How to unlock Active Directory domain accounts
An AD account is locked out when wrong passwords are entered against it more times than the domain's account lockout threshold allows within the lockout observation window. Unless the lockout duration is set so that the account unlocks itself, an admin has to unlock it before the user can sign in again.
You can unlock accounts one at a time from the Active Directory Users and Computers console, but that GUI does not let you unlock several user accounts in one action. PowerShell can unlock many locked accounts in a domain at once, but this requires scripting knowledge. Alternatively, tools such as ManageEngine ADSelfService Plus can unlock multiple user accounts simultaneously without any scripting.
The following is a comparison between unlocking Active Directory domain accounts using Windows PowerShell and ADSelfService Plus:
With PowerShell
- Unlock a single Active Directory user
The following command unlocks an individual AD account identified by its sAMAccountName (the -Identity parameter also accepts a distinguished name, objectGUID or SID):
Unlock-ADAccount -Identity samAccountName
- Unlock all AD users in a domain
This pipeline unlocks every locked-out account in the domain:
Search-ADAccount -LockedOut | Unlock-ADAccount
Use it with care: unlocking everything in bulk also clears lockouts caused by an ongoing password-guessing or password-spraying attempt, which is exactly what the lockout policy exists to slow down. Before unlocking en masse, check where the lockouts came from; security event 4740 ("A user account was locked out") on the PDC emulator records the caller computer name for each lockout.
Unlock users by OU and group membership
You can unlock AD accounts by OU or group membership in PowerShell, but only by writing the scoping yourself: Search-ADAccount takes a -SearchBase parameter that restricts the lockout search to an OU subtree, and for a group you enumerate its members and filter on the LockedOut attribute before piping to Unlock-ADAccount. There is no point-and-click way to hand this to staff who do not script.
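The following script is an added example and is not code from the original page or from ManageEngine. It shows the OU- and group-scoped unlock just described, with a -WhatIf dry run, and adds the lockout-source check that a practitioner would want before unlocking in bulk. It assumes the RSAT ActiveDirectory module and a caller holding the "Unlock account" permission on the target users; the OU path, group name and the 24-hour event window are placeholders.

```powershell
# Added example (not from the original page or from ManageEngine).
# Assumes the RSAT ActiveDirectory module; OU, group and time window are placeholders.
Import-Module ActiveDirectory

function Get-LockoutSource {
    # Security event 4740 is written on the DC that processed the lockout and on the
    # PDC emulator, so the PDC emulator is queried here. In 4740 the field named
    # TargetDomainName carries the Caller Computer Name (the host the bad passwords
    # came from). One user from one workstation is usually a forgotten password;
    # many users from one host looks like password spraying.
    param([string[]]$SamAccountName, [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($SamAccountName -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $data['TargetUserName']
                Caller = $data['TargetDomainName']
            }
        }
    }
}

function Unlock-ScopedAccounts {
    # Unlock locked-out users inside one OU subtree and/or one group.
    # SupportsShouldProcess gives the function -WhatIf/-Confirm for a rehearsal run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase,   # placeholder, e.g. 'OU=Finance,DC=example,DC=com'
        [string]$GroupName     # placeholder, e.g. 'Finance-Users'
    )
    $locked = @()
    if ($SearchBase) {
        # Search-ADAccount takes -SearchBase, so the lockout query itself is scoped to the OU.
        $locked += Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase
    }
    if ($GroupName) {
        # For a group: enumerate members (nested groups included), keep users, then
        # keep only those whose LockedOut attribute is set.
        $locked += Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LockedOut |
            Where-Object LockedOut
    }
    # A user can match both scopes; unlock each account once.
    $locked = $locked | Sort-Object DistinguishedName -Unique
    foreach ($u in $locked) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Unlock-ADAccount')) {
            Unlock-ADAccount -Identity $u
        }
    }
    $locked | Select-Object SamAccountName, DistinguishedName
}

# 1. Rehearse: list what would be unlocked without changing anything.
$candidates = Unlock-ScopedAccounts -SearchBase 'OU=Finance,DC=example,DC=com' -WhatIf
# 2. Review where those lockouts originated before clearing them.
Get-LockoutSource -SamAccountName $candidates.SamAccountName | Format-Table -AutoSize
# 3. Unlock for real, by OU and by group in one pass.
Unlock-ScopedAccounts -SearchBase 'OU=Finance,DC=example,DC=com' -GroupName 'Finance-Users'
```

The OU path is passed straight to Search-ADAccount, so the directory does the filtering; the group path has to enumerate members because lockout state is an attribute of the user, not of the group. If step 2 shows many accounts locked from the same caller computer, investigate that host before unlocking.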
With ADSelfService Plus
Steps to enable users to unlock their accounts by themselves
- Self-service account unlock, i.e., account unlock without real-time admin intervention
- Go to the ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Policy Configuration.
- Select Account Unlock.
- Click Select OUs/Groups to choose which sets of users are given the self-service account unlock capability.
- Click Save.
Steps to unlock multiple accounts simultaneously (requires admin intervention)
- Unlock all users in a domain
- Go to the ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Policy Configuration > Advanced.
- Check the "Automatically unlocks locked-down accounts in your domain" box.
- Click OK.
What are the limitations of Windows PowerShell when unlocking AD accounts?
- PowerShell can unlock individual AD accounts and all locked accounts in a domain, but it gives end users no way to unlock their own accounts from the Windows logon screen or from their mobile phones; every unlock needs someone with the right permissions to run a command.
- Unlocking by OU or group membership is possible in PowerShell (scope Search-ADAccount with -SearchBase, or filter group members on the LockedOut attribute), but the admin has to write and maintain that script rather than select the OUs or groups in a console.
- Automating unlocks for different sets of users means a separate scheduled task and scoped script per set, each of which has to be maintained, and each of which weakens the lockout control for the users it covers.
Benefits of ADSelfService Plus
- Cost savings
Reduces IT expenses by eliminating the top source of help desk tickets, viz., unlocking AD accounts.
- Improves IT security
Offers 19 types of advanced multi-factor authentication techniques like biometrics and YubiKey for password self-service.
- Universal enforcement
Admins can enforce self-service account unlock for both Active Directory and cloud applications.
- Improves the user experience
Eliminates wait time as it allows users to unlock their AD accounts from multiple access points.