How to Unlock a Locked Active Directory (AD) Account
Created: 06/19/2025
Last Updated: 06/19/2025
Summary:
This article explains how to unlock a user account in Active Directory that has been locked due to failed login attempts or security policies.
Applies To:
System/Platform: Windows Server, Active Directory
User Level: Tier 1, IT Staff
Steps:
1. Open Active Directory Users and Computers (ADUC):
   - Press Win + R, type dsa.msc, and press Enter.
   - Alternatively, open it from the Start Menu if it is installed.
2. Find the Locked Account:
   - In the left pane, navigate to the appropriate Organizational Unit (OU).
   - Right-click the user account and select Properties.
3. Unlock the Account:
   - In the Account tab, check the box next to Unlock account if it is visible.
   - If it is not visible, the account may already be unlocked, or it may be unlocked automatically based on Group Policy.
   - Click OK to save changes.
4. Reset Password (Optional):
   - Still in Properties, click Reset Password to issue a new temporary password if needed.
   - Ensure "User must change password at next logon" is selected.
Troubleshooting Tips:
- Use Event Viewer on a domain controller to identify the lockout source (Event ID 4740).
- Use Account Lockout Tools (e.g., LockoutStatus.exe) to find which machine is causing repeated lockouts.
- Check user devices for saved credentials, and check for scheduled tasks that use outdated passwords.
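The Event ID 4740 lookup from the tips above, as an added PowerShell example (not part of the original article). It assumes the ActiveDirectory RSAT module and read access to the Security log on the PDC emulator; the function names and the sample account and computer names are hypothetical.

```powershell
# Added example, not from the original article. The live query needs the
# ActiveDirectory module (RSAT) and read access to the DC's Security log.
function Get-EventField {
    # Map an event's <Data Name="..."> elements to a hashtable keyed by name.
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-LockoutSource {
    # Count 4740 events for one user, grouped by the machine named in the event.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 1)
    $pdc    = (Get-ADDomain).PDCEmulator   # lockouts are processed by the PDC emulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error when nothing matches; suppress it here.
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventField -EventXml $_.ToXml()
            # In 4740, TargetDomainName holds the caller computer name.
            [pscustomobject]@{ Time = $_.TimeCreated; User = $f.TargetUserName
                               Source = $f.TargetDomainName }
        } |
        Where-Object { $_.User -eq $SamAccountName } |
        Group-Object Source | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source'; e = { $_.Name } },
                      @{ n = 'LastSeen'; e = { @($_.Group.Time | Sort-Object)[-1] } }
}

# Constructed sample of a 4740 event's XML (placeholder names), so the field
# lookup can be checked without a domain controller.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-EXAMPLE01</Data>
    <Data Name="SubjectUserName">DC-EXAMPLE01$</Data>
  </EventData>
</Event>
'@
$f = Get-EventField -EventXml $sample
'{0} was locked out from {1}' -f $f.TargetUserName, $f.TargetDomainName

# On a domain-joined admin host (jdoe is a placeholder account):
#   Get-LockoutSource -SamAccountName jdoe -Days 2
#   Get-ADUser jdoe -Properties LockedOut | Select-Object SamAccountName, LockedOut
#   Unlock-ADAccount -Identity jdoe
```

If the same Source keeps reappearing after an unlock, check that machine for the saved credentials or scheduled tasks mentioned above before unlocking again.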
Related Articles:
[How to Reset a Locked User Account Password]
[Understanding AD Account Lockout Policies]
Contributor Notes (Optional):
This guide assumes domain admin or delegated permissions in AD.
License:
This article is shared under a Creative Commons Attribution 4.0 International License. You’re free to copy, share, or adapt it as long as you give credit.