Users are among the most common and critical objects in Active Directory (AD). They serve as the foundation for authentication and authorization on workstations, as well as in numerous services integrated with AD.
Effective user management is a core responsibility for system administrators and helpdesk specialists alike. This guide provides comprehensive methods to manage user accounts efficiently.
To manage users, you need to install the Remote Server Administration Tools (RSAT) or perform management directly from your Domain Controller (DC). Additionally, you must be logged in with domain administrator privileges, be a member of the Account Operators group, or have delegated rights to create and modify objects within the targeted Organizational Unit (OU).
How to Find Locked-out User Accounts
User accounts may get locked out for various reasons, and you need to troubleshoot the cause of each lockout; the first step is to get the list of locked-out accounts. There are several ways to obtain this list.
Finding Locked User Accounts with the Active Directory Administrative Center
Run Active Directory Administrative Center (dsac.exe). Select the OU or container where you want to search for locked out users. Expand the top bar by clicking on an arrow button in the right top corner.
Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed.
Finding Locked User Accounts with Windows PowerShell
To find locked-out accounts in AD, use the following PowerShell command:
Search-ADAccount -LockedOut -UsersOnly | Format-Table Name,LockedOut -AutoSize
How to Unlock a User Account
Account lockout is one of the most common cases sysadmins deal with in an organization. Sometimes its cause is hard to determine and requires deep investigation. Disabling the account lockout policy is not the answer, because it helps protect your user accounts from brute-force attacks. In this guide we focus on simple techniques to unlock users.
Unlocking User Accounts via Active Directory Administrative Center
To unlock a user object, open the Active Directory Administrative Center (dsac.exe) and navigate to the OU or container that contains the user. Right-click the object you want to unlock and select Properties.
In the User window, click Unlock account and then OK.
To unlock all locked-out accounts in a certain OU or container, select the OU or container where you want to search for locked-out users. Expand the top bar by clicking on the arrow button in the top right corner. Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed. Select all accounts, go to Properties and click on Unlock account.
Unlocking User Accounts via Windows PowerShell
To unlock a user account, you need to run the following PowerShell code:
Unlock-ADAccount -Identity "CN=User,CN=Users,DC=office,DC=local"
To unlock all locked accounts at once, pipe the output of the Search-ADAccount cmdlet to Unlock-ADAccount:
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount
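The two one-liners above are enough for a quick fix, but before unlocking you usually want to know when and how often the account was hit. The following script is an added example, not code from the original article: it scopes the search to one OU, queries the PDC emulator (because badPwdCount and LastBadPasswordAttempt are not replicated between domain controllers), shows the domain lockout policy for context, and unlocks only when the -Unlock switch is given, prompting per account. The OU in $SearchBase is a placeholder you replace with your own.

```powershell
# Added example (not from the original article): report locked-out users in one OU
# with the details needed to judge the lockout, then unlock only on request.
# Assumes the ActiveDirectory module (RSAT) is installed and rights on the OU.
param(
    [string]$SearchBase = "OU=Staff,DC=office,DC=local",  # placeholder OU, replace it
    [switch]$Unlock                                       # report only unless set
)

Import-Module ActiveDirectory

# Failed-logon counters are not replicated; every bad password is forwarded to
# the PDC emulator, so query it to get consistent numbers for every account.
$pdc = (Get-ADDomain).PDCEmulator

# Show the lockout policy so the counters below can be interpreted.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
"Lockout threshold: {0}, duration: {1}, observation window: {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

# Same query as in the article, scoped to one OU and pinned to the PDC emulator.
$locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase -Server $pdc

$report = foreach ($acct in $locked) {
    $u = Get-ADUser -Identity $acct.DistinguishedName -Server $pdc `
        -Properties AccountLockoutTime, LastBadPasswordAttempt, badPwdCount
    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        AccountLockoutTime     = $u.AccountLockoutTime
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        BadPwdCount            = $u.badPwdCount
        DistinguishedName      = $u.DistinguishedName
    }
}
$report | Format-Table -AutoSize

if ($Unlock) {
    # -Confirm prompts for each account; -PassThru returns only the accounts that
    # were actually unlocked, so declined prompts are not listed as done.
    $report | ForEach-Object {
        Unlock-ADAccount -Identity $_.DistinguishedName -Server $pdc -Confirm -PassThru
    } | Select-Object SamAccountName, @{ n = 'UnlockedAt'; e = { Get-Date } }
}
```

Run it without -Unlock first; a high BadPwdCount with a very recent LastBadPasswordAttempt means something is still sending bad credentials and the account will lock again as soon as it is unlocked.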
Conclusion
Managing user accounts is a fundamental task in Active Directory administration, crucial for maintaining security and operational efficiency. Understanding how to find and unlock locked-out accounts helps system administrators quickly resolve access issues without compromising security policies. Using built-in tools like the Active Directory Administrative Center and PowerShell commands enables efficient user management across your network. Remember, account lockout policies are important to protect against unauthorized access and brute-force attacks, so focus on timely troubleshooting and unlocking rather than disabling these safeguards. Mastery of these techniques ensures smooth user access and strengthens your organization’s security posture.
FAQ
- Q1: Why do user accounts get locked out in Active Directory?
A: Accounts can get locked out due to multiple failed login attempts, password expiration, or security policy triggers designed to prevent unauthorized access.
- Q2: Can I disable the account lockout policy to avoid lockouts?
A: It is not recommended to disable account lockout policies, as they provide essential protection against brute-force attacks and unauthorized access attempts.
- Q3: What permissions do I need to unlock user accounts in Active Directory?
A: You need to be logged in as a domain administrator, a member of the Account Operators group, or have delegated rights to unlock accounts within the relevant Organizational Unit.
- Q4: How can I find all locked-out user accounts in a specific OU?
A: Use the Active Directory Administrative Center’s filter criteria “Users with enabled but locked accounts,” or run the PowerShell command Search-ADAccount -LockedOut -UsersOnly specifying the OU scope.
- Q5: Can I unlock multiple user accounts at once?
A: Yes, you can unlock multiple accounts simultaneously using the Active Directory Administrative Center by selecting all locked accounts, or via PowerShell by piping Search-ADAccount -LockedOut -UsersOnly to Unlock-ADAccount.