The user unlock tool finds all locked user accounts with a click of a button. You can then unlock the account, reset the password or display additional details like bad password time, count, lockout time, and the source computer. This tool makes it easy to troubleshoot account lockouts.
- You need to have rights in Active Directory to unlock and reset accounts. If you are a domain administrator then you are good.
- Auditing needs to be enabled to view details on locked accounts. See the Enabling Auditing section below.
- Tool can be run from a client computer or server
Enabling Auditing
If you want to display additional details on locked accounts, such as the source computer, you need to make sure auditing is enabled for these events. If you only want to display locked accounts and unlock them, you can skip this section.
In your Default Domain Controllers Policy, navigate to the following GPO setting:
Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management
Enable Success and Failure for the “Audit User Account Management” policy.
The required auditing is now turned on, and event ID 4740 will be logged in the Security event log of the domain controllers whenever an account is locked out. The user unlock tool queries the domain controller event logs for this event ID to display the additional lockout details.
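To show what the tool does behind the scenes, here is an added PowerShell example (not the tool's own code) that lists locked accounts with their lockout attributes and then reads event ID 4740 from every domain controller to find the source computer. It assumes the ActiveDirectory module is installed and that you hold the rights described above; the function names are my own.

```powershell
# Added example (not the unlock tool's own code). Assumes the ActiveDirectory
# module is installed and that you have the rights described above.
Import-Module ActiveDirectory

# Fast method: locked accounts straight from AD, with the lockout attributes.
# badPwdCount and badPasswordTime are not replicated, so the values come from the
# DC you are talking to; the PDC emulator holds the domain-wide picture.
function Get-LockedUser {
    Search-ADAccount -LockedOut | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Properties AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt |
            Select-Object SamAccountName, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt
    }
}

# Advanced method: read event ID 4740 from every DC to find the source computer.
# Needs auditing enabled (section above) and rights to read the DCs' Security logs.
function Get-LockoutEvent {
    param(
        [string]$UserName,   # optional: restrict to one sAMAccountName
        [int]$Hours = 24     # how far back to search
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches or the log is not readable; skip this DC
            Write-Verbose "No 4740 events or no access on $($dc.HostName): $_"
            continue
        }
        foreach ($e in $events) {
            # Read the named EventData fields from the XML rather than trusting Properties[] order
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }
            [pscustomobject]@{
                Time             = $e.TimeCreated
                DomainController = $dc.HostName
                User             = $data['TargetUserName']
                SourceComputer   = $data['TargetDomainName']  # shown as "Caller Computer Name"
            }
        }
    }
}

Get-LockedUser | Format-Table -AutoSize
Get-LockoutEvent | Sort-Object Time -Descending | Format-Table -AutoSize
# Unlock one account once the source is known: Unlock-ADAccount -Identity 'rallen'
```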
How to Guide
Step 1: Find all locked user accounts (fast method)
There are two options for finding locked accounts:
- All locked Users (Fast) – Use this if you just want to quickly find locked users and unlock them.
- All locked Users (Advanced) – Use this if you want to troubleshoot an account lockout or display additional lockout details. This option requires special permissions; helpdesk staff may not have access to run it.
To display all locked accounts, just click the Run button.
Any locked users will be displayed in the results window. Here you can see I’ve got a locked user, “Robert Allen”.
Step 2: Unlock a user or multiple users
Just select the user and click unlock. You can unlock multiple users at once, just select the accounts and click unlock.
Step 3: Reset Password
This step is optional.
You can also choose to reset a user’s password. Select the user and click the “Reset Password” button.
You can manually enter a password or generate a password.
Using the Advanced method
Again, the advanced method requires special permissions and auditing to be turned on. Make sure you follow the steps in the “Enabling Auditing” section above. This method queries the domain controller logs, and typically only members of the Domain Admins group have permission to read them. This option also runs a little slower than the “fast” option because it has to find all the domain controllers and search their logs.
Step 1: Select the advanced option and click run.