0X000004D7

Fix ERROR_LOGIN_TIME_RESTRICTION (0X000004D7)

Windows Errors Intermediate 👁 1 views 📅 Jun 9, 2026

This error means your account is blocked from logging in during certain hours. It's a domain policy, not a Windows bug. Here's exactly how to fix it.

1. Your Logon Hours Are Set Too Restrictively (Most Common)

This error means someone — usually a domain admin — has set logon hours on your Active Directory account. You're trying to log in at a time that's blocked. 9 times out of 10, this is it.

The fix is to check your own account's logon hours first, so you know exactly what's allowed. Then you can either wait or ask for a change.

Check your logon hours (Windows 10/11, domain-joined)

  1. Press Win + R, type cmd, and hit Enter. A black command prompt opens.
  2. Type this command exactly:
    net user %username% /domain
  3. Hit Enter. It will take a few seconds. You'll see a wall of text about your account.
  4. Look for the line that says Logon hours. It shows a grid. Days run across the top (Sunday through Saturday). Hours run down the left side. Each cell is either Allowed or Denied.

If you see Denied for the current time, that's the cause. For example, say your hours are Monday 8 AM to 6 PM only. If you try to log in at 7 PM Monday, you get error 0x000004D7.

What to do now

  • Wait until an allowed hour (fastest fix if you can).
  • Ask your IT admin to expand your logon hours. They can do this from Active Directory Users and Computers (ADUC) or with PowerShell. The command they'd use: 
    net user username /time:M-F,08:00-20:00 /domain
    That sets Monday through Friday, 8 AM to 8 PM.

One real-world trigger: A hospital nurse working a 7 PM to 7 AM shift tried to clock in at 6:30 PM. Her account was locked to 7 AM–6 PM. The admin ran the net user command above with 7 PM–7 AM hours. Problem solved in 2 minutes.

2. The Domain Policy Has Changed and Your Account Hasn't Updated

Sometimes the server's logon hours policy was just updated (pushed via Group Policy), but your workstation hasn't pulled the new settings yet. This is common after a domain admin makes changes and you've been logged in for days without rebooting.

The fix here is to force a Group Policy update on your machine. You don't need admin rights for this — any domain user can do it.

Force Group Policy update

  1. Open Command Prompt as administrator. Or if you're not an admin, just open it normally (some versions of Windows let you run gpupdate without admin privileges).
  2. Type: 
    gpupdate /force
  3. Wait for it to finish. You'll see a message like "Computer Policy update has completed successfully."
  4. Now restart your computer. After reboot, try logging in again.

If that doesn't work, run gpresult /r in the command prompt. It shows which Group Policies applied. Look for any policy named "Logon hours" or similar. If you see nothing, the policy might be set at a higher level (like the domain root) and your account is getting blocked by something else — move to cause #3.

3. The Logon Hours Policy Is Set at the Domain Level and You're Not in the Right Group

Less common but tricky: The domain admin may have set a fine-grained password policy or logon hours policy on a specific security group. If you were recently removed from that group (or added to a group with tighter restrictions), your logon hours can change without any direct notice.

This is a server-side issue. You can't fix this from your workstation. Here's what to do:

Ask an admin to check your group membership and logon hours

  1. The admin needs to open Active Directory Users and Computers (ADUC) on a domain controller or management workstation.
  2. Find your user object, right-click it, and select Properties.
  3. Go to the Account tab. Look at the Logon Hours button. Click it. That shows the exact grid of allowed/denied times.
  4. If everything looks fine there, the admin should check Group Policy Management. Look for policies linked to your account's OU or any filtered security groups.
  5. Run gpresult /scope user /v on your machine (with your account logged in). That shows which GPOs apply to you. The admin can compare it to the policy on the server.

Real-world example: A user was in the "Night Shift" group that allowed 24/7 logon. An admin accidentally moved them to the "Day Staff" group with 8 AM–6 PM hours. The user got error 0x000004D7 at 7 PM. Took 10 minutes to find the group membership change. Moved them back. Fixed.

Quick-Reference Summary Table

Cause What to Do Time to Fix Who Can Fix It
Your logon hours are too restrictive Check with net user %username% /domain, then wait or ask admin to expand hours 2–5 minutes You can check; admin must change
Group Policy hasn't updated on your machine Run gpupdate /force and restart 5 minutes You (no admin rights needed)
You're in the wrong security group Admin checks AD group membership and logon hours policy 10–20 minutes Admin only

That's it. Most people hit cause #1. Check that first. If it's not that, move to cause #2. And if you're still stuck, it's cause #3 — a deeper server-side issue that needs an admin. Don't waste time reformatting or reinstalling Windows. This is purely a policy problem.

Was this solution helpful?

ERROR_LOGIN_TIME_RESTRICTION 0X000004D7 login time restriction logon hours restriction domain logon hours user cannot log in at this time active directory logon hours windows login restriction net user logon hours lockout time windows unauthorized time of day logon hours policy domain user login blocked fix 0x000004d7 login time restriction windows 10 login time restriction windows 11