Windows OS Hub / PowerShell / Unlocking Active Directory User Accounts

March 12, 2024 Active DirectoryGroup PoliciesPowerShell

Unlocking Active Directory User Accounts

A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by a user forgetting their password or by an application trying to use a previous (saved) password for authentication after the user has changed it.

Contents:

Account Lockout Policy in Active Directory

User account lockout is enabled in the default security policies of an Active Directory domain.

Typically, user lockout settings are configured in the Default Domain Policy GPO (Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy). There are three options:

  • Account lockout threshold – the number of failed attempts to enter a password, after which the user will be locked out;
  • Account lockout duration – how long the user remains locked out (in minutes). A user is then automatically unlocked;
  • Reset account lockout counter after – the number of minutes after which the failed login counter is reset.

Active Directory Account Lockout Policy

These lockout settings apply to all domain users, except for groups that have been assigned special settings using Fine-Grained Password Policies.

Learn more about password policies in AD.

The Microsoft security baselines recommend that users should be locked out after 10 failed login attempts. This is considered optimal for protecting against password brute-force and DoS attacks, and is convenient for users who often make mistakes when entering their passwords.

The default password policy in Entra ID (ex. Azure AD) locks a user account after 10 failed attempts to log in.

How to Unlock a User Account Using the Active Directory Console (ADUC)

If a user account is locked out, you will see the message below when trying to log on to Windows:

The referenced account is currently locked out and may not be logged on to.

The referenced account is currently locked out and may not be logged on to.

If a domain user frequently complains that their account is locked out, you can find a computer and process that are constantly causing lockouts by looking for event IDs 4740 and 4625 in the Primary Domain Controller security log (see How to find account lockout source in Active Directory).

A user will not be able to log on to Windows until the lockout period expires or an administrator manually unlocks the account.

You can unlock a user using the Active Directory Users and Computers (ADUC) graphical console:

  1. Open the dsa.msc console and find the AD user you want to unlock;
  2. Click the Account tab. If the user is locked, there should be a message here Unlock account. This account is currently locked out on this Active Directory Domain Controller;
  3. Check this option and click OK to save the changes;
  4. The user account is unlocked and may be used to log on domain. Unlock user with ADUC

By default, only domain admins can unlock users in AD. You can delegate unlock permissions to non-admin users so that they can unlock accounts.

  1. Click the Organization Unit (OU) containing the users you want to delegate permissions to and select Delegate Control; Delegate AD permissions
  2. Select a group of users you want to grant permissions to (for example, nyHelpDesk);
  3. Then select Create a custom task -> Only the following objects in the folder -> User objects;
  4. In the list of permissions, tick the Write lockoutTime box; Write lockoutTime permission
  5. Now members of the nyHelpDesk group can unlock users.

You can enable an audit policy that allows you to find out who unlocked a user account:

  1. Enable the Audit User Account Management policy in Default Domain Controller GPO (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management);
  2. You can then track user unlock events by looking for EventID 4767 in the Security log on the domain controller (A user account was unlocked); EventID 4767 A user account was unlocked
  3. You can also use PowerShell to find events by event ID:
    Get-WinEvent -FilterHashtable @{logname='Security';id=4767}|ft TimeCreated,Id,Message

Get-WinEvent search for lockout events

Increase Event Viewer log size on domain controllers to store more events.

Unlock AD Accounts Using PowerShell

You can use the Unlock-ADAccount PowerShell cmdlet to unlock AD users. This cmdlet is included in the AD Module for Windows PowerShell.

Check that the user is locked (Lockedout = true):

Get-ADUser -Identity j.brion -Properties LockedOut,DisplayName | Select-Object samaccountName, displayName,Lockedout

Unlock the AD user with the command:

Unlock-ADAccount j.brion

Unlock-ADAccount PowerShell

You can use PowerShell to view the lockout time, the last logon date, and the date that the user’s password was changed:

Get-ADUser j.brion -Properties Name,Lockedout, lastLogonTimestamp,lockoutTime,pwdLastSet | Select-Object Name, Lockedout,@{n='LastLogon';e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}},@{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}

Get-ADUser - get lockouttime

You can use the Search-ADAccount cmdlet to find all the locked users in the domain:

Search-ADAccount -UsersOnly -lockedout

With a simple PowerShell one-liner, you can unlock all domain users at once:

Search-ADAccount -UsersOnly -lockedout| Unlock-ADAccount

0 comment
1
Facebook Twitter Google + Pinterest

Related Reading

Check the Software Installation/Removal History in Windows

October 8, 2024

Validating AD User Credentials with PowerShell

October 8, 2024

Run PowerShell Scripts on a Schedule with Task...

October 3, 2024

Configure Kiosk Mode on Windows 11 (Single or...

September 24, 2024

Mapping SharePoint Online Library as Network Drive in...

July 15, 2024

Leave a Comment