How to check if an AD account is locked out

The Account Lockout Policy in Active Directory Group Policy sets the number of failed sign-in attempts allowed before a user account is locked out. Whether an account has reached that limit is shown by its AD account lockout status. Once the account is locked out, it cannot be used (even with the correct password) until the account lockout duration has passed or an administrator manually unlocks the account. That’s where you come in.

The Account Lockout Policy deters cybercriminals performing brute force attacks against Active Directory accounts, but this feature can cause a huge headache for a sysadmin and the IT team when an impatient end user is looking for a workaround.


Below is an example of what an end-user sees when they’re in the ALP lockout purgatory. 

testuser screen with a message stating "the referenced account is currently locked out and may not be logged on to". There is an okay button for an end user to click.

Check AD account lockout status

How can administrators check if an Active Directory account is locked out? In ADUC, navigate to the properties of the user, then the Account tab. You will see the following message if an account is locked out:

  • Unlock account. This account is currently locked out on this Active Directory Domain Controller.
Screenshot of an active directory backend or ADUC, showing properties of the user and account tab. There is an arrow to a toggle that says "Unlock account. This account is currently locked out on this Active Directory Domain Controller."

Administrators can also use PowerShell to query an Active Directory account, and check its status. You can use the following on a domain controller to check the properties of a user account.

Import-Module ActiveDirectory

# Show the lockout- and password-related properties of one account
Get-ADUser -Identity testuser -Properties * | Select-Object accountexpirationdate, accountexpires, accountlockouttime, badlogoncount, badpwdcount, lastbadpasswordattempt, lastlogondate, lockedout, passwordexpired, passwordlastset, pwdlastset | Format-List
screenshot of the import-module activedirectory
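
The single-user query above extends naturally to a report of every locked-out account and the time at which its lockout duration ends. The following is an added example, not part of the original article or any Specops tooling; the function name Get-LockoutReport is hypothetical, and it assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example: list every locked-out user and when the lockout ends.
Import-Module ActiveDirectory

function Get-LockoutReport {
    # Domain-wide Account Lockout Policy, used when no fine-grained policy applies
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    $props = 'AccountLockoutTime', 'BadLogonCount', 'LastBadPasswordAttempt', 'LockedOut'

    # Search-ADAccount returns only the accounts that are locked out right now
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        $user = Get-ADUser -Identity $_.DistinguishedName -Properties $props

        # A fine-grained password policy (PSO), if one applies, overrides the domain policy
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user
        $duration = if ($pso) { $pso.LockoutDuration } else { $domainPolicy.LockoutDuration }

        # A duration of zero means the account stays locked until an administrator unlocks it
        $needsAdmin = ($duration -eq [TimeSpan]::Zero)
        $unlocksAt = if (-not $needsAdmin -and $user.AccountLockoutTime) {
            $user.AccountLockoutTime + $duration
        } else {
            $null
        }

        [pscustomobject]@{
            SamAccountName         = $user.SamAccountName
            LockedOut              = $user.LockedOut
            AccountLockoutTime     = $user.AccountLockoutTime
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
            BadLogonCount          = $user.BadLogonCount
            LockoutDuration        = $duration
            AutoUnlockAt           = $unlocksAt
            NeedsAdminUnlock       = $needsAdmin
        }
    }
}

Get-LockoutReport | Sort-Object AccountLockoutTime | Format-Table -AutoSize
```

Many accounts locking out within a short window, or one account that locks again right after every unlock, is worth investigating as possible password guessing or a stale cached credential rather than clearing each lockout by hand.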

Unlocking Active Directory user accounts

A full guide on how to unlock Active Directory account lockouts can be found in our dedicated blog article on the topic.

Quick guidance:

The process of unlocking an account is straightforward. By default, there are two ways an account can be unlocked: an administrator intervenes, or the account lockout duration expires.

An administrator can unlock the user account by either using the ADUC GUI, or PowerShell. Let’s briefly look at both ways.

Using the ADUC snap-in, an administrator can tick the checkbox labeled "Unlock account. This account is currently locked out on this Active Directory Domain Controller."

This is easily accomplished using PowerShell as well. Administrators can use the following PowerShell cmdlet.

Unlock-ADAccount <username>
screenshot of the ADUC snap-in

Self-service account unlocks

With many organizations supporting remote employees, self-service workflows for end-users are hugely beneficial. Self-service solutions save IT time and money by reducing help desk tickets, and they prompt users to take ownership of their own password security and updates. Higher numbers of remote workers can increase the cached credential problem, which means more lockouts and more helpdesk calls. Reliable self-service options will reduce this burden on your helpdesk.

Resetting passwords can be a hassle for both end users and IT teams. Specops uReset is one great self-service option that allows end users to perform everyday tasks related to password and account management in Active Directory. This also saves the IT team and service desk time that could be better spent elsewhere. Research has shown that organizations saved an average of $65K in 2023 by switching to self-service password resets.

The fastest way from a locked AD account status to a successful login

Specops uReset is a self-service solution that enables users to securely reset their Active Directory passwords. End-users can initiate the password reset process from any browser, their mobile device, or right from the Windows logon screen on their workstations. Specops uReset checks if an AD account is locked and notifies an end-user when they’re locked out. Furthermore, it helps to unlock the account without a manual admin fix, saving you a ton of time and tickets. With a self-service solution like Specops uReset, you don’t have to identify or solve a locked account; the user can do it themselves.

Security features like multi-factor authentication and geo-blocking ensure that the Specops uReset password reset solution is consistent with the high level of security you’d expect in your admin systems.

You can learn more about Specops uReset, and try it for free.

(Last updated on November 6, 2024)

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
