A user account in Active Directory is locked out when the wrong password is entered several times in a row. In this article, we will show you how to find and unlock the AD account of one user or of all locked AD domain users at once.
The threshold for the number of wrong password attempts and the account lockout time are defined in the Default Domain Policy in the GPO section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.
In our Active Directory domain, this policy is configured as follows:
- Account lockout threshold — 10 invalid logon attempts;
- Account lockout duration — 30 minutes;
- Reset account lockout counter after — 10 minutes.
In our case, after 10 attempts to enter the wrong password, the user account is locked for 30 minutes. During this time, the user cannot log in to the domain under this account and gets the error “1909: The referenced account is currently locked out and may not be logged on to”.
The domain administrator can unlock the user’s account early so he won’t need to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers console (ADUC).
To unlock a user’s account, find the AD user object, open its properties, go to the Account tab, check “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and press OK.
However, you can unlock a user account in Active Directory much faster from the PowerShell CLI.
To do this, you will need to install the Active Directory module for Windows PowerShell.
On Windows Server, you can install it with the command:
Check if the user account is locked. To do this, run the following PowerShell one-liner:
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut | ft -AutoSize
The account is locked (Lockedout=True).
To unlock a user account, you can use the cmdlet:
Unlock-ADAccount bjackson -Confirm
To confirm the unlock of the account press Y, then Enter.
You can also use the following syntax:
Get-ADUser -Identity bjackson | Unlock-ADAccount
Check that this account is now unlocked (Lockedout=False):
Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object samaccountName,Lockedout
Now the user can log in to the domain computer or server under his account.
You can quickly find all locked user accounts in the domain. Use this PowerShell command:
Search-ADAccount -lockedout | Select-Object SamAccountName, LastLogonDate, Lockedout
To unlock all users found, use the command:
Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm
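Before unlocking every account at once, it helps to see when and from where each account was locked, because many lockouts from a single source usually mean password guessing rather than forgotten passwords. The script below is an added example, not part of the original article; the function name Get-LockoutReport and the HoursBack parameter are hypothetical, and it assumes the Active Directory module, auditing of user account management enabled, and rights to read the Security log on the PDC emulator.

```powershell
# Added example (not from the original article).
# Assumes: ActiveDirectory module, a domain-joined session, account management
# auditing enabled, and permission to read the Security log on the PDC emulator.
Import-Module ActiveDirectory

function Get-LockoutReport {          # hypothetical helper name
    [CmdletBinding()]
    param([int]$HoursBack = 24)       # hypothetical parameter: how far back to read events

    $pdc   = (Get-ADDomain).PDCEmulator
    $since = (Get-Date).AddHours(-$HoursBack)

    # Event 4740 ("A user account was locked out") is collected from the PDC emulator.
    # Properties[0] = locked account name, Properties[1] = caller computer name.
    $events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since }

    # Get-WinEvent returns the newest events first, so keep the first hit per account.
    $sourceByUser = @{}
    foreach ($e in $events) {
        $name = [string]$e.Properties[0].Value
        if (-not $sourceByUser.ContainsKey($name)) {
            $sourceByUser[$name] = [string]$e.Properties[1].Value
        }
    }

    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountLockoutTime, LastBadPasswordAttempt
        [pscustomobject]@{
            SamAccountName         = $u.SamAccountName
            AccountLockoutTime     = $u.AccountLockoutTime
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            LockoutSource          = $sourceByUser[$u.SamAccountName]  # empty if no event found
        }
    }
}

$report = Get-LockoutReport
$report | Sort-Object LockoutSource, AccountLockoutTime | Format-Table -AutoSize

# -WhatIf only lists the accounts that would be unlocked; remove it to unlock them.
$report | ForEach-Object { Unlock-ADAccount -Identity $_.SamAccountName -WhatIf }
```

If many accounts share one LockoutSource or were locked within the same few minutes, investigate that source before removing -WhatIf.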