{"id":9117,"date":"2024-02-13T15:08:12","date_gmt":"2024-02-13T15:08:12","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/the-procedure-for-unlocking-user-accounts-in-active-directory\/"},"modified":"2025-03-31T14:55:52","modified_gmt":"2025-03-31T14:55:52","slug":"the-procedure-for-unlocking-user-accounts-in-active-directory","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/the-procedure-for-unlocking-user-accounts-in-active-directory\/","title":{"rendered":"The Procedure for Unlocking User Accounts in Active Directory"},"content":{"rendered":"<p>A user account lockout in a domain is one of the most common reasons why users contact the technical support team. In most cases, the lockout is caused either by a user forgetting their password or by an application trying to use a previous (saved) password for authentication after the user has changed it.<\/p>\n<h2>Account Lockout Policy in Active Directory<\/h2>\n<p>User account lockout is enabled in the default security policies of an Active Directory domain.<\/p>\n<p>Normally, the settings for user lockout are set up in the <code>Default Domain Policy<\/code> GPO (<strong>Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policy -&gt; Account Lockout Policy<\/strong>). There are three settings available:<\/p>\n<ul>\n<li><strong>Account lockout threshold<\/strong> \u2013 the number of unsuccessful password entry attempts allowed, after which the user&#8217;s account gets locked;<\/li>\n<li><strong>Account lockout duration<\/strong> \u2013 the amount of time in minutes that the user&#8217;s account stays locked. 
Once this duration has expired, the user\u2019s account will be unlocked automatically;<\/li>\n<li><strong>Reset account lockout counter after<\/strong> \u2013 the number of minutes after which the failed log-in attempts counter is reset.<\/li>\n<\/ul>\n<p>All these lockout settings apply to all domain users, apart from groups that have special settings applied using Fine-Grained Password Policies.<\/p>\n<p>Read more about password policies in AD.<\/p>\n<p>The Microsoft security baselines recommend that users should be locked out after 10 failed login attempts. This is considered optimal for protecting against password brute-force and DoS attacks, and is convenient for users who often make mistakes when entering their passwords.<\/p>\n<p>The default password policy in Entra ID (formerly Azure AD) locks a user account after 10 failed attempts to log in.<\/p>\n<h2>How to Unlock a User Account Using the Active Directory Console (ADUC)<\/h2>\n<p>If a user account is locked out, you will see the message below when trying to log on to Windows:<\/p>\n<pre>The referenced account is currently locked out and may not be logged on to.<\/pre>\n<p>If a domain user frequently complains that their account is locked out, you can find the computer and process that are constantly causing the lockouts by looking for event IDs <strong>4740<\/strong> and <strong>4625<\/strong> in the Primary Domain Controller security log (see How to find account lockout source in Active Directory).<\/p>\n<p>A user will not be able to log on to Windows until the lockout period expires or an administrator manually unlocks the account.<\/p>\n<p>You can unlock a user using the Active Directory Users and Computers (ADUC) graphical console:<\/p>\n<ol>\n<li>Open the <code>dsa.msc<\/code> console and find the AD user you want to unlock;<\/li>\n<li>Click the Account tab. If the user is locked, there should be a message here <code>Unlock account. 
This account is currently locked out on this Active Directory Domain Controller<\/code>;<\/li>\n<li>Check this option and click OK to save the changes;<\/li>\n<li>The user account is unlocked and may be used to log on to the domain.<\/li>\n<\/ol>\n<p>By default, only domain admins can unlock users in AD. You can delegate unlock permissions to non-admin users so that they can unlock accounts.<\/p>\n<ol>\n<li>Click the Organizational Unit (OU) containing the users you want to delegate permissions for and select Delegate Control;<\/li>\n<li>Select the group of users you want to grant permissions to (for example, nyHelpDesk);<\/li>\n<li>Then select Create a custom task -&gt; Only the following objects in the folder -&gt; User objects;<\/li>\n<li>In the list of permissions, tick the Write lockoutTime box;<\/li>\n<li>Now members of the nyHelpDesk group can unlock users.<\/li>\n<\/ol>\n<p>You can enable an audit policy that allows you to find out who unlocked a user account:<\/p>\n<ol>\n<li>Enable the <strong>Audit User Account Management<\/strong> policy in the <code>Default Domain Controller<\/code> GPO (Computer Configuration -&gt; Policies -&gt; Windows Settings -&gt; Security Settings -&gt; Advanced Audit Policy Configuration -&gt; Audit Policies -&gt; Account Management);<\/li>\n<li>You can then track user unlock events by looking for EventID <strong>4767<\/strong> in the <strong>Security<\/strong> log on the domain controller (<code>A user account was unlocked<\/code>);<\/li>\n<li>You can also use PowerShell to find events by event ID:<br \/>\n<code>Get-WinEvent -FilterHashtable @{logname='Security';id=4767} | ft TimeCreated,Id,Message<\/code><\/li>\n<\/ol>\n<p>Increase the Event Viewer log size on domain controllers to store more events.<\/p>\n<h2>Unlock AD Accounts Using PowerShell<\/h2>\n<p>You can use the <code>Unlock-ADAccount<\/code> PowerShell cmdlet to unlock AD users. 
This cmdlet is included in the Active Directory module for Windows PowerShell.<\/p>\n<p>Check that the user is locked (<code>LockedOut = True<\/code>):<\/p>\n<p><code>Get-ADUser -Identity j.brion -Properties LockedOut,DisplayName | Select-Object SamAccountName,DisplayName,LockedOut<\/code><\/p>\n<p>Unlock the AD user with the command:<\/p>\n<p><code>Unlock-ADAccount j.brion<\/code><\/p>\n<p>You can use PowerShell to view the lockout time, the last logon date, and the date that the user\u2019s password was changed:<\/p>\n<p><code>Get-ADUser j.brion -Properties Name,LockedOut,lastLogonTimestamp,lockoutTime,pwdLastSet | Select-Object Name,LockedOut,@{n='LastLogon';e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}},@{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}<\/code><\/p>\n<p>You can use the <a href=\"https:\/\/woshub.com\/how-to-find-blocked-disabled-or-inactive-objects-in-ad-using-search-adaccount\/\" rel=\"nofollow\" target=\"_blank\">Search-ADAccount cmdlet<\/a> to find all the locked users in the domain:<\/p>\n<p><code>Search-ADAccount -UsersOnly -LockedOut<\/code><\/p>\n<p>With a simple PowerShell one-liner, you can unlock all locked domain users at once:<\/p>\n<p><code>Search-ADAccount -UsersOnly -LockedOut | Unlock-ADAccount<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by a user forgetting their password or by an application trying to use a previous (saved) password for authentication after the user has changed it. 
Account [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":9118,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97,143,117],"tags":[],"class_list":["post-9117","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-group-policies","category-powershell"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=9117"}],"version-history":[{"count":3,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9117\/revisions"}],"predecessor-version":[{"id":10703,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9117\/revisions\/10703"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/9118"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=9117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=9117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=9117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}