How to check if an AD account is locked out
The Account Lockout Policy in Active Directory Group Policy sets the number of failed sign-in attempts allowed before a user account is locked out; whether a given account has been locked can be read from its AD account lockout status. Once the account is locked out, it cannot be used (even with the correct password) until the account lockout duration has passed, or until an administrator manually unlocks it. That’s where you come in.
The Account Lockout Policy deters cybercriminals from brute-forcing Active Directory accounts, but the same feature can cause a huge headache for a sysadmin and the IT team when an impatient end user is looking for a workaround.
Below is an example of what an end-user sees when they’re in the ALP lockout purgatory.
Check AD account lockout status
How can administrators check if an Active Directory account is locked out? In ADUC, navigate to the properties of the user, then the Account tab. You will see the following message if an account is locked out:
- Unlock account. This account is currently locked out on this Active Directory Domain Controller.
Administrators can also use PowerShell to query an Active Directory account, and check its status. You can use the following on a domain controller to check the properties of a user account.
Import-Module ActiveDirectory
Get-ADUser -Identity testuser -Properties * | Select-Object AccountExpirationDate, accountExpires, AccountLockoutTime, BadLogonCount, badPwdCount, LastBadPasswordAttempt, LastLogonDate, LockedOut, PasswordExpired, PasswordLastSet, pwdLastSet | Format-List
Unlocking Active Directory user accounts
A full guide on how to unlock Active Directory account lockouts can be found in our separate blog article on that topic.
Quick guidance:
The process of unlocking an account is straightforward. By default, there are two ways an account can unlock. This includes either administrator intervention, or waiting for the account lockout duration to expire.
An administrator can unlock the user account by either using the ADUC GUI, or PowerShell. Let’s briefly look at both ways.
Using the ADUC snap-in, an administrator can place a check in the box next to “Unlock account. This account is currently locked out on this Active Directory Domain Controller.”
This is easily accomplished using PowerShell as well. Administrators can use the following PowerShell cmdlet.
Unlock-ADAccount -Identity <username>
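The check and the unlock above, combined into one script as an added example (not code from the original article or from Specops). It queries the PDC emulator, because badPwdCount is not replicated and lockout events are logged there, pulls the source machine from Security event 4740, and unlocks only after confirmation. The account name is a placeholder and the function name is this example’s own; the assumption that event 4740 carries the account name in its first property and a “Caller Computer Name:” line in its message is marked in the comments.

```powershell
# Added example, not from the original article. Reports lockout status from the PDC
# emulator and, when the account really is locked, prompts before unlocking it.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param([Parameter(Mandatory)][string]$Identity)

    # badPwdCount is not replicated between DCs, so ask the PDC emulator directly.
    $pdc = (Get-ADDomain).PDCEmulator

    $user = Get-ADUser -Identity $Identity -Server $pdc -Properties `
        LockedOut, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt, `
        PasswordExpired, PasswordLastSet

    # Security event 4740 ("A user account was locked out") is recorded on the PDC.
    # Assumption: Properties[0] is the locked-out account name and the message text
    # contains a "Caller Computer Name:" line naming the machine that sent bad passwords.
    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $user.SamAccountName } |
        ForEach-Object {
            $caller = if ($_.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $caller }
        }

    [pscustomobject]@{
        User                   = $user.SamAccountName
        Server                 = $pdc
        LockedOut              = $user.LockedOut
        AccountLockoutTime     = $user.AccountLockoutTime
        BadLogonCount          = $user.BadLogonCount
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
        PasswordExpired        = $user.PasswordExpired
        RecentLockoutSources   = $lockouts
    }
}

$report = Get-LockoutReport -Identity 'testuser'   # placeholder account name
$report | Format-List

# Unlock only when the account is actually locked, and confirm before changing anything.
if ($report.LockedOut) {
    Unlock-ADAccount -Identity $report.User -Server $report.Server -Confirm
}
```

If the same caller computer keeps appearing in RecentLockoutSources, that machine (often one holding stale cached credentials) is where to look before unlocking again.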
Self-service account unlocks
With many organizations supporting remote employees, self-service workflows for end users are hugely beneficial. Self-service solutions save IT time and money by reducing help desk tickets, and they prompt users to take ownership of their own password security and updates. Higher numbers of remote workers can aggravate the cached credential problem, which means more lockouts and more help desk calls. Reliable self-service options will reduce this burden on your help desk.
Resetting passwords can be a hassle for both end users and IT teams. Specops uReset is one self-service option that allows end users to perform everyday password and account management tasks in Active Directory themselves. This also saves IT team and service desk time that could be better spent elsewhere. Research has shown that the average organization saved $65K in 2023 by switching to self-service password resets.
The fastest way from a locked AD account status to a successful login
Specops uReset is a self-service solution that enables users to securely reset their Active Directory passwords. End users can initiate the password reset process from any browser, from their mobile device, or right from the Windows logon screen on their workstations. Specops uReset checks whether an AD account is locked and notifies the end user when they’re locked out. Furthermore, it lets the user unlock the account without a manual admin fix, saving you a ton of time and tickets. With a self-service solution like Specops uReset you don’t have to identify or resolve a locked account yourself; the user can do it themselves.
Security features like multi-factor authentication and geo-blocking ensure that the Specops uReset password reset solution is consistent with the level of security you’d expect in your admin systems.
You can learn more about Specops uReset, and try it for free.
(Last updated on November 6, 2024)