Users are one of the most popular objects in AD. They are used forauthentication and authorization on workstations. Also in many services which are integrated with AD. User management is the main routine for sysadmins and helpdesk specialists. This guide helps to manage such objects in multiple ways. For managing users there is a need to install RSAT tools or manage them from your DC. You have to be signed under domain admin or an Account Operators user or with delegation rights to create objects in the current OU.
How to Find Locked-out User Accounts
User accounts may get locked-out for some reason and you need to troubleshoot the cause of account lockout, but first of all you need to get the list of them. There are several ways to get this list.
Finding Locked User Accounts with the Active Directory Administrative Center
Run Active Directory Administrative Center (dsac.exe). Select the OU or container where you want to search for locked out users. Expand the top bar by clicking on an arrow button in the right top corner.
Click on Add criteria and select the “Users with enabled but locked accounts” criteria. Click Add and the locked-out accounts will be displayed.
Finding Locked User Accounts with Windows PowerShell
In order to find locked out accounts in AD, user the following PowerShell script:
Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Format-Table Name,LockedOut -AutoSizeHow to Unlock a User Account
Account lockout in one of the most often cases for sysadmins in organization. Sometimes it is even hard to get its cause so it requires deep investigation. But it is not the point to disable an account lockout policy because it helps to protect your user accounts from brute force attacks. In this guide we will focus on easy techniques to unlock users.
Unlocking User Accounts via Active Directory Administrative Center
To unlock a user object, open the Active Directory Administrative Center (dsac.exe), navigate to the OU or container where users exist in. Right-click the object you want to unlock and select Properties.
In the User window click the Unlock account and then OK.
To unlock all locked-out accounts in a certain OU or container select the OU or container where you want to search for locked out users. Expand the top bar by clicking on an arrow button in the right top corner. Click on Add criteria and select the “Users with enabled but locked accounts criteria.” Click Add and the locked-out accounts will be displayed. Select all accounts, go to Properties and click on Unlock account.
Unlocking User Accounts via Windows PowerShell
To unlock a user account, you need to run the following PowerShell code:
Import-Module ActiveDirectory
Unlock-ADAccount -Identity "CN=User,CN=Users,DC=office,DC=local"And in order to unlock all locked accounts use Search-ADAccount cmdlet:
Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccountConclusion
Managing locked-out user accounts is a routine yet critical task for any system administrator working with Active Directory. Lockouts can result from various issues, including password mismatches, cached credentials, or brute-force attempts. Instead of disabling account lockout policies—which are essential for security—admins can use built-in tools like the Active Directory Administrative Center or PowerShell to identify and unlock affected accounts efficiently. By mastering these techniques, you can restore access quickly and minimize user downtime, all while maintaining your domain's security posture.
FAQ
- Q1: Why do user accounts get locked out in Active Directory?
A1: Accounts usually get locked out due to multiple failed login attempts caused by incorrect passwords, cached credentials on other devices, or scheduled tasks running under outdated credentials. - Q2: Can I disable the account lockout policy to prevent user frustration?
A2: Disabling the lockout policy is not recommended as it exposes your network to brute-force attacks. It's better to identify the cause and resolve it while keeping the policy active. - Q3: What permissions do I need to unlock accounts?
A3: You must be a member of Domain Admins, Account Operators, or have delegated permissions to manage user accounts in the target Organizational Unit (OU). - Q4: Is there a way to unlock all locked-out users at once?
A4: Yes. You can use PowerShell with Search-ADAccount -LockedOut | Unlock-ADAccount to unlock all locked accounts in a single command. - Q5: Do I need RSAT to manage users remotely?
A5: Yes. To manage AD users from a client workstation, you need to install the Remote Server Administration Tools (RSAT) and import the ActiveDirectory module in PowerShell.
