Fix: “An administrator has restricted sign in” on Windows

The error message “An administrator has restricted sign-in” indicates that the account has been intentionally blocked from logging in. Unlike disabled accounts, which may sometimes allow limited access in Safe Mode, a restricted sign-in can completely prevent login until the restriction or underlying policy is removed. This is a system-level block, often triggered by security policies such as Find My Device locks, Group Policy settings, or Conditional Access rules.

Another frequent reason is a restriction applied by IT through Group Policy, Microsoft Intune, or Microsoft Entra ID Conditional Access. These rules can block logins based on device, location, or compliance status. In some cases, remote access tools such as Remote Desktop Protocol (RDP) also deny connections if policies or group memberships restrict the account.

Before You Begin

  • From the Windows sign-in screen, connect to the internet using the network icon or plug in Ethernet, then retry.
  • Confirm that you are using the same Microsoft account that is linked to the device if it is a personal PC.
  • If this is an organization-managed device, your IT policy may enforce the restriction. Contact your administrator if the same message appears on multiple accounts.

Below are solutions to resolve the problem.

1. Check If Your Device Is Remotely Locked

If your device is locked remotely, entering the correct credentials may not get you past the lock screen until the device is unlocked locally and the restricted state clears. This lock is a security feature designed to prevent unauthorized access when a device is lost or stolen. Clearing the remote lock restores normal authentication and sign-in functionality.

  1. On another device, open a browser and go to the official Microsoft Find My Device page.
  2. Sign in with the same Microsoft account linked to the locked PC.
  3. Click the menu (hamburger icon) in the top left corner, then select “Devices”.
  4. Locate the locked device and click on Find My Device.
  5. Check the status to confirm whether it is locked or unlocked.
  6. If the status shows Locked, return to the device and unlock it using your PIN, password, or biometrics. If the lock does not clear and you remain blocked, open the Windows Recovery Environment from the sign-in screen, choose Troubleshoot, then use Reset this PC as a last resort.

2. Unrestrict Account via Group Policy

When deny policies are applied to a user, the system blocks interactive logins, RDP access, or network authentication. Removing these deny rules lets the system recalculate the account's logon rights without the restriction, allowing sign-in again. Windows computes effective rights from all applied policies, and a deny right takes precedence over the matching allow right, so the deny entry has to be removed and the policy state refreshed before the block clears.

Use this method when a local or domain policy is blocking sign-in. It does not apply to a remote lock scenario.

Note: gpedit.msc and many security policy consoles are available on Windows Pro, Enterprise, and Education. They are not available on Windows Home by default. On domain-joined or MDM-managed devices, central policy may override your local changes.

  1. Sign in to the device with another administrator account.
  2. Press Windows + R to open the Run dialog.
  3. Type the following command and press Enter:
    gpedit.msc

  4. In the left panel, navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  5. In the right panel, double-click “Deny log on locally”.
  6. Select the affected user from the list and click Remove.
  7. Click Apply, then OK to confirm.
  8. Repeat this for “Deny log on through Remote Desktop Services” and “Deny access to this computer from the network”.
  9. Also confirm the account has the matching allow rights: “Allow log on locally” or “Allow log on through Remote Desktop Services”, and that it belongs to the correct groups such as Administrators or Remote Desktop Users when needed.
  10. Open the Start menu, search for CMD, and run it as an administrator.
  11. Type the following command and press Enter to refresh group policies:
    gpupdate /force

  12. If sign in is still blocked, generate a policy report to find which GPO enforces the deny setting:
    gpresult /h C:\gp.html

    Open C:\gp.html and search for the three deny policies to identify the source policy. You can also use rsop.msc to view Resultant Set of Policy.

  13. Finally, try signing in again with the affected account.
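
The same three deny rights can be audited from an elevated PowerShell prompt before or after editing them in gpedit.msc. The following is an added example, not part of the original article: the function name Get-DenyLogonEntry and the account name ExampleUser are hypothetical, and the script only reads the exported policy without changing it.

```powershell
# Added example: list who is named in the three deny rights from this article.
# Run from an elevated PowerShell prompt. Function and account names are hypothetical.
function Get-DenyLogonEntry {
    param([Parameter(Mandatory)][string]$UserName)

    # secedit privilege constant -> policy name shown in gpedit.msc
    $rights = @{
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
        SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    }

    # SID of the affected account, used for the direct-match column
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $userSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the User Rights Assignment area to a temporary INF file
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
            if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
            $right = $Matches[1]
            if (-not $rights.ContainsKey($right)) { continue }

            foreach ($entry in $Matches[2].Split(',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid = $null; $display = $entry
                try {
                    if ($entry.StartsWith('*')) {        # SIDs are exported as *S-1-...
                        $sid = $entry.Substring(1)
                        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                        $display = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                    } else {                             # some entries are plain account names
                        $named = New-Object System.Security.Principal.NTAccount($entry)
                        $sid = $named.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    }
                } catch { }  # orphaned SID or unresolvable name: report it as exported
                [pscustomobject]@{
                    Policy = $rights[$right]; Entry = $display
                    Sid = $sid; IsTargetUser = ($sid -eq $userSid)
                }
            }
        }
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}
# Usage: Get-DenyLogonEntry -UserName 'ExampleUser' | Format-Table -AutoSize
```

A deny right that has nobody assigned does not appear in the export, so no rows for a policy means it is empty. An entry that is a group blocks every member, so check the account's group memberships against the Entry column as well as the IsTargetUser flag.
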
ABOUT THE AUTHOR

Hamza Mohammad Anwar