Unlock User Account in Active Directory Domain

How to Unlock User Account in Active Directory Domain?


A user account in Active Directory is locked out when the wrong password is entered several times in a row. In this article, we will show you how to find and unlock the account of a single user, or of all locked-out AD domain users at once.

The number of wrong password attempts allowed and the account lockout time are defined in the Default Domain Policy, in the GPO section:

Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.

In our Active Directory domain, this policy is configured as follows:

  • Account lockout threshold – 10 invalid logon attempts;
  • Account lockout duration – 30 minutes;
  • Reset account lockout counter after – 10 minutes.

In our case, after 10 attempts to enter the wrong password, the user account is locked for 30 minutes. During this time, the user cannot log in to the domain with this account and gets the error “1909: The referenced account is currently locked out and may not be logged on to”.

The domain administrator can unlock the user account early so that the user does not have to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers console (ADUC).

To unlock a user’s account, find the AD user object, open its properties, go to the Account tab, check “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and press OK.

However, you can unlock a user account in Active Directory much faster from the PowerShell command line.
To do this, you will need to install the Active Directory module for Windows PowerShell.

On Windows Server, you can install it with the command:

Add-WindowsFeature RSAT-AD-Powershell

Check that the user account is locked. To do this, run the following PowerShell one-liner:

Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout| ft -AutoSize

The account is locked (Lockedout=True).

To unlock a user account, you can use the cmdlet:

Unlock-ADAccount bjackson -Confirm

To confirm the unlock, press Y and then Enter.

You can also use the following syntax:

Get-ADUser -Identity bjackson | Unlock-ADAccount

Check that this account is now unlocked (Lockedout=False):

Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout

Now the user can log in to the domain computer or server with this account.

You can quickly find all locked user accounts in the domain. Use this PowerShell command:

Search-ADAccount -lockedout | Select-Object SamAccountName, LastLogonDate, Lockedout

To unlock all users found, use the command:

Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm
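
Before unlocking every locked account at once, it is worth checking when each lockout happened and which computer the bad passwords came from, since many simultaneous lockouts can point to password guessing rather than forgetful users. The script below is an added example, not part of the original article. It assumes the Active Directory module is installed and that user account management auditing (event ID 4740) is enabled on the PDC emulator; the $ReviewLimit value is a hypothetical cut-off chosen for illustration.

```powershell
# Added example: review locked-out accounts before unlocking them in bulk.
Import-Module ActiveDirectory

# Hypothetical cut-off: above this many locked users, only simulate the unlock.
$ReviewLimit = 5

# Current domain lockout settings (threshold, duration, counter reset window).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Locked user accounts, with the attributes that show when the lockout occurred.
$locked = @(Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
    Get-ADUser -Identity $_.DistinguishedName `
        -Properties LockedOut, AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount
})
$locked | Sort-Object AccountLockoutTime |
    Format-Table SamAccountName, AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount -AutoSize

# Lockout events (ID 4740) are recorded on the PDC emulator. In this event,
# Properties[0] is the locked account and Properties[1] is the caller computer.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -MaxEvents 50 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    Select-Object TimeCreated,
        @{ Name = 'Account';        Expression = { $_.Properties[0].Value } },
        @{ Name = 'CallerComputer'; Expression = { $_.Properties[1].Value } } |
    Format-Table -AutoSize

if ($locked.Count -gt $ReviewLimit) {
    # Many lockouts at once: show what would be unlocked, but change nothing.
    Write-Warning "$($locked.Count) accounts are locked; review the caller computers first."
    $locked | Unlock-ADAccount -WhatIf
}
else {
    # Few lockouts: unlock with a confirmation prompt for each account.
    $locked | Unlock-ADAccount -Confirm
}
```

If the same CallerComputer appears for many different accounts, investigate that host before unlocking anything.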
