Printout Header
RSS Feed

How to unlock Active Directory User Accounts

On this page you learn how to unlock Active Directory user accounts which was locked by the intruder account detection. In the admin utility 'AD Users and Computers' a locked user can be identified only by opening the 'Account' tab of the regarding user account:

AUC: Locked User Account

An intruder account lockout is triggered by the system if and only if the number of failed logon attempts outranges the threshold which was set in the regarding group policies. In Windows 2000 - 2008 environments, you can set these thresholds in the Account Policies of the Default Domain Policy:

Account Lockout Policy

A lock can only triggered by the system itself - please don't mix this up with the normal disable/enable operation for user accounts. You can search in the directory for locked accounts. As this is quite complicated, there is a dedicated article in the SelfADSI tutorial: 'Searching for locked accounts'.

The msDS-User-Account-Control-Computed attribute

To unlock a locked account isn't trivial either. Although there is the attribute msDS-User-Account-Control-Computed since Windows 2003, which shows as a bit field in it's flag UF_LOCKOUT (16) a locked account directly, it is an constructed attribute. Therefore you cannot use this attribute in LDAP filters for a search operation - and you cannot write this attribute to release the lock. All you can do with msDs-User-Account-Control is evaluating the lock status for a single user if you are reading the user attributes.

Unlock with the attribute lockoutTime

The easiest unlock method is based on the lockoutTime attribute and works for all Active Directory versions since Windows 2000: The attribute lockoutTime holds the date and time of the account lock event - but the value is stored in the complex format of a Microsoft DateTime Interval timestamp (64-Bit Long 'Integer8': 100-nanosecond steps since 01/01/1600). Fortunately, we don't have to calculate a certain value in order to unlock the regarding account: It's enough to write a Null value into the lockoutTime attribute:

Set user = GetObject("LDAP://cn=sandra,ou=user,dc=cerrotorre,dc=de") user.lockoutTime = 0 user.SetInfo

Unlock with IsAccountLocked

The more circumstantial approach....

According to unlocking an account which was locked by the intruder detection, often the following (more complicated) technique is cited: You connect to the regarding user object not with the normal LDAP ADSI Provider, but with the 'old' WINNT provider interface which was originally designed for the management of Windows NT domain objects. Here you have a special API Object Property called IsAccountLocked. In fact this property can only be used as a read/write value only if you connect to the object with the WINNT provider. The normal LDAP provider cannot write to this property:

Set user = GetObject("WinNT://CERROTORRE/Sandra) 'Syntax=> WinNT://Domäne/Benutzer user.IsAccountLocked = FALSE user.SetInfo

You can read more about this in the detailed information of Microsoft KnowledgeBase Article Q250873.