Unlocking Active Directory User Accounts

A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by a user forgetting their password or by an application trying to use a previous (saved) password for authentication after the user has changed it.

Account Lockout Policy in Active Directory

User account lockout is enabled in the default security policies of an Active Directory domain.

Typically, user lockout settings are configured in the Default Domain Policy GPO (Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy). There are three options:

• Account lockout threshold – the number of failed attempts to enter a password, after which the user will be locked out;
• Account lockout duration – how long the user remains locked out (in minutes). A user is then automatically unlocked;
• Reset account lockout counter after – the number of minutes after which the failed login counter is reset.

These lockout settings apply to all domain users, except for groups that have been assigned special settings using Fine-Grained Password Policies.

The Microsoft security baselines recommend that users should be locked out after 10 failed login attempts. This is considered optimal for protecting against password brute-force and DoS attacks, and is convenient for users who often make mistakes when entering their passwords.

How to Unlock a User Account Using the Active Directory Console (ADUC)

If a user account is locked out, you will see the message below when trying to log on to Windows:

The referenced account is currently locked out and may not be logged on to.

A user will not be able to log on to Windows until the lockout period expires or an administrator manually unlocks the account.

You can unlock a user using the Active Directory Users and Computers (ADUC) graphical console:

1. Open the dsa.msc console and find the AD user you want to unlock;
2. Click the Account tab. If the user is locked, there should be a message here Unlock account. This account is currently locked out on this Active Directory Domain Controller;
3. Check this option and click OK to save the changes;
4. The user account is unlocked and may be used to log on domain.

By default, only domain admins can unlock users in AD. You can delegate unlock permissions to non-admin users so that they can unlock accounts.

1. Click the Organization Unit (OU) containing the users you want to delegate permissions to and select Delegate Control;
2. Select a group of users you want to grant permissions to (for example, nyHelpDesk);
3. Then select Create a custom task -> Only the following objects in the folder -> User objects;
4. In the list of permissions, tick the Write lockoutTime box;
5. Now members of the nyHelpDesk group can unlock users.

You can enable an audit policy that allows you to find out who unlocked a user account:

1. Enable the Audit User Account Management policy in Default Domain Controller GPO (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management);
2. You can then track user unlock events by looking for EventID 4767 in the Security log on the domain controller (A user account was unlocked);
3. You can also use PowerShell to find events by event ID:
   Get-WinEvent -FilterHashtable @{logname='Security';id=4767}|ft TimeCreated,Id,Message

Unlock AD Accounts Using PowerShell

You can use the Unlock-ADAccount PowerShell cmdlet to unlock AD users. This cmdlet is included in the AD Module for Windows PowerShell.

Check that the user is locked (Lockedout = true):

Get-ADUser -Identity j.brion -Properties LockedOut,DisplayName | Select-Object samaccountName, displayName,Lockedout

Unlock the AD user with the command:

Unlock-ADAccount j.brion

You can use PowerShell to view the lockout time, the last logon date, and the date that the user’s password was changed:

Get-ADUser j.brion -Properties Name,Lockedout, lastLogonTimestamp,lockoutTime,pwdLastSet | Select-Object Name, Lockedout,@{n='LastLogon';e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}},@{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}

You can use the Search-ADAccount cmdlet to find all the locked users in the domain:

Search-ADAccount -UsersOnly -lockedout

With a simple PowerShell one-liner, you can unlock all domain users at once:

Search-ADAccount -UsersOnly -lockedout| Unlock-ADAccount