How to automate account unlocks for Active Directory users

The account locking system in Active Directory is a security feature. Several conditions built into Active Directory will automatically lock an account, and most of them relate to passwords. Your security policy may add other conditions that create lockouts, and orchestration from intrusion detection systems (IDSs) can also lock accounts.

Fortunately, the Administrator account never gets locked – if it did you would completely lose control of your AD domain controller. So, you will always have the administrator system to get the users back to their accounts.

You can unlock an account manually, one at a time. It is also possible to automate the unlocking process through a PowerShell script or through an administrative tool that is external to the Active Directory environment.

Unlock a user account in Active Directory manually

Although this guide is all about automated solutions to unlocking user accounts in AD, we will look at the manual process first – just to show you that it is possible. Follow these steps:

  1. Log into AD and open Active Directory Users and Computers.
  2. Find the account you want to unlock and right-click while the mouse pointer is over that record.
  3. Select Properties from the pop-up menu.
  4. In the Properties screen, select the Account tab.
  5. About halfway down the window, you will see a checkbox, labeled “Unlock account. This account is currently locked out on this Active Directory Controller”. Click it to check the box.
  6. Click on Apply and then click on OK to close the Properties window.


Unlock a user account in Active Directory using PowerShell

The first automated approach to unlocking an account in AD is to use PowerShell at the operating-system level. You can use it to unlock a single user account or all locked accounts in a domain.

Unlock a single user account with PowerShell

Here’s what to do to unlock one account in AD using PowerShell:

  1. Type powershell into the Start search field. You will be presented with the PowerShell app.
  2. Click on Run as Administrator.

With the PowerShell environment open, you can investigate whether an account is locked with the following code:

Get-ADUser -Identity <username> -Properties LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize

Replace <username> (including the angle brackets) in that sample with the actual username. The output will show two columns, the second being LockedOut. If the value in this column reads True, the account is locked.

To unlock that single account use:

Unlock-ADAccount -Identity <username>

Again, replace <username> with the actual username.

Unlock all locked user accounts in a domain with PowerShell

Open up the PowerShell interface as described in the previous section to investigate locked accounts and also to unlock them in bulk.

To see which accounts in a domain are locked, use:

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName

To unlock all of the accounts in the domain, use the following code:

Search-ADAccount -LockedOut | Unlock-ADAccount

It could be that an incident locked several suspicious accounts and, after investigation, you decided that some were indeed malicious but others were misidentified and should be unlocked. In this case, unlocking all locked accounts would let the threat back in. You could go through the legitimate user accounts and unlock them one by one, or you could use the following command:

Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm

When this command runs, it asks you to confirm the unlocking of each locked account, so you can leave one or two in the list locked if you want. Declining to unlock one account does not terminate processing; the command moves on and offers you a choice over the next locked account it encounters.

The options that the command gives you over whether to unlock each locked account are:

  • Yes
  • Yes to All
  • No
  • No to All
  • Suspend

So, you can choose whether to abandon the job at any time. If you do, the command doesn’t roll back, which means that the accounts you unlocked up to that point will remain available for the users.
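The selective approach above can be scripted so that it also leaves an audit trail. The following is an added example, not code from the original article: it lists the locked accounts with their lockout context, unlocks only the accounts on an approved list, keeps held accounts locked, and writes one audit row per account. It assumes the ActiveDirectory module (RSAT) is installed; the parameter names and the default log path are assumptions.

```powershell
# Added example, not code from the original article. Assumes the
# ActiveDirectory module (RSAT) is installed and the caller holds unlock
# rights. Parameter names and the default log path are assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SamAccountNames that an investigation has cleared for unlocking.
    [Parameter(Mandatory)] [string[]] $Approved,
    # Accounts that must stay locked while the investigation continues.
    [string[]] $Hold = @(),
    [string] $LogPath = "$env:TEMP\unlock-audit.csv"
)

# Inventory every currently locked user account with the context a reviewer
# needs before deciding: when it locked and how many bad logons preceded it.
$locked = Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName `
        -Properties LockedOut, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
}
$locked |
    Select-Object SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
    Format-Table -AutoSize

foreach ($user in $locked) {
    $name = $user.SamAccountName
    $record = [ordered]@{
        Time        = (Get-Date).ToString('o')
        Operator    = "$env:USERDOMAIN\$env:USERNAME"
        Account     = $name
        LockoutTime = $user.AccountLockoutTime
        Action      = 'left locked'
    }
    if ($Hold -contains $name) {
        $record.Action = 'held for investigation'
    }
    elseif ($Approved -contains $name) {
        # Run the script with -WhatIf to preview, or -Confirm to approve each
        # unlock, the same choice Unlock-ADAccount -Confirm offers.
        if ($PSCmdlet.ShouldProcess($name, 'Unlock-ADAccount')) {
            # The prompt above already decided; suppress the cmdlet's own.
            Unlock-ADAccount -Identity $user -Confirm:$false
            # Re-read the directory so the log records the real outcome.
            $state = Get-ADUser -Identity $name -Properties LockedOut
            $record.Action = if ($state.LockedOut) { 'unlock failed' } else { 'unlocked' }
        }
    }
    [pscustomobject]$record | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
```

Accounts that are locked but appear on neither list are reported and left locked, so the default is to keep the lock in place until someone has looked at it.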

Automated Active Directory management tools

The Active Directory interface is a little clunky. Although most regular users get used to the front-end's quirks, there are a lot of AD management tools available that make administering the system much easier, and they have much better consoles.

It can take a lot of time to research the market and identify some good candidate systems, so we have produced a shortlist of the best systems available today.

Here is our list of the best automated user account unlocking tools for Active Directory:

  1. Dameware Remote Support EDITOR’S CHOICE A support team package that includes an account unlocking utility and specialized Active Directory account management features. Installs on Windows. Get a fully functional 14-day free trial.
  2. ManageEngine ADSelfService Plus (FREE TRIAL) A package that is centered on a portal that allows users to reset their accounts and there is also an automated unlock tool for technicians. It runs on Windows Server. Start a 30-day free trial.
  3. ManageEngine ADAudit Plus (FREE TRIAL) This software package provides file integrity monitoring and protection for AD objects, with a lockout analyzer among its tools. Runs on Windows Server, Azure, and AWS. Start a 30-day free trial.
  4. Netwrix Account Lockout Examiner A free package that identifies locked accounts, explains the reason for the locks, and allows the unlocking of each account. It runs on Windows and Windows Server.
  5. AD Pro Toolkit An unlocking service that is part of a bundle of system administration tools and offers details on each lock. It runs on Windows and Windows Server.
  6. WiseDATAman Password Control A small free utility that provides powerful user account administration services. It is available for Windows and Windows Server.

Please note that it isn’t a good idea to automate the unlocking of user accounts on a trigger so that any account that gets locked will instantly be unlocked. The locking mechanism is a security feature and if you have a defense tool with automated threat remediation, that service will have locked those accounts for a reason. It is better to leave accounts locked while you investigate the reason.

What should you look for in an automated account unlock tool for Active Directory? 

We reviewed the market for account unlocking tools and analyzed the options based on the following criteria:

  • A choice of quick unlocking utilities and full AD management systems.
  • An easy-to-use attractive interface.
  • A tool that gives the choice to unlock individual accounts, many, or all.
  • A system that can perform other Active Directory management tasks with automation.
  • A system that is easy to install.
  • A free tool or a service that offers a free trial or a demo.
  • A tool that will save you time and money, delivering value.

Using this set of criteria, we looked for a range of AD management packages that include dedicated unlocking utilities.

1. Dameware Remote Support (FREE TRIAL)


Dameware Remote Support is an extensive package of tools for IT Department support teams and managed services providers. The system includes remote access, remote control, endpoint management, and system monitoring capabilities. It also has an account unlocking utility for Active Directory.

Key Features:

  • Endpoint management
  • System monitoring
  • Active Directory management

Why do we recommend it?

Dameware Remote Support provides full remote access and remote desktop functions to manage a fleet of endpoints. One feature in the package is the ability to manage Active Directory domain controller entries. You can unlock accounts easily with this tool, quickly completing a Help Desk ticket and moving on to more complicated issues.

The Active Directory management features in the system include a password reset system as well as an account unlocking utility. The entire package is a collection of administrator tools that can be used by a remote support team.

Who is it recommended for?

This is a comprehensive system that is going to appeal to the IT support teams of large enterprises. The charge rate for the system is per copy, so you can easily expand your team by getting another license and installing the software. Smaller businesses with tight budgets would probably prefer a SaaS subscription package.

Pros:

  • Access from a mobile app as well as desktops.
  • On-premises software.
  • Collects many utilities on one screen.

Cons:

  • Not available as a cloud platform

Dameware installs on Windows and Windows Server and you can read more about it in our Dameware Review. The system is available for a 14-day free trial.

EDITOR'S CHOICE

Dameware Remote Support is our top pick for an automated account unlocking system for Active Directory because it also gives you a full remote access and remote management system for a fleet of endpoints. The package is delivered for self-hosting on Windows and you need to install a copy on each technician’s workstation. There is also a mobile app available for iOS and Android. The service gives access to remote endpoints running Windows, macOS, and Linux.

Official Site: https://www.solarwinds.com/remote-support-software/registration

OS: Windows

2. ManageEngine ADSelfService Plus (FREE TRIAL)


With ManageEngine ADSelfService Plus, technicians are provided with a tool to unlock accounts and the users are given another method. The self-service portal that comes with this package is designed to reduce lockouts due to password strength by including a guided password creation system.

Key Features:

  • Password error prevention
  • User controls
  • Technician tools
  • Unlocking on demand
  • Password reset requestor

Why do we recommend it?

ManageEngine ADSelfService Plus provides a user portal in which the users can reset their own passwords. This is a great time saver for IT support teams because it cuts out a large number of Help Desk support requests. You can put your contact form for assistance requests in the self-service portal but draw attention to the password reset option.

The self-service portal enables users to reset their passwords and includes a password unlock request service. Account unlocking occurs automatically, without technician intervention. This means that the remaining locks are those imposed by the system because of intruder threats.

The administrator-based unlocking function is perhaps a little risky because it is possible to set up the system to automatically unlock locked accounts. This could undermine the efforts of IPSs to block intruders.

Who is it recommended for?

This package is suitable for use by large organizations with many users. The larger the user community, the more value a company would get from the ADSelfService Plus system. Pricing is scaled according to the number of users that are being managed. Small companies can access the Free edition, which manages up to 50 user accounts.

Pros:

  • Unlock accounts individually or in bulk.
  • Automated or on-demand unlocking.
  • Self-service portal for users.
  • Password creation guidance.
  • Cuts down calls to the Help Desk.

Cons:

  • No cloud version.

This system is a software package that runs on Windows Server. There is a free version of ManageEngine ADSelfService Plus. That is limited to managing 50 users. You can get a 30-day free trial of either of the two paid editions.


3. ManageEngine ADAudit Plus (FREE TRIAL)


ManageEngine ADAudit Plus is a package of security tools that implements file integrity monitoring and protection for Active Directory. Among the AD tools in the bundle is the Account Lockout Analyzer. The tool automatically identifies account lockout events and compiles a report for each user account, detailing where and when these events occurred.

Key Features:

  • Lists account lockouts per user
  • Identifies lockout reasons
  • Provides compliance reports
  • Identifies most frequently locked-out accounts

Why do we recommend it?

ManageEngine ADAudit Plus is an Active Directory assessor that is particularly useful for compliance management. The system also tracks user account activity, which makes it an insider threat and account takeover detection system. The tool will assess the security of the records in your AD domains, looking for problems, such as abandoned accounts.

ADAudit Plus provides auditing for Active Directory in general, not only lockout events. The system also logs all file access events and sorts through those records for compliance auditing. The lockout report is also needed for compliance reporting.

Who is it recommended for?

This system is a good choice for any business. There is a Free edition for small businesses; however, the Active Directory auditing feature of that package expires after 30 days. The lowest plan is suitable for managing a system with two domain controllers and is sold on a perpetual license at a reasonable price.

Pros:

  • Identifies user account-related risks
  • Protects the system from insider threats and account takeover
  • Implements compliance auditing and reporting for GLBA, GDPR, SOX, PCI DSS, and FISMA.
  • Root cause analysis

Cons:

  • Not offered as a SaaS package

ManageEngine ADAudit Plus is available for Windows Server, AWS, and Azure. There is a Free edition, but it doesn’t include the Account Lockout Analyzer, and neither does the lower of the two paid editions, which is called Standard. You need the Professional edition, and you can get that on a 30-day free trial.


4. Netwrix Account Lockout Examiner


Netwrix Account Lockout Examiner identifies all locked accounts through its graphical user interface. The details of each user record in the lockout list show the reason for the lock and also the resource that the user tried to access. The tool also has a search facility, which enables Help Desk staff to enter a username and see that account’s lockout status.

Key Features:

  • Free tool
  • Identifies all locked accounts
  • Account Search
  • Lockout reason

Why do we recommend it?

Netwrix Account Lockout Examiner doesn’t just let you reset passwords but it examines the pattern of behavior of users when attempting and failing to access an account. Clearly, repeated access attempts can indicate a brute force password cracking attempt. So, an examination of why a user gets locked out is an important security monitoring task.

With this system, technicians can also unlock accounts. There isn’t a bulk automated unlock feature. However, that facility can be dangerous, so Netwrix knew what it was doing when it left that option out.

Who is it recommended for?

This tool is recommended for all businesses large and small because it is free to use, which is great for SMBs, and it doesn’t have an account limit, which makes it useful for large organizations. This free tool is good to have on hand for periodic account checking.

Pros:

  • Sweep AD for all locked accounts.
  • Query single account statuses.
  • Identify the reason for the lockout.
  • Unlock utility.

Cons:

  • No bulk unlock feature.

The software for Netwrix Account Lockout Examiner installs on Windows and Windows Server. You can install the system on as many endpoints as you like because it is free to use.

5. AD Pro Toolkit


The AD Pro Toolkit bundle includes 13 tools for administering Active Directory. Among these is the Active Directory User Unlock Tool. This is a useful and straightforward package that allows support staff to unlock an account without needing full access to Active Directory.

Key Features:

  • Straightforward, single-use screen
  • Displays all accounts
  • Search for individual accounts

Why do we recommend it?

AD Pro Toolkit is a package of Active Directory management utilities and reporting services. The bundle includes the Active Directory Password Reset Tool. This service provides a quick way to search for a specific account and see its status, unlocking it if necessary. It is also possible to search for all locked accounts.

The tool supports two scenarios: a list of all locked accounts and a username search. The account details screen shows why the account was locked and offers a quick unlocking button. This is a useful feature because it provides enough information to allow the technician to decide whether the lock is valid.

Who is it recommended for?

It is possible to get the package on a single installation license or a site-wide license. There is also an edition for managed service providers. This is a package that will interest mid-sized and large organizations but it would probably be judged too expensive by smaller companies that would be more attracted to the Netwrix Account Lockout Examiner.

Pros:

  • Advises on lock reasons.
  • Provides bulk and individual lock search functions.
  • Uncomplicated layout.

Cons:

  • Charged for, but almost identical to the free Netwrix Account Lockout Examiner.

The price for a single license is $299. That package doesn’t include the AD ACL Permissions Scanner. That utility is included in the two other plans, which are a site license for $599 and an MSP license for $899. The software runs on Windows and Windows Server.

6. WiseDATAman Password Control


WiseDATAman Password Control is a small utility that presents a record searching form and then displays just one matching record. Although this system doesn’t have a bulk locked account listing screen, its compact layout provides a lot of tools in one small space and that includes an option to unlock accounts.

Key Features:

  • Small interface
  • Single user display
  • Unlocks accounts

Why do we recommend it?

WiseDATAman Password Control is a free tool. The package used to be charged for and so there is a license download process to go through in order to get the service running. However, this is a relatively easy step. The package allows an administrator to search through accounts, reset the password on an account, unlock accounts individually or in bulk, and to specify that all users reset their password on their next login.

This tool is a substitute for the Properties window for an account in the Active Directory system. However, it is very useful because it allows a Help Desk technician limited and controlled access to the AD system.

Who is it recommended for?

This is a very similar tool to the Netwrix Account Lockout Examiner. The Netwrix system has more analytical tools in it but the password reset services are a close match to the functions of the WiseDATAman Password Control service. Try them both and see which you prefer.

Pros:

  • Provides limited AD access for Help Desk staff.
  • Single checkbox to unlock an account.
  • Doesn’t take up much room on the Desktop.

Cons:

  • No listing screen to show all locked accounts.

Although this is not an automated tool, it saves the user typing in PowerShell commands and it is free to use. The software runs on Windows and Windows Server.