Standard user account, which should meet the everyday needs of most users. You will probably only need one Administrator account on a shared computer, but you have the option to promote any user to an Administrator account if you want.

  1. From the Family & other users options, select the desired user, then click Change account type.
  2. Select the desired option from the drop-down list, then click OK. In this example, we'll choose Administrator.
  3. The user will now have administrative privileges.

Setting parental controls

Windows offers a variety of parental controls that can help you monitor your children's activity and protect them from inappropriate content. For example, you can restrict certain apps and websites or limit the amount of time a user can spend on the computer. You'll need to add a family account for each user you want to monitor. Each user will also need to have a Microsoft account; you cannot enable parental controls on a local account.

  1. From the Family & other users options, select Add a family member.
  2. Select Add a child, enter the new user's email address, then click Next.
  3. The new member will then need to confirm the addition to your family group from his or her inbox.
  4. Once this is done, select Manage family settings online.
  5. A page will open in a new browser window. From here, select the desired user to set parental controls.

The family settings page offers the following parental controls:

Screen time

From here, you can limit the amount of time a child can spend on the computer.

Apps & games

From here, you can set general restrictions and age limits for apps and games downloaded from the Windows store.

Web browsing

From here, you can enable web browsing preferences. For example, you can choose to block inappropriate websites by default. You can also approve certain sites so they won't be blocked by the filter.

Recent Activity

From here, you'll see a general summary of a child's activity, like the websites visited and the total amount of time spent on the computer.
