How to check if an AD account is locked out
(Last updated on June 8, 2021)
The Account Lockout Policy in Active Directory Group Policy sets the number of failed sign-in attempts before a user account is locked out. Once the account is locked out, it cannot be used (even with the correct password) until the account lockout duration has passed; or until an administrator manually unlocks the account. That’s where you come in.
The Account Lockout Policy deters cybercriminals performing brute force attacks against Active Directory accounts, but this feature can cause a huge headache for a sysadmin and the IT team when an impatient end-user is looking for a workaround.
Below is an example of what an end-user sees when they are stuck in Account Lockout Policy purgatory.
Check AD account lockout status
How can administrators check to see if an Active Directory account is locked out? In ADUC, navigate to the properties of the user, then the Account tab. You will see the following message if an account is locked out:
- Unlock account. This account is currently locked out on this Active Directory Domain Controller.
Administrators can also use PowerShell to query an Active Directory account and check its status. You can run the following from a domain controller, or from any workstation with the Active Directory RSAT module installed. One caveat: badPwdCount and LastBadPasswordAttempt are not replicated between domain controllers, so the DC you happen to query may show a count of zero even though another DC has locked the account. Query the PDC emulator (which receives the bad-password attempts forwarded by the other DCs), or query each DC in turn.

```powershell
Import-Module ActiveDirectory
# LockedOut, AccountLockoutTime and LastBadPasswordAttempt are computed by the
# module from lockoutTime and badPasswordTime; -Properties * also pulls the raw
# attributes (accountExpires, badPwdCount, pwdLastSet) for comparison.
Get-ADUser -Identity testuser -Properties * |
    Select-Object AccountExpirationDate, accountExpires, AccountLockoutTime, BadLogonCount, badPwdCount,
        LastBadPasswordAttempt, LastLogonDate, LockedOut, PasswordExpired, PasswordLastSet, pwdLastSet |
    Format-List
```
Unlocking Active Directory user accounts
The process of unlocking an account is straightforward. There are two ways an account gets unlocked: an administrator unlocks it, or the account lockout duration expires. If the policy sets the lockout duration to 0, the account stays locked until an administrator intervenes.
An administrator can unlock the user account by either using the ADUC GUI, or PowerShell. Let’s briefly look at both ways.
Using the ADUC snap-in, an administrator can place a check in the box labelled "Unlock account. This account is currently locked out on this Active Directory Domain Controller" and click OK.
This is easily accomplished using PowerShell as well, with the Unlock-ADAccount cmdlet from the ActiveDirectory module.
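The following script is an added example and is not code from the original article. It ties together the two PowerShell steps above: it queries every domain controller for the account's lockout state (because badPwdCount and LastBadPasswordAttempt are not replicated, a single DC can understate what is happening), works out when the lockout would expire on its own from the effective password policy, unlocks the account against the PDC emulator, and then re-queries to confirm. It assumes the ActiveDirectory RSAT module, a session with rights to read the user and unlock accounts, and uses "testuser" as a placeholder identity; the function names are this example's own.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# RSAT module and a session with rights to read the user object and unlock
# accounts. "testuser" below is a placeholder identity.
Import-Module ActiveDirectory

function Get-ADLockoutReport {
    param([Parameter(Mandatory)][string]$Identity)

    # lockoutTime replicates, but badPwdCount and badPasswordTime (surfaced as
    # LastBadPasswordAttempt) do not, so query every DC and mark the PDC
    # emulator, which also receives bad-password attempts forwarded by the others.
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC                     = $dc.HostName
            IsPDC                  = ($dc.HostName -ieq $pdc)
            LockedOut              = $null
            AccountLockoutTime     = $null
            BadPwdCount            = $null
            LastBadPasswordAttempt = $null
            Error                  = $null
        }
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties LockedOut, AccountLockoutTime, badPwdCount, LastBadPasswordAttempt
            $row.LockedOut              = $u.LockedOut
            $row.AccountLockoutTime     = $u.AccountLockoutTime
            $row.BadPwdCount            = $u.badPwdCount
            $row.LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        } catch {
            # An unreachable DC still belongs in the report.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

function Get-ADLockoutExpiry {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][datetime]$LockoutTime)

    # A fine-grained password policy (PSO) overrides the domain default.
    $policy = $null
    try { $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity } catch { }
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    # A lockout duration of 0 means "locked until an administrator unlocks it".
    if ($policy.LockoutDuration -le [timespan]::Zero) { return $null }
    return $LockoutTime.Add($policy.LockoutDuration)
}

function Unlock-ADAccountAndVerify {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $before = Get-ADLockoutReport -Identity $Identity
    $before | Format-Table -AutoSize | Out-Host

    $locked = $before | Where-Object { $_.LockedOut -eq $true }
    if (-not $locked) {
        Write-Host "$Identity is not locked out on any reachable DC; look at the user's device or cached credentials instead."
        return
    }

    $first  = $locked | Sort-Object AccountLockoutTime | Select-Object -First 1
    $expiry = Get-ADLockoutExpiry -Identity $Identity -LockoutTime $first.AccountLockoutTime
    $auto   = if ($expiry) { "at $expiry" } else { "disabled (an administrator must unlock)" }
    Write-Host ("Locked at {0} on {1}; automatic unlock {2}" -f $first.AccountLockoutTime, $first.DC, $auto)

    # Unlock against the PDC emulator. -WhatIf previews the action without applying it.
    $pdc = (Get-ADDomain).PDCEmulator
    if ($PSCmdlet.ShouldProcess($Identity, "Unlock on $pdc")) {
        Unlock-ADAccount -Identity $Identity -Server $pdc
        Start-Sleep -Seconds 5   # give the change a moment to replicate

        $after = Get-ADLockoutReport -Identity $Identity
        $stillLocked = $after | Where-Object { $_.LockedOut -eq $true }
        if ($stillLocked) {
            Write-Warning ("Still locked on: " + ($stillLocked.DC -join ', ') + ". Wait for replication and re-run.")
        } else {
            Write-Host "Unlocked. If LastBadPasswordAttempt keeps advancing, a stale credential is still retrying."
        }
        $after | Format-Table -AutoSize | Out-Host
    }
}

# Usage: Unlock-ADAccountAndVerify -Identity testuser -WhatIf   # preview only
#        Unlock-ADAccountAndVerify -Identity testuser
```

Run it with -WhatIf first to see the per-DC picture without changing anything. The post-unlock report is the useful part: if LastBadPasswordAttempt on the PDC emulator moves forward again within minutes, something (a mapped drive, a scheduled task, a VPN client holding an old password) is still presenting bad credentials and the account will simply lock again.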
Self-service account unlocks
With many organizations supporting remote employees, self-service workflows for end-users are hugely beneficial. Self-service solutions save IT time and money by reducing help desk tickets, and prompt users to take ownership of their own password security and updates. Remote work also makes the cached-credential problem worse: a device that keeps retrying an old, cached password after a change will lock the account, which means more lockouts and more help desk calls. Reliable self-service options reduce this burden on your help desk.
Specops uReset is one great self-service option that allows end-users to perform everyday tasks related to password and account management in Active Directory.
Specops uReset is a self-service solution that enables users to securely reset their Active Directory passwords. End-users can initiate the password reset process from any browser, their mobile device, or right from the Windows logon screen on their workstations. Specops uReset can notify an end-user when they are locked out and help them unlock the account without a manual admin fix, saving you a great deal of time and tickets. With a self-service solution like Specops uReset you do not have to identify or resolve a locked account; the user can do it themselves.
Security features like multi-factor authentication and geo-blocking ensure that the Specops uReset password reset solution is consistent with the high level of security you would expect in your admin systems.