A user account in Active Directory is locked out if the password is typed incorrectly several times in a row and the number of failed attempts exceeds the maximum allowed by the account's password policy. In this article, we show how to find and unlock the AD account of a single user, or all locked-out domain users at once.
Account Lockout Policy in Active Directory Domain
The threshold for the number of incorrect password attempts and the account lockout time are defined in the Default Domain Policy in the following GPO section: Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
In our Active Directory domain, this policy is configured as follows:
- Account lockout threshold — 10 invalid logon attempts;
- Account lockout duration — 30 minutes;
- Reset account lockout counter after — 10 minutes.
You can use this PowerShell command to quickly find the default settings of the account lockout policy on your domain controller:
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutDuration, LockoutObservationWindow, LockoutThreshold
Note. A LockoutDuration value of 0 means that locked-out user accounts in your domain are never unlocked automatically. Only a domain administrator can remove the lock manually.
If a Fine-Grained Password Policy (PSO) with custom account lockout settings applies to the user, you can check the resulting lockout policy settings for that user with the command:
Get-ADUserResultantPasswordPolicy -Identity j.brion | Select-Object LockoutDuration, LockoutObservationWindow, LockoutThreshold
In our case, after 10 incorrect password attempts the user account is locked out for 30 minutes. During this time the user cannot log on to the domain with that account and receives the error “1909: The referenced account is currently locked out and may not be logged on to”.
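The two cmdlets above have to be combined in practice, because Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies to the user and the Default Domain Policy is what is actually in force. The following function is an added example (not code from the original article) that resolves the effective lockout policy for a user and labels the two special values described above (threshold 0 = lockout disabled, duration 0 = manual unlock only). The account name j.brion is the article's sample account.

```powershell
# Added example: resolve the lockout policy that actually applies to a user.
# Get-ADUserResultantPasswordPolicy returns nothing when no Fine-Grained
# Password Policy (PSO) applies, so fall back to the Default Domain Policy.
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity -ErrorAction SilentlyContinue
    $source = 'Fine-Grained Password Policy (PSO)'

    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    # A LockoutThreshold of 0 disables lockout entirely; a LockoutDuration of 0
    # (see the note above) means the account stays locked until an admin unlocks it.
    $duration = if ($policy.LockoutThreshold -eq 0) { 'n/a (lockout disabled)' }
                elseif ($policy.LockoutDuration -eq [TimeSpan]::Zero) { 'until manually unlocked' }
                else { $policy.LockoutDuration.ToString() }

    [PSCustomObject]@{
        Identity                 = $Identity
        PolicySource             = $source
        # The default-domain policy object has no Name property; PSOs do.
        PolicyName               = if ($policy.Name) { $policy.Name } else { 'Default Domain Policy' }
        LockoutThreshold         = $policy.LockoutThreshold
        LockoutObservationWindow = $policy.LockoutObservationWindow
        LockoutDuration          = $duration
    }
}

# Usage: a single user (j.brion is the article's sample account) ...
Get-EffectiveLockoutPolicy -Identity 'j.brion' | Format-List

# ... or every enabled user, grouped by policy, to spot accounts covered by a
# stricter (or weaker) PSO. This queries each user once, so it is slow in large domains.
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-EffectiveLockoutPolicy -Identity $_.SamAccountName } |
    Group-Object PolicyName | Select-Object Name, Count
```

The grouped view is the useful check: privileged accounts that end up under the Default Domain Policy when a stricter PSO was intended show up immediately.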
You can find user account lockout events in the Security log on the domain controller holding the PDC Emulator FSMO role. To do this, you need to enable auditing of account lockout events in the Default Domain Controllers Policy GPO.
Note. See also our articles on how to add a UPN suffix in Active Directory and how to configure the Account Lockout GPO settings in an Active Directory domain.
Open the Group Policy Management Console (gpmc.msc), select the Default Domain Controllers Policy, and enable the Audit Account Lockout policy (Success and Failure) under the GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
After the GPO settings have been applied on the domain controllers, event ID 4740 appears in the Security log in Event Viewer whenever an account is locked out:
Log Name: Security
Event ID: 4740
Source: Microsoft Windows security auditing.
Task Category: User Account Management
A user account was locked out
The event contains the name of the locked-out user account and the name of the computer from which the failed logon attempts originated. The computer name is specified in the Caller Computer Name field.
With a simple PowerShell one-liner, you can quickly view the latest lockout events for your domain users with lockout source computer names:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4740} | ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data }
Note. See the linked article for more information about finding the source of user account lockouts in Active Directory.
Unlock a Domain User Account with the ADUC GUI
The domain administrator can unlock the user's account early so the user does not have to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers (ADUC) snap-in.
To unlock a user's account, run dsa.msc, find the user object in the ADUC snap-in, open its properties, go to the Account tab, check the option “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and click OK.
To unlock the user account, you can also use the Active Directory Administrative Center snap-in (dsac.exe).
- Open the Active Directory Administrative Center;
- Navigate to the container or OU containing the user, or use Search to find the user account;
- Open the user's properties;
- Click Unlock account and then OK.
You can also display all locked-out users in the ADAC console:
- Click the arrow button in the top right corner of the console;
- Click Add criteria and select “Users with enabled but locked accounts” in the drop-down list;
- Click Add and then Search;
- A list of all locked-out user accounts appears in the console. You can select all of them, open Properties and unlock them all at once by clicking Unlock account.
How to Unlock Active Directory User Accounts with PowerShell?
You can unlock a user account in Active Directory much faster from the PowerShell command line.
To do this, you will need to install the PowerShell Active Directory module.
On Windows Server, you can install it with the command:
Add-WindowsFeature RSAT-AD-Powershell
Import the Active Directory module into your session:
Import-Module ActiveDirectory
Check whether the user account is locked out. To do this, run the following PowerShell one-liner:
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize
The account is locked out (LockedOut=True).
The time at which the account was locked can be read from the user's lockoutTime attribute (a FILETIME value):
Get-ADUser D.McAllister -Properties Name,lockoutTime | Select-Object Name,@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}}
To unlock a user account, you can use the cmdlet:
Unlock-ADAccount bjackson -Confirm
Press Y to confirm the unlock of the account, then Enter.
You can also use the following syntax:
Get-ADUser -Identity bjackson | Unlock-ADAccount
Check that the account is now unlocked (LockedOut=False):
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut
Now the user can log on to a domain computer or server with their account.
You can quickly find all locked-out user accounts in the domain with this PowerShell command:
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate, LockedOut
To unlock all of the users found, use the command:
Search-ADAccount -UsersOnly -LockedOut | Unlock-ADAccount -Confirm
How to Delegate Permissions to Unlock Accounts in Active Directory?
By default, only domain administrators can unlock user accounts in Active Directory. You can delegate the permission to unlock AD accounts to non-admin users. To do this:
- Create a new Active Directory group named allowUnlockAccount in the domain;
- Open the ADUC console and right-click the users' OU;
- Select Delegate Control;
- Click Add, select the allowUnlockAccount group and click Next;
- Select Create a custom task to delegate > Only the following objects in the folder > User objects;
- Select Property-specific and check two permissions in the list: Read lockoutTime and Write lockoutTime;
- Save your changes.
Users in the allowUnlockAccount group can now unlock accounts in the selected OU using the ADUC MMC snap-in or the Unlock-ADAccount PowerShell cmdlet.
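The same delegation (Read and Write on the lockoutTime property of user objects in the OU) can be granted and, more importantly, verified from the command line with dsacls.exe. This is an added example rather than the article's own procedure; the OU distinguished name and the CORP domain prefix are placeholders, while allowUnlockAccount is the group from the steps above.

```powershell
# Added example: delegate Read/Write lockoutTime on user objects in an OU with
# dsacls.exe, then verify the resulting ACE. Paths and domain prefix are placeholders.
$ou    = 'OU=Users,DC=corp,DC=example'   # placeholder: the OU delegated above
$group = 'CORP\allowUnlockAccount'        # placeholder domain prefix, group from the article

# /I:S  apply the ACE to sub-objects only (the user objects, not the OU itself)
# RPWP  Read Property + Write Property, restricted to the lockoutTime attribute
#       on objects of class "user"
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Verify: the ACL dump should show the group with READ/WRITE PROPERTY for lockoutTime
# and nothing broader (a plain "FULL CONTROL" line here would mean over-delegation).
dsacls $ou | Select-String -Pattern 'allowUnlockAccount' -Context 0, 3
```

Scoping the grant to a single attribute is the point: unlocking an account only requires writing lockoutTime, so the group gets no ability to reset passwords or modify group membership.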
To find out who unlocked a user account, you need to enable the Audit User Account Management policy for domain controllers (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management).
After the GPO has been applied, filter the Security log by Event ID 4767 (A user account was unlocked) to identify the user who unlocked the AD account.
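Both audit events discussed in this article, 4740 (lockout, with the Caller Computer Name) and 4767 (unlock, with the account that performed it), carry their details as <Data Name="..."> elements in the event XML, and the one-liner shown earlier only dumps those elements raw. The following added example (not the article's own code) parses either event into a flat object and queries the PDC Emulator for them. In 4740 the Caller Computer Name shown by Event Viewer is stored in the TargetDomainName field; the sample event XML is constructed here so the parser can be tried offline, and its host name, user name and SID are invented values.

```powershell
# Added example: parse 4740 (lockout) and 4767 (unlock) Security events into
# objects and query them from the PDC Emulator.
function ConvertFrom-AccountLockoutEventXml {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$EventXml)

    $sys = $EventXml.Event.System
    # local-name() sidesteps the event schema namespace on the <Event> element.
    $id  = [int]$sys.SelectSingleNode("*[local-name()='EventID']").InnerText

    # Index EventData by field name: <Data Name="TargetUserName">bjackson</Data>
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($id) {
        4740 { $action = 'LockedOut'; $caller = $data['TargetDomainName']; $by = $null }
        4767 { $action = 'Unlocked';  $caller = $null; $by = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" }
        default { return }   # not an event this parser understands
    }

    [PSCustomObject]@{
        TimeCreated    = [DateTime]$sys.TimeCreated.SystemTime
        EventID        = $id
        Action         = $action
        User           = $data['TargetUserName']
        CallerComputer = $caller   # 4740: machine the failed logons came from
        UnlockedBy     = $by       # 4767: account that performed the unlock
        DomainController = $sys.Computer
    }
}

function Get-ADAccountLockoutAudit {
    [CmdletBinding()]
    param(
        [ValidateSet(4740, 4767)][int[]]$EventId = @(4740, 4767),
        [int]$MaxEvents = 500,
        # 4740 is always logged on the PDC Emulator; 4767 is logged on the DC that did the unlock.
        [string]$ComputerName = (Get-ADDomain).PDCEmulator
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-AccountLockoutEventXml -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample (not a real capture) so the parser can be run offline.
$sample4740 = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T09:12:44.000Z" />
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">bjackson</Data>
    <Data Name="TargetDomainName">WKS-0042</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-AccountLockoutEventXml -EventXml $sample4740 | Format-List

# Live usage: which computers keep locking which users, and who has been unlocking them.
Get-ADAccountLockoutAudit -EventId 4740 | Group-Object User, CallerComputer | Sort-Object Count -Descending | Select-Object Count, Name
Get-ADAccountLockoutAudit -EventId 4767 | Format-Table TimeCreated, User, UnlockedBy, DomainController -AutoSize
```

Grouping 4740 by user and caller computer is the quickest way to separate a one-off mistyped password from a device that holds a stale credential and re-locks the account every observation window, and the 4767 view is the audit trail for the delegated unlock permission described in the previous section.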
3 comments
How would you know the root cause of the block? Or how do you know which computer, task or whatever it is, is blocking the account? (PowerShell)
There are many ways
Love the document, but there is a typo under the heading “Account Lockout Policy”: you incorrectly used the word “licking” instead of “locking”.