11.12.2024

How to Manage User Accounts in Active Directory. Part 4: Finding Locked-out Accounts and Unlocking them.

Users are one of the most popular objects in AD. They are used forauthentication and authorization on workstations. Also in many services which are integrated with AD. User management is the main routine for sysadmins and helpdesk specialists. This guide helps to manage such objects in multiple ways. For managing users there is a need to install RSAT tools or manage them from your DC. You have to be signed under domain admin or an Account Operators user or with delegation rights to create objects in the current OU.

How to Find Locked-out User Accounts

User accounts may get locked-out for some reason and you need to troubleshoot the cause of account lockout, but first of all you need to get the list of them. There are several ways to get this list.

Finding Locked User Accounts with the Active Directory Administrative Center

Run Active Directory Administrative Center (dsac.exe). Select the OU or container where you want to search for locked out users. Expand the top bar by clicking on an arrow button in the right top corner.

Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed.

Finding Locked User Accounts with Windows PowerShell

In order to find locked out accounts in AD, user the following PowerShell script:

Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Format-Table Name,LockedOut -AutoSize

How to Unlock a User Account

Account lockout in one of the most often cases for sysadmins in organization. Sometimes it is even hard to get its cause so it requires deep investigation. But it is not the point to disable an account lockout policy because it helps to protect your user accounts from brute force attacks. In this guide we will focus on easy techniques to unlock users.

Unlocking User Accounts via Active Directory Administrative Center

To unlock a user object, open the Active Directory Administrative Center (dsac.exe), navigate to the OU or container where users exist in. Right-click the object you want to unlock and select Properties.

In the User window click the Unlock account and then OK.

To unlock all locked-out accounts in a certain OU or container select the OU or container where you want to search for locked out users. Expand the top bar by clicking on an arrow button in the right top corner. Click on Add criteria and select the “Users with enabled but locked accounts criteria.” Click Add and the locked-out accounts will be displayed. Select all accounts, go to Properties and click on Unlock account.

Unlocking User Accounts via Windows PowerShell

To unlock a user account, you need to run the following PowerShell code:

Import-Module ActiveDirectory
Unlock-ADAccount -Identity "CN=User,CN=Users,DC=office,DC=local"

And in order to unlock all locked accounts use Search-ADAccount cmdlet:

Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount