Account lockout in Active Directory is a security feature. It is governed by the domain's account lockout policy: when an account accumulates more bad password attempts than the lockout threshold within the observation window, the domain controller locks it, either for the configured lockout duration or until an administrator unlocks it. Your own security policy may add other conditions, and orchestration from intrusion detection systems (IDSs) can also lock accounts.

Fortunately, the built-in Administrator account (the one created with the domain) is exempt from the lockout policy. If it were not, a burst of bad passwords could lock you out of your own domain controllers. So there is always one account left that can unlock the others. The flip side is that this account is a standing target for password guessing, which is why it is commonly renamed or disabled and a separate administrative account used for day-to-day work.

You can unlock an account individually and manually. You can also script the unlock with PowerShell, or use an administrative tool that sits outside the native Active Directory consoles.

Unlock a user account in Active Directory manually

Although this guide is mainly about scripted and tool-assisted unlocking, we will look at the manual process first, just to show that it is possible. You need to be signed in with an account that has the right to unlock users (Domain Admins, Account Operators, or a permission delegated on the OU). Follow these steps:

  • Log into a domain controller, or a workstation with the Remote Server Administration Tools (RSAT) installed, and open Active Directory Users and Computers (dsa.msc).
  • Find the account you want to unlock and right-click on that record.
  • Select Properties from the pop-up menu.
  • In the Properties window, select the Account tab.
  • About halfway down the window you will see a checkbox labeled “Unlock account. This account is currently locked out on this Active Directory Domain Controller”. Click it to check the box. If the checkbox is disabled, the account is not locked on the domain controller you are connected to.
  • Click on Apply and then click on OK to close the Properties window.

Unlock a user account in Active Directory using PowerShell

The first way to automate unlocking is PowerShell with the ActiveDirectory module. The module is present on every domain controller and ships with the Remote Server Administration Tools (RSAT) on workstations. You can use it to unlock a single user account or every locked account in the domain.

Unlock a single user account with PowerShell

Here’s what to do to unlock one account in AD using PowerShell:

  • Type powershell into the Start search field. Windows PowerShell appears in the results.
  • Click on Run as Administrator. Elevation only affects the local machine; the unlock itself succeeds or fails on the rights of the domain account you are signed in with.

With the PowerShell environment open, you can investigate whether an account is locked with the following code:

Get-ADUser -Identity <username> -Properties LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize

Replace <username> (including the angle brackets) in that sample with the actual sAMAccountName, for example jdoe. The output shows two columns, the second being LockedOut. If the value in that column reads True, the account is locked.

To unlock that single account use:

Unlock-ADAccount -Identity <username>

Again, replace <username> with the actual username.

Unlock all locked user accounts in a domain with PowerShell

Open up the PowerShell interface as described in the previous section to investigate locked accounts and also to unlock them in bulk.

To see which accounts in a domain are locked, use:

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName

To unlock all of the accounts in the domain, use the following code:

Search-ADAccount -LockedOut | Unlock-ADAccount

It could be that an incident locked several suspicious accounts and, after investigation, you decided that some really were compromised while others were misidentified and should be unlocked. In that case, unlocking every locked account would let the threat back in. You could go through the legitimate accounts and unlock them one by one, or you could add -Confirm so that the pipeline asks before each unlock:

Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm

When this command runs, it asks you to confirm each unlock, so you can leave one or two accounts locked if you want. Declining one account does not terminate the pipeline; it moves on and offers you the same choice for the next locked account.

The options that the command gives you over whether to unlock each locked account are:

  • Yes
  • Yes to All
  • No
  • No to All
  • Suspend

No to All abandons the job. Suspend pauses at a nested prompt, where you can run other commands (for example, to look up the account) and then type exit to return to the question. Neither option rolls anything back: the accounts you unlocked up to that point remain available to their users.
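The commands above tell you which accounts are locked, but not why. Before unlocking, a practitioner wants to know where the bad passwords came from, and that information lives on the PDC emulator: bad password attempts are forwarded to it and it writes Security event 4740 for every lockout in the domain. The following script is an added example for this article, not code from Microsoft or from any vendor reviewed below. It ties the single-account check and the bulk unlock together: it prints the lockout policy, lists the locked users with the computer that triggered each lockout, and unlocks only the accounts in an approved list (the -ApprovedUsers parameter, an assumption of this example). It assumes the RSAT ActiveDirectory module, the right to read the Security log on the PDC emulator, and that the "Audit User Account Management" subcategory is enabled there so that 4740 events exist.

```powershell
#Requires -Modules ActiveDirectory
<#
Lockout triage script. Added example for this article, not from Microsoft or
any vendor named on the page. Assumes the RSAT ActiveDirectory module, the
right to read the Security log on the PDC emulator, and that "Audit User
Account Management" is enabled there so that event 4740 is written per lockout.
Usage:  .\Triage-Lockouts.ps1 -ApprovedUsers jdoe,asmith -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts a technician has already cleared for unlocking (assumed input).
    [string[]]$ApprovedUsers = @(),
    # How far back to look for lockout events.
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory

# 1. The policy that produced the lockouts: threshold, window, duration.
$policy = Get-ADDefaultDomainPasswordPolicy
'Lockout threshold: {0} bad attempts in {1}; lockout lasts {2}' -f `
    $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration

# 2. Bad-password attempts are chained to the PDC emulator and every lockout is
#    recorded there, so its Security log holds one 4740 event per lockout.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$LookbackHours)
$lockoutEvents = @(Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue)   # Get-WinEvent errors when nothing matches

# 3. Pair each currently locked user with its newest 4740 event. In the 4740
#    schema Properties[0] is TargetUserName and Properties[1], confusingly
#    named TargetDomainName, is the computer the bad passwords came from.
$locked = Search-ADAccount -LockedOut -UsersOnly
$report = foreach ($acct in $locked) {
    # badPwdCount and LastBadPasswordAttempt are not replicated; read them
    # from the PDC emulator, which sees every failed attempt.
    $user = Get-ADUser -Identity $acct.SamAccountName -Server $pdc `
        -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
    $evt = $lockoutEvents |
        Where-Object { $_.Properties[0].Value -eq $user.SamAccountName } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        BadPwdCount    = $user.badPwdCount
        LastBadAttempt = $user.LastBadPasswordAttempt
        LockedAt       = if ($evt) { $evt.TimeCreated } else { $null }
        SourceComputer = if ($evt) { $evt.Properties[1].Value } else { 'unknown' }
        Approved       = $ApprovedUsers -contains $user.SamAccountName
    }
}
$report | Format-Table -AutoSize

# 4. Unlock only what a human has approved; everything else stays locked for
#    investigation. -WhatIf prints the intended change without making it.
foreach ($row in ($report | Where-Object { $_.Approved })) {
    if ($PSCmdlet.ShouldProcess($row.SamAccountName, 'Unlock-ADAccount')) {
        Unlock-ADAccount -Identity $row.SamAccountName -Server $pdc
    }
}
```

Run it first with -WhatIf and an empty approved list to get the report alone. A SourceComputer that is a terminal server, a service host or an unfamiliar machine is a reason to leave the account locked and look at that machine (stale credentials in a scheduled task or mapped drive are the common benign cause; a password spray from a foothold is the one you care about). Unlocking through -Server $pdc avoids the replication lag you would otherwise see if the user immediately retries against a different domain controller.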

Automated Active Directory management tools

The native Active Directory Users and Computers console is a little clunky. Although most regular administrators get used to the front-end's quirks, there are a lot of AD management tools available that make administering the system easier and have much better consoles.

It can take a lot of time to research the market and identify some good candidate systems, so we have produced a shortlist of the best systems available today.

Here is our list of the six best automated user account unlocking tools for Active Directory:

  • Dameware Remote Support (FREE TRIAL) A support team package that includes an account unlocking utility. Get a fully functional 14-day free trial.
  • ManageEngine ADSelfService Plus (FREE TRIAL) A package that is centered on a portal that allows users to reset their accounts and there is also an automated unlock tool for technicians. It runs on Windows Server. Start a 30-day free trial.
  • ManageEngine ADAudit Plus (FREE TRIAL) This software package provides file integrity monitoring and protection for AD objects, with a lockout analyzer among its tools. Runs on Windows Server, Azure, and AWS. Start a 30-day free trial.
  • Netwrix Account Lockout Examiner A free package that identifies locked accounts, explains the reason for the locks and allows the unlocking of each account. It runs on Windows and Windows Server.
  • AD Pro Toolkit An unlocking service that is part of a bundle of system administration tools and offers details on each lock. It runs on Windows and Windows Server.
  • WiseDATAman Password Control A small free utility that provides powerful user account administration services. It is available for Windows and Windows Server.

Please note that it isn't a good idea to automate unlocking on a trigger so that any account that gets locked is instantly unlocked again. The locking mechanism is a security control: if a defense tool with automated threat remediation locked an account, it did so for a reason, and an auto-unlock silently cancels that response. Leave accounts locked while you investigate the cause, and unlock them once you know it.

What should you look for in an automated account unlock tool for Active Directory?

We reviewed the market for account unlocking tools and analyzed the options based on the following criteria:

  • A choice of quick unlocking utilities and full AD management systems.
  • An easy-to-use, attractive interface.
  • A tool that gives the choice to unlock individual accounts, many, or all.
  • A system that can automate other Active Directory management tasks.
  • A system that is easy to install.
  • A free tool, or a service that offers a free trial or a demo.
  • A tool that will save you time and money, delivering value.

Using this set of criteria, we looked for a range of AD management packages that include dedicated unlocking utilities.

1. Dameware Remote Support (FREE TRIAL)

Dameware Remote Support is an extensive package of tools for IT Department support teams and managed services providers. The system includes remote access, remote control, endpoint management, and system monitoring capabilities. It also has an account unlocking utility for Active Directory.

Key Features:

  • Endpoint management
  • System monitoring
  • Active Directory management

The Active Directory management features in the system include a password reset system as well as the account unlocking utility. The entire package is a collection of administrator tools that can be used by a remote support team.

Dameware installs on Windows and Windows Server and you can read more about it in our Dameware Review. The system is available for a 14-day free trial.

Pros:

  • Access from a mobile app as well as desktops.
  • On-premises software.
  • Collects many utilities on one screen.

Cons:

  • Not available as a cloud platform


2. ManageEngine ADSelfService Plus (FREE TRIAL)

With ManageEngine ADSelfService Plus, technicians are provided with a tool to unlock accounts and users are given another route. The self-service portal that comes with this package is designed to reduce the lockouts caused by users mistyping or forgetting complex passwords, by including a guided password creation system.

Key Features:

  • Password error prevention
  • User controls
  • Technician tools
  • Unlocking on demand
  • Password reset requestor

The self-service portal enables users to reset their passwords and includes an unlock request service. Those unlocks happen without technician intervention, once the user has passed the portal's identity checks. This means that the locks left for technicians to deal with are the ones that the system imposed in response to a suspected intruder.

The administrator-side unlocking function is perhaps a little risky because it is possible to configure the system to unlock locked accounts automatically. This could undermine the efforts of intrusion prevention systems (IPSs) to block intruders.

This system is a software package that runs on Windows Server. There is a free version of ManageEngine ADSelfService Plus. That is limited to managing 50 users. You can get a 30-day free trial of either of the two paid editions.

Pros:

  • Unlock accounts individually or in bulk.
  • Automated or on-demand unlocking.
  • Self-service portal for users.
  • Password creation guidance.
  • Cuts down calls to the Help Desk.

Cons:

  • No cloud version.


3. ManageEngine ADAudit Plus (FREE TRIAL)

ManageEngine ADAudit Plus is a package of security tools that implements file integrity monitoring and protection for Active Directory. Among the AD tools in the bundle is the Account Lockout Analyzer. The tool automatically identifies account lockout events and compiles a report for each user account, detailing where and when these events occurred.

Key Features:

  • Lists account lockouts per user
  • Identifies lockout reasons
  • Provides compliance reports
  • Identifies most frequently locked out accounts

ADAudit Plus provides auditing for Active Directory in general, not only lockout events. The system also logs all file access events and sorts through those records for compliance auditing. The lockout report is also needed for compliance reporting.

ManageEngine ADAudit Plus is available for Windows Server, AWS, and Azure. There is a Free edition, but it doesn't include the Account Lockout Analyzer, and neither does the lower of the two paid editions, which is called Standard. You need the Professional edition, and you can get that on a 30-day free trial.

Pros:

  • Identifies user account-related risks.
  • Protects the system from insider threats and account takeover.
  • Implements compliance auditing and reporting for GLBA, GDPR, SOX, PCI DSS, and FISMA.
  • Root cause analysis.

Cons:

  • Not offered as a SaaS package.


4. Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner lists all locked accounts through its graphical user interface. The details of each user record in the lockout list show the reason for the lock and the resource that the user tried to access. The tool also has a lookup facility, which enables Help Desk staff to enter a username and see that account's lockout status.

Key Features:

  • Free tool
  • Identifies all locked accounts
  • Account search
  • Lockout reason

With this system, technicians can also unlock accounts. There isn't a bulk unlock feature. However, that facility can be dangerous, so Netwrix knew what they were doing when they left it out.

The software for Netwrix Account Lockout Examiner installs on Windows and Windows Server. You can install the system on as many endpoints as you like because it is free to use.

Pros:

  • Sweeps AD for all locked accounts.
  • Queries single account statuses.
  • Identifies the reason for the lockout.
  • Unlock utility.

Cons:

  • No bulk unlock feature.

5. AD Pro Toolkit

The AD Pro Toolkit bundle includes 13 tools for administering Active Directory. Among these is the Active Directory User Unlock Tool. This is a useful and straightforward package that allows support staff to unlock an account without needing full access to Active Directory.

Key Features:

  • Straightforward, single-use screen
  • Displays all accounts
  • Search for individual accounts

The tool supports two scenarios: a list of all locked accounts and a username search. The account details screen shows why the account was locked and offers a quick unlocking button. This is a useful feature because it provides enough information to allow the technician to decide whether the lock was valid.

The price for the AD Pro Toolkit starts at $199 for just nine of the 13 tools and $299 for the full bundle. The software runs on Windows and Windows Server.

Pros:

  • Advises on lock reasons.
  • Provides bulk and individual lock search functions.
  • Uncomplicated layout.

Cons:

  • Charged for, but almost identical to the free Netwrix Account Lockout Examiner.

6. WiseDATAman Password Control

WiseDATAman Password Control is a small utility that presents a record searching form and then displays just one matching record. Although this system doesn’t have a bulk locked account listing screen, its compact layout provides a lot of tools in one small space and that includes an option to unlock accounts.

Key Features:

  • Small interface
  • Single user display
  • Unlocks accounts

This tool is a substitute for the Properties window of an account in Active Directory Users and Computers. Its value is that it gives a Help Desk technician limited, controlled access to the AD system without handing over the full console.

Although this is not an automated tool, it saves the user typing in PowerShell commands and it is free to use. The software runs on Windows and Windows Server.

Pros:

  • Provides limited AD access for Help Desk staff.
  • Single checkbox to unlock an account.
  • Doesn't take up much room on the Desktop.

Cons:

  • No listing screen to show all locked accounts.