How to Unlock User Account in Active Directory Domain?

A user account in Active Directory is locked out when a wrong password is entered several times in a row, exceeding the maximum number of attempts allowed by the account lockout policy. In this article, we will show you how to find and unlock the AD account of one user, or of all locked AD domain users at once.

Account Lockout Policy

The threshold value for the number of wrong password attempts and the account lockout time are defined in the Default Domain Policy in the GPO section Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.

In our Active Directory domain, this policy is configured as follows:


  • Account lockout threshold — 10 invalid logon attempts;
  • Account lockout duration — 30 minutes;
  • Reset account lockout counter after — 10 minutes.

In our case, after 10 attempts to input the wrong password, the user account is locked for 30 minutes. During this time, the user cannot log in to the domain with this account and gets the error “1909: The referenced account is currently locked out and may not be logged on to”.

You can find user account lockout events in the Security log on the domain controller that holds the PDC Emulator FSMO role. To do this, you need to enable auditing of account lockout events in the GPO Default Domain Controllers Policy.

Open the Group Policy Management Console (gpmc.msc), select the Default Domain Controllers Policy, and enable the Audit Account Lockout policy (Success and Failure) under the GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Logon/Logoff.


After updating the GPO settings on the domain controllers, event 4740 appears in the Security log in the Event Viewer each time an account is locked out:

Log Name: Security
Event ID: 4740
Source: Microsoft Windows security auditing.
Task Category: User Account Management
A user account was locked out

The event contains the name of the locked user account and the computer from which the lockout originated. The computer name is specified in the Caller Computer Name field.


You can quickly display the latest lock events for your domain users with computer names using a simple PowerShell one-liner:

Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4740} | %{([xml]$_.ToXml()).Event.EventData.Data}


How to Unlock AD User Accounts via ADUC or PowerShell?

The domain administrator can unlock the user’s account early so that the user does not have to wait 30 minutes. You can unlock a user account using the Active Directory Users and Computers console (ADUC).

To unlock a user’s account, find the user object in the ADUC snap-in, open its properties, go to the Account tab, check the option “Unlock account. This account is currently locked out on this Active Directory Domain Controller” and press OK.


However, you can unlock a user account in Active Directory much faster using PowerShell. To do this, you will need to install the Active Directory module for Windows PowerShell.

On Windows Server, you can install it with the command:

Add-WindowsFeature RSAT-AD-Powershell

Import the RSAT-AD-Powershell module into your session:

Import-Module ActiveDirectory

Check if the user account is locked. To do this, run the following PowerShell one-liner:

Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize

The account is locked (LockedOut=True).


The time at which the user was locked out is stored in the lockoutTime attribute (a Windows FILETIME value), which can be converted to a readable date:

Get-ADUser D.McAllister -Properties Name,lockoutTime |
Select-Object Name,@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}}


To unlock a user account, you can use the cmdlet:

Unlock-ADAccount bjackson -Confirm

Press Y to confirm the unlock of the account, then Enter.

You can also use the following syntax:

Get-ADUser -Identity bjackson | Unlock-ADAccount


Check that the account is now unlocked (LockedOut=False):

Get-ADUser -Identity bjackson -Properties LockedOut | Select-Object SamAccountName, LockedOut


Now the user can log in to the domain computer or server with their account.

You can quickly find all locked user accounts in the domain with this PowerShell command:

Search-ADAccount -lockedout | Select-Object SamAccountName, LastLogonDate, Lockedout


To unlock all users found, use the command:

Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm
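The check-then-unlock procedure above, as an added example that is not part of the original article: it lists every locked-out account with its decoded lockoutTime and the minutes left until the Account lockout duration expires, then does a dry run of the unlock. It assumes the RSAT-AD-PowerShell module is installed and that the account running it may read the default domain password policy; the column names and the 'manual unlock only' marker are constructed here.

```powershell
# Added example (not from the original article): report locked-out accounts
# with the time left until they unlock by themselves, then dry-run the unlock.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    # Account lockout duration from the Default Domain Policy (a TimeSpan).
    # A value of 0 means accounts stay locked until an administrator unlocks them.
    $duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration

    Search-ADAccount -LockedOut |
        Get-ADUser -Properties lockoutTime, LastBadPasswordAttempt |
        ForEach-Object {
            # lockoutTime is a FILETIME; LastBadPasswordAttempt is not replicated,
            # so its value is only as seen by the DC that answered the query.
            $lockedAt     = [DateTime]::FromFileTime($_.lockoutTime)
            $autoUnlockAt = if ($duration -eq [TimeSpan]::Zero) { $null } else { $lockedAt + $duration }
            [pscustomobject]@{
                User         = $_.SamAccountName
                LockedAt     = $lockedAt
                LastBadPwd   = $_.LastBadPasswordAttempt
                AutoUnlockAt = $autoUnlockAt
                MinutesLeft  = if ($autoUnlockAt) {
                                   [math]::Max(0, [int](($autoUnlockAt - (Get-Date)).TotalMinutes))
                               } else { 'manual unlock only' }
            }
        }
}

$report = Get-LockedOutReport
$report | Format-Table -AutoSize

# Dry run: -WhatIf prints the accounts that would be unlocked without changing anything.
# Remove -WhatIf once the list has been reviewed.
$report | ForEach-Object { Unlock-ADAccount -Identity $_.User -WhatIf }
```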

How to Delegate Permissions to Unlock Accounts in Active Directory?

You can delegate the permission to unlock AD accounts to a non-admin user. To do this:

  1. Create a new allowUnlockAccount security group in the domain;
  2. Open the ADUC console and right-click on the users’ OU;
  3. Select the item Delegate Control;
  4. Click Add and select the allowUnlockAccount group. Click Next;
  5. Select Create a custom task to delegate > Only the following objects in the folder > User objects;
  6. Select Property-specific and check two permissions in the list: Read lockoutTime and Write lockoutTime;
  7. Save your changes.

Users in the allowUnlockAccount group can now unlock accounts from the selected OU using the ADUC console or the Unlock-ADAccount PowerShell cmdlet.

To get information about who unlocked a user, you need to enable the Audit User Account Management policy for domain controllers (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management).

After updating the GPO, you can filter the Security log by Event ID 4767 (A user account was unlocked) to identify the user who unlocked the AD account.
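The 4740 one-liner earlier in the article and the 4767 filtering described here share the same parsing problem: the interesting values (Caller Computer Name, the account that performed the unlock) sit in unnamed positions of EventData. The following is an added example, not the article's own code: it maps the EventData fields by name, reads both event IDs from the PDC Emulator's Security log, and counts which computer keeps locking which account. It assumes the RSAT-AD-PowerShell module, the right to read the Security log on the domain controller, and the standard field names of events 4740 and 4767 (TargetUserName, TargetDomainName, SubjectUserName).

```powershell
# Added example (not from the original article): read lockout (4740) and unlock
# (4767) events from the PDC Emulator and expose the EventData fields by name.
Import-Module ActiveDirectory

function Convert-EventData {
    # Map the <Data Name="..."> elements of a Security event to a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

function Get-LockoutEvents {
    param(
        [int]$Hours = 24,
        # Lockouts are processed on the PDC Emulator, so its log has the complete picture.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4740, 4767
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: "no events found" is an empty result, not an error.
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Convert-EventData $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Event  = if ($_.Id -eq 4740) { 'LockedOut' } else { 'Unlocked' }
                User   = $f['TargetUserName']
                # 4740: TargetDomainName carries the Caller Computer Name.
                # 4767: SubjectUserName is the account that performed the unlock.
                Caller = if ($_.Id -eq 4740) { $f['TargetDomainName'] } else { $f['SubjectUserName'] }
            }
        }
}

# Which computer keeps locking which account: count 4740 events per user/caller pair.
Get-LockoutEvents -Hours 72 |
    Where-Object Event -eq 'LockedOut' |
    Group-Object User, Caller |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A user/caller pair with a high count usually points to a stale credential (a mapped drive, scheduled task or service) on that computer rather than a person typing the wrong password.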

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

2 comments

  1. How would you know the root cause of the block? Or how do you know which computer, task or whatever it is, is blocking the account? (PowerShell)
