How to unlock Active Directory domain accounts

Users can get locked out of their AD accounts if incorrect passwords are entered a predefined number of times. For those users to regain access to their accounts, an admin will need to unlock them.

While you can unlock accounts individually using the GUI of the Active Directory Users and Computers console, you can't unlock multiple user accounts simultaneously there. PowerShell can unlock multiple locked accounts in a domain at once, but this requires scripting knowledge. Alternatively, you can use tools such as ManageEngine ADSelfService Plus to unlock multiple user accounts simultaneously without any scripting knowledge.

The following is a comparison between unlocking Active Directory domain accounts using Windows PowerShell and ADSelfService Plus:

With PowerShell

  • Unlock a single Active Directory user
    The following PowerShell script can be used to unlock an individual AD account using the samAccountName attribute:
    Unlock-ADAccount -Identity samAccountName
  • Unlock all AD users in a domain
    This PowerShell script can be used to unlock all locked-out AD user accounts in the domain:
    Search-ADAccount -LockedOut | Unlock-ADAccount
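A bulk unlock clears the lockout state that someone investigating repeated bad-password attempts would want to see, so it helps to record and review the locked accounts first. The following PowerShell is an added example, not code from the original page or from ADSelfService Plus; the function name Get-LockoutReview, the two thresholds and the CSV path are assumptions, and it assumes the ActiveDirectory module on a domain-joined host.

```powershell
# Added example: review locked-out accounts before a bulk unlock.
Import-Module ActiveDirectory

function Get-LockoutReview {
    [CmdletBinding()]
    param(
        # Hypothetical thresholds; tune them to your own lockout policy.
        [int]$WindowMinutes  = 30,
        [int]$BurstThreshold = 10
    )

    # Collect every locked-out user with the attributes needed for triage.
    # BadLogonCount is tracked per domain controller, so treat it as a hint.
    $locked = @(Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
        Select-Object SamAccountName, DistinguishedName, AccountLockoutTime,
                      LastBadPasswordAttempt, BadLogonCount)

    # Many accounts locked inside one short window points to automated
    # password guessing rather than ordinary typing mistakes.
    $cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
    $recent = @($locked | Where-Object { $_.AccountLockoutTime -ge $cutoff })

    [pscustomobject]@{
        Locked         = $locked
        RecentCount    = $recent.Count
        LooksLikeBurst = ($recent.Count -ge $BurstThreshold)
    }
}

$review = Get-LockoutReview

# Keep a record of what was locked before anything is changed.
$review.Locked | Export-Csv -Path .\locked-accounts.csv -NoTypeInformation

if ($review.LooksLikeBurst) {
    Write-Warning "$($review.RecentCount) accounts locked in the review window; investigate before unlocking."
}
else {
    # -WhatIf only reports what would be unlocked; remove it to apply the change.
    $review.Locked | ForEach-Object {
        Unlock-ADAccount -Identity $_.DistinguishedName -WhatIf
    }
}
```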

Unlock users by OU and group membership

You cannot unlock AD accounts by OU or group membership using PowerShell scripts.

With ADSelfService Plus

Steps to enable users to unlock their accounts by themselves

  • Self-service account unlock, i.e., configure account unlock without real-time admin intervention
    • Go to the ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Policy Configuration.
    • Select Account Unlock.
    • Click Select OUs/Groups to granularly select which sets of users need to be provided with self-service account unlock capability.
    • Click Save.
  • Steps to unlock multiple accounts simultaneously (requires admin intervention)

  • Unlock all users in a domain
    • Go to the ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Policy Configuration > Advanced.
    • Check the Automatically unlocks locked-down accounts in your domain box.
    • Click OK.

What are the limitations of Windows PowerShell when unlocking AD accounts?

  • PowerShell can be used to unlock individual AD accounts as well as all the locked accounts on a domain, but there is no support for end users to unlock their locked accounts on their own from their Windows login screen or their mobile phones.
  • Admins cannot use PowerShell to unlock AD accounts based on OU and group memberships.
  • Creating multiple automatic AD account unlock schedulers via PowerShell for different sets of users is a highly laborious process.

Benefits of ADSelfService Plus

  • Cost savings

    Reduces IT expenses by eliminating the top source of help desk tickets, viz., unlocking AD accounts.

  • Improves IT security

    Offers 19 types of advanced multi-factor authentication techniques like biometrics and YubiKey for password self-service.

  • Universal enforcement

    Admins can enforce self-service account unlock for both Active Directory and cloud applications.

  • Improves the user experience

    Eliminates wait time as it allows users to unlock their AD accounts from multiple access points.
