A user account in Active Directory is being locked if the password was incorrectly typed several times in a row. In this article, we will show you how to find and unlock the AD account of one user or all locked AD domain users at once.
The threshold value for the number of attempts to enter the wrong password and the account licking time is defined in the Default Domain Policy in the GPO section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.
In our Active Directory domain, this policy is configured as follows:
- Account lockout threshold — 30 minutes;
- Account lockout duration — 10 invalid logon attempts;
- Reset account lockout counter after — 10 minutes.
In our case, after 10 attempts to input the wrong password, the user account is locked for 30 minutes. At this time, the user cannot log in to the domain under an account with the error “1909: The referenced account is currently locked out and may not be logged on to”.
The domain administrator can prematurely unlock the user’s account so he won’t need to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers console (ADUC).
To unlock a user’s account, find AD user object, open the properties, go to the Account tab, check “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and press OK.
However, you can unlock your user account in Active Directory much faster using PowerShell cli.
To do this, you will need to install the Active Directory module for Windows PowerShell.
On Windows Server, you can install it with the command:
Add-WindowsFeature RSAT-AD-Powershell
Check if the user account is locked. To do this, run the following PowerShell one-liner:
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout| ft -AutoSize
The account is locked (Lockedout=True).
To unlock a user account, you can use the cmdlet:
Unlock-ADAccount bjackson –Confirm
To confirm the unlock of the account press Y, then Enter.
You can also use the following syntax:
Get-ADUser -Identity bjackson | Unlock-ADAccount
Check that this account is now unlocked (Lockedout=True):
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout
Now the user can log in to the domain computer or server under his account.
You can quickly find all locked user accounts in the domain. Use this PowerShell command:
Search-ADAccount -lockedout | Select-Object SamAccountName, LastLogonDate, Lockedout
To unlock all users found, use the command:
Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm
- Using Process Monitor (ProcMon) to Track File and Registry Changes - October 23, 2020
- Fix: Unable to Find a Default Server with Active Directory Web Services Running - October 23, 2020
- How to Fix Windows 10 Flashing Screen? - October 20, 2020
How would you know the root cause of the block? or How do you know which computer, task or whatever it is, is blocking the account? (powershell)