A user account in Active Directory is locked out when a wrong password is entered several times in a row and the number of failed attempts exceeds the limit set by the account lockout policy. In this article, we will show you how to find and unlock the AD account of a single user, or all locked-out domain users at once.
Account Lockout Policy
The number of failed password attempts that triggers a lockout and the lockout duration are defined in the Default Domain Policy, in the GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
In our Active Directory domain, this policy is configured as follows:
- Account lockout threshold — 10 invalid logon attempts;
- Account lockout duration — 30 minutes;
- Reset account lockout counter after — 10 minutes.
In our case, after 10 wrong password attempts the user account is locked out for 30 minutes. During this time the user cannot log on to the domain with that account and receives the error “1909: The referenced account is currently locked out and may not be logged on to”.
You can find account lockout events in the Security log of the domain controller that holds the PDC Emulator FSMO role. To do this, you need to enable auditing of account lockout events in the Default Domain Controllers Policy GPO.
Open the Group Policy Management Console (gpmc.msc), select the Default Domain Controllers Policy, and enable the Audit Account Lockout policy (Success and Failure) under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
After updating the GPO settings on domain controllers, when an account is locked, the 4740 event appears in the Security log in the Event Viewer:
Log Name: Security
Event ID: 4740
Source: Microsoft Windows security auditing.
Task Category: User Account Management
A user account was locked out
The event contains the name of the locked-out account and the computer from which the failed logon attempts came. The computer name is shown in the Caller Computer Name field.
You can quickly display the latest lock events for your domain users with computer names using a simple PowerShell one-liner:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4740} | ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data }
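The one-liner above dumps the raw EventData nodes. The following script is an added example, not part of the original article: it turns the 4740 events into objects with the locked account, the caller computer and the time, and warns when one source computer has locked several different accounts within the window. The -Hours window and the -RepeatThreshold value are assumptions chosen for this example; run it on the PDC Emulator or point -ComputerName at it.

```powershell
# Added example: summarise 4740 "A user account was locked out" events per source computer.
function Get-AccountLockoutReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # the PDC Emulator sees every lockout
        [int]$Hours = 24,                            # assumed look-back window
        [int]$RepeatThreshold = 3                    # assumed: flag a source that locked this many accounts
    )

    $filter = @{
        LogName   = 'Security'
        ID        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $lockouts = foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> nodes; index them by Name
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time             = $e.TimeCreated
            LockedAccount    = $data['TargetUserName']
            # "Caller Computer Name" in Event Viewer is stored as TargetDomainName in the XML
            CallerComputer   = $data['TargetDomainName']
            DomainController = $e.MachineName
        }
    }

    $lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

    # Many different accounts locked from a single source in a short window deserves a closer look
    $lockouts | Group-Object CallerComputer |
        Where-Object { @($_.Group.LockedAccount | Sort-Object -Unique).Count -ge $RepeatThreshold } |
        ForEach-Object {
            Write-Warning ("{0} locked {1} different account(s) in the last {2}h" -f $_.Name,
                @($_.Group.LockedAccount | Sort-Object -Unique).Count, $Hours)
        }
}

Get-AccountLockoutReport -Hours 24
```

The caller computer is the first place to look for the root cause of a lockout: a stale password in a scheduled task, a mapped drive, a service account or a mobile device on that machine keeps retrying the old password and locks the account again as soon as it is unlocked.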
How to Unlock AD User Accounts via ADUC or PowerShell?
A domain administrator can unlock the account early, so that the user does not have to wait 30 minutes. You can unlock a user account with the Active Directory Users and Computers console (ADUC).
To unlock a user account, find the user object in the ADUC snap-in, open its properties, go to the Account tab, check the option “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and click OK.
However, you can unlock a user account in Active Directory much faster with PowerShell.
To do this, you will need to install the Active Directory module for Windows PowerShell.
On Windows Server, you can install it with the command:
Add-WindowsFeature RSAT-AD-Powershell
Import the ActiveDirectory module into your session:
Import-Module ActiveDirectory
Check whether the user account is locked out with the following PowerShell one-liner:
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize
The account is locked out (LockedOut=True).
The time of the lockout is stored as a file time in the lockoutTime attribute of the user object; convert it to a readable date:
Get-ADUser D.McAllister -Properties Name,lockoutTime | Select-Object Name,@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}}
To unlock a user account, you can use the cmdlet:
Unlock-ADAccount bjackson -Confirm
Press Y to confirm the unlock of the account, then Enter.
You can also use the following syntax:
Get-ADUser -Identity bjackson | Unlock-ADAccount
Check that the account is now unlocked (LockedOut=False):
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut
Now the user can log on to domain computers and servers with this account.
You can quickly find all locked user accounts in the domain. Use this PowerShell command:
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate, LockedOut
To unlock all users found, use the command:
Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm
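Unlocking every locked account blindly hides the cause. The script below is an added example, not code from the original article: it lists the locked-out accounts together with the attributes that help triage (lockout time, bad password count, last bad password attempt, last logon) and, with -Unlock, prompts to unlock only accounts whose lockout is older than -MinimumAgeMinutes. That minimum-age rule is an assumption for this example: an account locked a minute ago is probably still being hammered by the same source and would lock again immediately.

```powershell
# Added example: triage locked-out accounts before unlocking them.
Import-Module ActiveDirectory

function Invoke-LockedAccountTriage {
    param(
        [int]$MinimumAgeMinutes = 10,   # assumed: leave very fresh lockouts alone
        [switch]$Unlock
    )

    # badPwdCount and LastBadPasswordAttempt are per-DC values (not replicated);
    # the numbers you see are those of the DC this session is connected to.
    $locked = Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName         = $_.SamAccountName
                Enabled                = $_.Enabled
                LockedSince            = if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } else { $null }
                BadPwdCount            = $_.badPwdCount
                LastBadPasswordAttempt = $_.LastBadPasswordAttempt
                LastLogonDate          = $_.LastLogonDate
            }
        }

    $locked | Sort-Object LockedSince -Descending | Format-Table -AutoSize

    if ($Unlock) {
        $cutoff = (Get-Date).AddMinutes(-$MinimumAgeMinutes)
        foreach ($acct in ($locked | Where-Object { $_.LockedSince -and $_.LockedSince -lt $cutoff })) {
            # -Confirm keeps a human in the loop for each account
            Unlock-ADAccount -Identity $acct.SamAccountName -Confirm
        }
    }
}

Invoke-LockedAccountTriage             # report only
# Invoke-LockedAccountTriage -Unlock   # report, then prompt to unlock each older lockout
```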
How to Delegate Permissions to Unlock Accounts in Active Directory?
You can delegate the permission to unlock AD accounts to non-admin users. To do this:
- Create a new allowUnlockAccount security group in the domain;
- Open the ADUC console and right-click the OU that contains the users;
- Select the item Delegate Control;
- Click Add and select the allowUnlockAccount group. Click Next;
- Select Create a custom task to delegate > Only the following objects in the folder > User objects;
- Select Property-specific and check two permissions in the list: Read lockoutTime and Write lockoutTime;
- Save your changes.
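The same delegation can be applied from PowerShell, which makes it reviewable and repeatable across OUs. This is an added example and not part of the original article; the group name matches the steps above, the OU distinguished name is an assumption to replace with your own. Rather than hard-coding schema GUIDs, the script looks up the schemaIDGUID of the lockoutTime attribute and of the user class, then adds a single ACE granting ReadProperty and WriteProperty on that attribute to descendant user objects only.

```powershell
# Added example: delegate Read/Write lockoutTime on user objects in an OU to a group.
Import-Module ActiveDirectory

$groupName = 'allowUnlockAccount'
$ouDN      = 'OU=Users,DC=contoso,DC=com'   # assumed target OU; replace with yours

# Resolve the schema GUIDs for the lockoutTime attribute and the user object class
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$groupSid = (Get-ADGroup -Identity $groupName).SID

# Build an ACE: Allow ReadProperty + WriteProperty, limited to lockoutTime,
# inherited by descendant objects of class user only
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what was written: expect ReadProperty, WriteProperty with the two GUIDs above
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Keeping the grant to a single attribute on user objects is what limits the delegation: members of the group can clear a lockout but cannot reset passwords, change group membership or touch other object classes in the OU.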
Users in the allowUnlockAccount group can now unlock accounts from the selected OU using the ADUC console or the Unlock-ADAccount PowerShell cmdlet.
To find out who unlocked a user account, enable the Audit User Account Management policy for domain controllers (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management).
After updating the GPO, you can filter the Security Log by the Event ID 4767 (A user account was unlocked) to identify the user who unlocked the AD account.
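As an added example, not part of the original article, the function below pulls the 4767 events for one account and shows who unlocked it and when. It uses an XPath filter so the event log service returns only events whose TargetUserName matches, instead of parsing every 4767 event client-side. The account name and the look-back window are assumptions; unlike lockouts, 4767 is written on whichever domain controller processed the unlock, so query each DC (or your central log collector) rather than only the PDC Emulator.

```powershell
# Added example: who unlocked a given account, from Event ID 4767.
function Get-AccountUnlockHistory {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ComputerName = $env:COMPUTERNAME,   # run against each DC; 4767 is logged where the unlock happened
        [int]$Hours = 168                             # assumed look-back window (7 days)
    )

    # timediff() in event-log XPath works in milliseconds
    $sinceMs = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4767 and TimeCreated[timediff(@SystemTime) <= $sinceMs]] and " +
             "EventData[Data[@Name='TargetUserName']='$SamAccountName']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time             = $_.TimeCreated
                UnlockedAccount  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                UnlockedBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                DomainController = $_.MachineName
            }
        }
}

Get-AccountUnlockHistory -SamAccountName bjackson -Hours 168 | Format-Table -AutoSize
```

The Subject fields identify the administrator or delegated user who performed the unlock; the same audit category also produces the events for the delegation steps above, so unlocks by members of allowUnlockAccount show up here as well.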
How would you know the root cause of the block? Or how do you know which computer, task, or whatever it is, is blocking the account? (PowerShell)
There are many ways
Love the document, but there is a typo under the heading “Account Lockout Policy”: you incorrectly used the word “licking” instead of “locking”.