A user account in Active Directory is locked if a user incorrectly typed the password several times in a row. In this article, we will show you how to find and unlock an account of one user or all locked AD domain users at once.
The threshold value for the number of attempts to enter the wrong password and the account licking time is defined in the Default Domain Policy in the GPO section
Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.
In our Active Directory domain, this policy is configured as follows:
- Account lockout threshold – 30 minutes;
- Account lockout duration – 10 invalid logon attempts;
- Reset account lockout counter after – 10 minutes.
In our case, after 10 attempts to input the wrong password, the user account is locked for 30 minutes. At this time, the user cannot login to the domain under account with the error “1909: The referenced account is currently locked out and may not be logged on to”.
The domain administrator can prematurely unlock the user account so that he won’t need to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers console (ADUC).
To unlock a user’s account, find AD user object, open the properties, go to the Account tab, check “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and press OK.
However, you can unlock your user account in Active Directory much faster using PowerShell cli.
To do this, you will need to install the module Active Directory module for Windows PowerShell.
On Windows Server, you can install it with the command:
Add-WindowsFeature RSAT-AD-Powershell
Check that the user account is locked. To do this, run the following PowerShell one-liner:
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout| ft -AutoSize
The account is locked (Lockedout=True).
To unlock a user account, you can use the cmdlet:
Unlock-ADAccount bjackson –Confirm
To confirm unlock account press Y, then Enter.
You can also use the following syntax:
Get-ADUser -Identity bjackson | Unlock-ADAccount
Check that this account is now unlocked (Lockedout=True):
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout
Now the user can login to the domain computer or server under his account.
You can quickly find all locked user accounts in the domain. Use this PowerShell command:
Search-ADAccount -lockedout | Select-Object SamAccountName, LastLogonDate, Lockedout
To unlock all users found, use the command:
Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm
How would you know the root cause of the block? or How do you know which computer, task or whatever it is, is blocking the account? (powershell)