How to Stop Your Windows VPS Administrator Account from Locking (RDP Lockout Fix)

Overview

Some users may find their Windows VPS Administrator account becomes locked, even if they haven’t entered the wrong password.

This happens because automated bots on the internet continuously try to log in through RDP (port 3389). When the system detects too many failed login attempts, it automatically locks the Administrator account for a period of time — or until it’s manually unlocked.
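To confirm that failed logons from unknown addresses are what triggers the lockout, this added example (not part of the original article) summarizes Security event 4625 by source IP. The 24-hour window and the top-15 cutoff are assumed values, and failed-logon auditing must be enabled for the events to exist.

```powershell
# Added example: summarize failed logons (Security event 4625) by source IP.
# Run in an elevated PowerShell session. $Hours and $Top are illustrative values.
$Hours = 24
$Top   = 15

$filter = @{
    LogName   = 'Security'
    Id        = 4625                          # "An account failed to log on"
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches, so suppress it and test for null.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 4625 events in the last $Hours hour(s) (or logon-failure auditing is off)."
}
else {
    $rows = foreach ($e in $events) {
        # Read fields by name from the event XML instead of relying on property order.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            SourceIp  = $data['IpAddress']
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']    # typically 3 with NLA, 10 without
        }
    }

    # One row per source address, busiest first.
    $rows | Group-Object SourceIp | Sort-Object Count -Descending |
        Select-Object -First $Top | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                SourceIp   = $_.Name
                Attempts   = $_.Count
                Users      = ($_.Group.User | Sort-Object -Unique) -join ', '
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
                First      = $times[0]
                Last       = $times[-1]
            }
        } | Format-Table -AutoSize
}
```

Many distinct source addresses trying Administrator and other common usernames point to automated scanning rather than a misconfigured client of your own.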

Affected Windows Versions

This issue primarily affects Windows Server 2025 and occasionally Windows Server 2022, due to new default security policies introduced by Microsoft.

| Windows Version | Default Lockout Policy | Issue Seen? | Notes |
| --- | --- | --- | --- |
| Windows Server 2025 | Enabled (10 failed attempts → lockout) | ✅ Very common | Based on Windows 11 24H2 kernel — stricter security defaults |
| Windows Server 2022 | Sometimes enabled depending on build | ⚠️ Occasional | May inherit stricter group policies from updated templates |
| Windows Server 2019 | Disabled by default | ❌ Rare | Older kernel and relaxed local security policies |

Starting with Windows Server 2025, Microsoft added new account lockout policies to combat brute-force attacks automatically. However, this behavior can cause inconvenience on VPS environments where RDP is public and bots frequently attempt logins.

Step 1: Disable Account Lockout Policy (Fastest Fix)

To prevent your Administrator account from locking again:

  1. Log in to your VPS via RDP or VNC.
  2. Press Windows + R, type secpol.msc, and press Enter.
  3. Go to Account Policies → Account Lockout Policy.
  4. Set these values:
    • Account lockout duration: 0
    • Account lockout threshold: 0
    • Reset account lockout counter after: 0
  5. Click Apply and OK.

This disables Windows’ automatic lockout function completely — so even if bots attempt brute-force logins, the Administrator account will never become locked.

Important: Disabling the policy prevents lockouts but does not stop login attempts. To fully secure RDP, follow the next steps.

Step 2: Restrict RDP Access to Your IP (Recommended)

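Limit RDP access to your own IP address to block unwanted connections. Windows Firewall evaluates Block rules before Allow rules, so a Block rule for port 3389 with -RemoteAddress Any would also cut off your own IP. Instead, allow your IP explicitly, then disable the built-in Remote Desktop rules (which allow any address) so that the default inbound policy blocks everyone else. Open PowerShell as Administrator and run (replace x.x.x.x with your IP):

New-NetFirewallRule -DisplayName "Allow RDP from my IP" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress x.x.x.x -Action Allow

# Disable the built-in rules that allow RDP from any address (English display group name; assumes the default inbound action is Block)
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

Add your IP rule first, before disabling the built-in rules, to avoid disconnecting yourself.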

Step 3: Enable Network Level Authentication (NLA)

NLA ensures users must authenticate before initiating a full RDP session. Run in PowerShell as Administrator:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1

Restart-Service TermService -Force

Step 4: (Optional) Change the Default RDP Port

Changing the port doesn’t stop attacks but reduces noise from automated scanners. Replace [PORT] and x.x.x.x as needed, and run in PowerShell as Administrator:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d [PORT] /f

# Allow the new port from your IP before restarting the service, so you can reconnect afterwards
New-NetFirewallRule -DisplayName "Allow RDP from my IP new port" -Direction Inbound -Protocol TCP -LocalPort [PORT] -RemoteAddress x.x.x.x -Action Allow

# No Block rule is added: it would override the Allow rule above, and the default inbound policy already blocks other addresses on this port
Restart-Service TermService -Force

Then connect using: yourserverip:[PORT]

Summary

  • This issue mainly affects Windows Server 2025 (and sometimes 2022) because of Microsoft’s stricter default lockout policy.
  • Disable the policy to stop repeated account lockouts.
  • Restrict RDP access and enable NLA for proper protection.
  • Optionally change the RDP port to reduce noise from automated scanners.

Need Help?

If you’d like PrivateByte to apply these security settings to your VPS or assist with RDP hardening, contact us:

Email: [email protected]
Telegram: @PrivateByteSupport
