How to Unlock User Account in Active Directory Domain?

A user account in Active Directory is locked out if the password is typed incorrectly several times in a row. In this article, we will show you how to find and unlock the AD account of one user, or all locked-out AD domain users at once.

The threshold for the number of wrong password attempts and the account lockout duration are defined in the Default Domain Policy, in the GPO section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.

In our Active Directory domain, this policy is configured as follows:


  • Account lockout threshold — 10 invalid logon attempts;
  • Account lockout duration — 30 minutes;
  • Reset account lockout counter after — 10 minutes.

In our case, after 10 attempts to enter the wrong password, the user account is locked for 30 minutes. During this time, the user cannot log in to the domain under this account and gets the error “1909: The referenced account is currently locked out and may not be logged on to”.

The domain administrator can unlock the user’s account early so the user won’t need to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers console (ADUC).


To unlock a user’s account, find the AD user object, open its properties, go to the Account tab, check “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and press OK.


However, you can unlock a user account in Active Directory much faster from the PowerShell command line.
To do this, you will need to install the Active Directory module for Windows PowerShell.

On Windows Server, you can install it with the command:

Add-WindowsFeature RSAT-AD-Powershell

Check if the user account is locked. To do this, run the following PowerShell one-liner:

Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut | ft -AutoSize

The account is locked (LockedOut=True).


To unlock a user account, you can use the cmdlet:

Unlock-ADAccount bjackson -Confirm

To confirm the unlock of the account press Y, then Enter.

You can also use the following syntax:

Get-ADUser -Identity bjackson | Unlock-ADAccount


Check that this account is now unlocked (LockedOut=False):

Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut


Now the user can log in to a domain computer or server under their account.

You can also quickly find all locked-out user accounts in the domain with this PowerShell command:

Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate, LockedOut


To unlock all the accounts found, use the command (you will be asked to confirm each one):

Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm
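As an added example (not the article's own code), the script below combines the search and bulk-unlock steps above into two functions and adds what an administrator usually wants before unlocking: a report of when each account was locked and when the last bad password was attempted, a per-account confirmation prompt with -WhatIf support, and an audit line written for every unlock. It queries the PDC emulator, which holds the authoritative lockout state, so a lockout that has not yet replicated to other domain controllers is still seen. The OU distinguished name and the log path are placeholders.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT-AD-PowerShell) and an account allowed to unlock users.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    param(
        # Optional OU to limit the search, e.g. "OU=Staff,DC=example,DC=com" (placeholder)
        [string]$SearchBase
    )
    # The PDC emulator receives every lockout first and keeps the authoritative state.
    $pdc = (Get-ADDomain).PDCEmulator
    $params = @{ LockedOut = $true; UsersOnly = $true; Server = $pdc }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    Search-ADAccount @params | ForEach-Object {
        # Pull the lockout details that Search-ADAccount does not return
        Get-ADUser -Identity $_.DistinguishedName -Server $pdc `
            -Properties LockedOut, AccountLockoutTime, LastBadPasswordAttempt,
                        BadLogonCount, LastLogonDate
    } | Select-Object SamAccountName, LockedOut, AccountLockoutTime,
                      LastBadPasswordAttempt, BadLogonCount, LastLogonDate
}

function Unlock-LockedOutAccounts {
    # ConfirmImpact High makes the cmdlet prompt for each account; -WhatIf only lists them.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$SearchBase,
        # Audit log of who unlocked what and when (placeholder path)
        [string]$LogPath = "$env:TEMP\ad-unlock.log"
    )
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($acct in (Get-LockedOutReport -SearchBase $SearchBase)) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Unlock account')) {
            Unlock-ADAccount -Identity $acct.SamAccountName -Server $pdc
            "$(Get-Date -Format o) $env:USERNAME unlocked $($acct.SamAccountName) " +
            "(locked at $($acct.AccountLockoutTime), last bad password $($acct.LastBadPasswordAttempt))" |
                Add-Content -Path $LogPath
        }
    }
}

# Review the locked-out accounts first, then unlock them one by one with confirmation.
Get-LockedOutReport | Format-Table -AutoSize
Unlock-LockedOutAccounts
```

Run `Unlock-LockedOutAccounts -WhatIf` to see which accounts would be unlocked without changing anything; a burst of repeated lockouts for the same account shortly after an unlock is usually a sign of a stale cached password or scheduled task rather than a user mistyping.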
Cyril Kardashevsky

One comment

  1. How would you know the root cause of the block? Or how do you know which computer, task or whatever it is, is blocking the account? (PowerShell)
