User Unlock Tool
The user unlock tool finds all locked user accounts with a click of a button. You can then unlock the account, reset the password, or display additional details such as the bad password time and count, the lockout time, and the source computer the bad passwords came from. This makes account lockouts easy to troubleshoot.
- You need rights in Active Directory to unlock accounts and reset passwords. Domain Admins have these rights; a delegated account needs them on the OUs that hold the affected users.
- Auditing needs to be enabled on the domain controllers to view details on locked accounts, and the account running the tool must be able to read the domain controllers' Security event log. See the enable auditing section.
- The tool can be run from a client computer or a server.
If you want to display additional details on locked accounts like the source computer, you need to make sure auditing is enabled for these events. If you just want to display locked accounts and unlock them then you can ignore this section.
Lockouts are processed on the domain controllers, so the audit settings must apply to them. In your Default Domain Controllers Policy (or another GPO linked to the Domain Controllers OU), navigate to the following settings:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management
Enable Success and Failure for the "Audit User Account Management" policy.
Next enable the following:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon
Enable Success and Failure for "Audit Kerberos Authentication Service."
The required auditing is now turned on, and event ID 4740 ("A user account was locked out") will be logged in the Security event log when an account is locked out. Because failed password attempts are forwarded to the PDC emulator, that is the domain controller where the 4740 event is written; its "Caller Computer Name" field is the source computer the tool displays. The Kerberos Authentication Service subcategory adds the failed pre-authentication events (ID 4771), which carry the client address of each bad attempt. The user unlock tool queries the domain controller event logs for these event IDs to display additional lockout details. After the GPO is applied, confirm the effective policy on a domain controller with auditpol /get /subcategory:"User Account Management", since the Advanced Audit Policy settings are what actually drive event generation, not the legacy audit categories.
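The following PowerShell script is an added example, not the unlock tool's own code, showing the same workflow from the command line: check that the User Account Management subcategory is in effect on the PDC emulator, list the locked-out accounts, attach the source computer from the newest 4740 event for each, show the bad-password counters from every domain controller (badPwdCount and badPasswordTime are not replicated, so each DC holds its own values), and unlock only when asked. It assumes the RSAT ActiveDirectory module, WinRM access to the PDC emulator for the auditpol check, and an account that can read the DC Security log and unlock accounts; the parameter names and the lookback window are choices made for this example.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not the page's tool): list locked-out accounts, attach the
  source computer from event 4740 on the PDC emulator, show the unreplicated
  bad-password counters from every DC, and optionally unlock.
  Assumes: RSAT ActiveDirectory module, WinRM to the PDC emulator for the
  auditpol check, and rights to read DC Security logs and unlock accounts.
#>
[CmdletBinding()]
param(
    [int]$Hours = 24,   # how far back to read 4740 events (assumed default)
    [switch]$Unlock     # report only unless -Unlock is given
)

$pdc = (Get-ADDomain).PDCEmulator   # bad passwords are chained here, so 4740 is logged here

# 1. Verify the subcategory that emits 4740 is actually in effect. auditpol shows
#    the effective policy regardless of what the GPO editor displays.
$audit = Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /subcategory:"User Account Management" /r | ConvertFrom-Csv
}
if ($audit.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "User Account Management auditing is off on $pdc; no 4740 events will be logged."
}

# 2. Accounts currently locked out, the same set the tool lists.
$locked = Search-ADAccount -LockedOut -UsersOnly

# 3. Newest 4740 per account. In 4740's EventData, TargetUserName is the locked
#    account and TargetDomainName carries the "Caller Computer Name" field.
$source = @{}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {                 # Get-WinEvent returns newest first
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (-not $source.ContainsKey($data.TargetUserName)) {
        $source[$data.TargetUserName] = [pscustomobject]@{
            When   = $e.TimeCreated
            Caller = $data.TargetDomainName
        }
    }
}

# 4. badPwdCount / badPasswordTime are not replicated, so query each DC for them.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($acct in $locked) {
    $src = $source[$acct.SamAccountName]
    foreach ($dc in $dcs) {
        $u = Get-ADUser $acct.SamAccountName -Server $dc -Properties badPwdCount, badPasswordTime, lockoutTime
        [pscustomobject]@{
            User            = $acct.SamAccountName
            DC              = $dc
            BadPwdCount     = $u.badPwdCount
            BadPasswordTime = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) })
            LockoutTime     = $(if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) })
            SourceComputer  = $src.Caller
            LockedAt        = $src.When
        }
    }
    if ($Unlock) {
        # Unlock against the PDC emulator so the change takes effect without waiting on replication.
        Unlock-ADAccount -Identity $acct.SamAccountName -Server $pdc
        Write-Host "Unlocked $($acct.SamAccountName)"
    }
}
```

Run it without switches to get a report only (for example `.\Get-LockoutInfo.ps1 -Hours 48`), and add `-Unlock` once you have identified the source computer; unlocking before the stale credential on that machine is fixed just produces another 4740 a few minutes later. A DC that reports badPwdCount of 0 while another reports a high count is normal, since each DC counts only the attempts it saw itself.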
This video demonstrates how to use the unlock tool.