March 12, 2024

Unlocking Active Directory User Accounts

A domain user account lockout is one of the most common reasons why users contact the technical support team. In most cases, the lockout is caused either by a user forgetting their password or by an application that keeps trying to authenticate with a previous (saved) password after the user has changed it.

Contents:
  • Account Lockout Policy in Active Directory
  • How to Unlock a User Account Using the Active Directory Console (ADUC)
  • Unlock AD Accounts Using PowerShell

Account Lockout Policy in Active Directory

User account lockout is enabled in the default security policies of an Active Directory domain.

Typically, user lockout settings are configured in the Default Domain Policy GPO (Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy). There are three options:

  • Account lockout threshold – the number of failed attempts to enter a password, after which the user will be locked out;
  • Account lockout duration – how long the user remains locked out (in minutes). A user is then automatically unlocked;
  • Reset account lockout counter after – the number of minutes after which the failed login counter is reset.

Active Directory Account Lockout Policy

These lockout settings apply to all domain users, except for groups that have been assigned special settings using Fine-Grained Password Policies.

Learn more about password policies in AD.

The Microsoft security baselines recommend that users should be locked out after 10 failed login attempts. This is considered optimal for protecting against password brute-force and DoS attacks, and is convenient for users who often make mistakes when entering their passwords.

The default password policy in Entra ID (ex. Azure AD) locks a user account after 10 failed attempts to log in.
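The three settings above can be checked from PowerShell instead of the GPO editor. The following function is an added example (not code from the original post): it reads the domain lockout policy, or the Fine-Grained Password Policy that actually applies to one user, and flags values that are weaker than the 10-attempt baseline mentioned above. It assumes the AD module is installed and the account name `j.brion` is only a sample.

```powershell
# Added example (not from the original post): compare the effective lockout
# policy with the 10-attempt baseline the article cites.
Import-Module ActiveDirectory

function Get-LockoutPolicyReport {
    param(
        # Optional sAMAccountName: report the resultant (Fine-Grained) policy for one user
        [string]$Identity,
        [int]$BaselineThreshold = 10   # recommended threshold cited in the article
    )
    if ($Identity) {
        # A Fine-Grained Password Policy overrides the Default Domain Policy for its members
        $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
        $source = if ($policy) { "FGPP: $($policy.Name)" } else { 'Default Domain Policy' }
        if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    $findings = @()
    if ($policy.LockoutThreshold -eq 0) {
        $findings += 'Lockout disabled (threshold 0): no protection against password guessing'
    } elseif ($policy.LockoutThreshold -gt $BaselineThreshold) {
        $findings += "Threshold $($policy.LockoutThreshold) is above the baseline of $BaselineThreshold"
    }
    # A lockout duration of 0 means the account stays locked until an admin unlocks it
    if ($policy.LockoutThreshold -ne 0 -and $policy.LockoutDuration -eq [TimeSpan]::Zero) {
        $findings += 'LockoutDuration is 0: locked accounts never unlock automatically (helpdesk load, DoS risk)'
    }

    [pscustomobject]@{
        Source                   = $source
        LockoutThreshold         = $policy.LockoutThreshold
        LockoutDurationMinutes   = $policy.LockoutDuration.TotalMinutes
        ResetCounterAfterMinutes = $policy.LockoutObservationWindow.TotalMinutes
        Findings                 = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Domain-wide policy first, then the policy that actually applies to one (sample) user
Get-LockoutPolicyReport
Get-LockoutPolicyReport -Identity 'j.brion'
```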

How to Unlock a User Account Using the Active Directory Console (ADUC)

If a user account is locked out, you will see the message below when trying to log on to Windows:

The referenced account is currently locked out and may not be logged on to.

If a domain user frequently complains that their account is locked out, you can find the computer and process that keep causing the lockouts by looking for event IDs 4740 and 4625 in the Security log of the Primary Domain Controller (see How to find account lockout source in Active Directory).

A user will not be able to log on to Windows until the lockout period expires or an administrator manually unlocks the account.

You can unlock a user using the Active Directory Users and Computers (ADUC) graphical console:

  1. Open the dsa.msc console and find the AD user you want to unlock;
  2. Click the Account tab. If the user is locked out, the following option is shown here: Unlock account. This account is currently locked out on this Active Directory Domain Controller;
  3. Check this option and click OK to save the changes;
  4. The user account is unlocked and can be used to log on to the domain.

By default, only domain admins can unlock users in AD. You can delegate unlock permissions to non-admin users so that they can unlock accounts.

  1. Click the Organizational Unit (OU) containing the users you want to delegate permissions for and select Delegate Control;
  2. Select the group of users you want to grant permissions to (for example, nyHelpDesk);
  3. Then select Create a custom task -> Only the following objects in the folder -> User objects;
  4. In the list of permissions, tick the Write lockoutTime box;
  5. Now members of the nyHelpDesk group can unlock users.

You can enable an audit policy that allows you to find out who unlocked a user account:

  1. Enable the Audit User Account Management policy in the Default Domain Controllers GPO (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management);
  2. You can then track user unlock events by looking for EventID 4767 (A user account was unlocked) in the Security log on the domain controller;
  3. You can also use PowerShell to find events by event ID:
    Get-WinEvent -FilterHashtable @{logname='Security';id=4767} | ft TimeCreated,Id,Message

Get-WinEvent search for lockout events

Increase Event Viewer log size on domain controllers to store more events.
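The Message field of event 4767 has to be read by eye. The function below is an added example (not code from the original post) that parses the event XML instead, so you get a table of who unlocked which account and on which DC; this is the data you need to verify that only the delegated group (nyHelpDesk in the example above) is unlocking accounts. It assumes the audit policy above is enabled and that the session can read the Security log of the DC you name.

```powershell
# Added example (not from the original post): report who unlocked which account
# from event ID 4767 ("A user account was unlocked") on a domain controller.
function Get-AccountUnlockEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4767
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches the filter; treat that as an empty result
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
    foreach ($e in $events) {
        # EventData carries the fields as <Data Name="...">value</Data> elements
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            DC         = $e.MachineName
            UnlockedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Account    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }
}

# Unlocks recorded in the last 24 hours on the local DC, newest first
Get-AccountUnlockEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Each DC logs only the unlocks performed against it, so run the function against every DC (or a central log collector) for a complete picture.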

Unlock AD Accounts Using PowerShell

You can use the Unlock-ADAccount PowerShell cmdlet to unlock AD users. This cmdlet is included in the AD Module for Windows PowerShell.

Check that the user is locked (Lockedout = true):

Get-ADUser -Identity j.brion -Properties LockedOut,DisplayName | Select-Object samaccountName, displayName,Lockedout

Unlock the AD user with the command:

Unlock-ADAccount j.brion

Unlock-ADAccount PowerShell

You can use PowerShell to view the lockout time, the last logon date, and the date that the user’s password was changed:

Get-ADUser j.brion -Properties Name,Lockedout, lastLogonTimestamp,lockoutTime,pwdLastSet | Select-Object Name, Lockedout,@{n='LastLogon';e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}},@{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}

Get-ADUser - get lockouttime

You can use the Search-ADAccount cmdlet to find all the locked users in the domain:

Search-ADAccount -UsersOnly -lockedout

With a simple PowerShell one-liner, you can unlock all locked-out domain users at once:

Search-ADAccount -UsersOnly -lockedout| Unlock-ADAccount
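Before unlocking everything in bulk it is worth knowing when each lockout happened and when it would expire on its own. The script below is an added example (not code from the original post): it combines Search-ADAccount, Get-ADUser and the applicable lockout policy into one report, guarding against the lockoutTime = 0 case that [DateTime]::FromFileTime renders as the year 1601, and then unlocks only the accounts you name. It assumes the AD module is installed; `j.brion` is a sample name.

```powershell
# Added example (not from the original post): report locked-out users with the
# lockout time and the expected auto-unlock time, then unlock selected accounts.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    Search-ADAccount -UsersOnly -LockedOut | ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -Properties lockoutTime, lastLogonTimestamp, pwdLastSet
        # A Fine-Grained Password Policy, if any, overrides the domain lockout duration
        $pol = Get-ADUserResultantPasswordPolicy -Identity $u
        if (-not $pol) { $pol = $domainPolicy }
        # lockoutTime is a FILETIME; 0 would mean "not locked", so do not convert it blindly
        $locked = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        $expires = if ($locked -and $pol.LockoutDuration -gt [TimeSpan]::Zero) {
                       $locked + $pol.LockoutDuration
                   } else { 'until an admin unlocks' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LockedAt       = $locked
            UnlocksAt      = $expires
            LastLogon      = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
            PwdLastSet     = if ($u.pwdLastSet) { [DateTime]::FromFileTime($u.pwdLastSet) }
        }
    }
}

function Unlock-NamedAccounts {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($name in $SamAccountName) {
        # -Confirm prompts per account; -PassThru returns the object only if the unlock ran
        if (Unlock-ADAccount -Identity $name -Confirm -PassThru) {
            Write-Host "Unlocked $name"
        }
    }
}

Get-LockedOutReport | Format-Table -AutoSize
# Unlock-NamedAccounts -SamAccountName 'j.brion'
```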
