Have you ever been locked out of your system due to failed login attempts? Well! If that is the case, it is due to the Account lockout threshold policy. In most cases, failed login attempts are accidental, i.e., it generally happens when a user forgets the details or submits the credentials incorrectly.
However, some people intentionally try to sign in to your account and make repeated attempts to crack the password. To prevent data loss, the account locks out after too many failures, which stops remote attackers from continuing to guess.
Denial of Service (DoS) attacks and malicious attempts to guess user passwords are two distinct threats that user accounts face. Thus, to protect internal data, one must incorporate pre-configured lockout strategies.
Here we will discuss account lockout and the main elements of the Account Lockout Policy in Active Directory.
What is an Account Lockout?
Device owners are likely familiar with the practice of lockout, as it has existed for a long time. For instance, most iPhone users will have faced a timed lockout (the screen is disabled for some time after failed passcode attempts). On a personal device, users can even choose to wipe the device after multiple failed attempts.
However, things are a bit different with remote systems. Our servers carry a lot of day-to-day information and share it with team members regularly. Wiping a server or its resources the way you would a personal device is not a solution and can cause significant loss later.
Instead, administrators must introduce policies to block such accounts.
Attackers are always on the move and can target your accounts to exploit cybersecurity vulnerabilities. By disabling the account, you put the attacker on hold and can later take action to add another layer of protection, such as changing the password.
Bear in mind that a lockout policy also keeps the legitimate owner out of key resources for some time. The main purpose of implementing account lockout policies is to reduce online password-guessing attacks and surface potential security breaches. Check out the main elements of lockout policies and a few considerations to prevent data loss.
Main Elements of Active Directory Account Lockout Policies
Each device or server has a lockout policy to protect data from threats and unauthorized users. Whenever a user submits credentials, the system begins monitoring the login behavior and takes necessary actions as per the need. In an account lockout policy, there are three main elements:
- Account Lockout Threshold: Every failed login attempt increments the user's badPwdCount attribute. The first failed login sets the count to one. If the user keeps failing until the count reaches the configured number, the account gets locked. Active Directory allows a value between 0 and 999; the default is 0. Accounts with a threshold of zero never lock out automatically.
- Account Lockout Duration: This element decides how many minutes an account remains locked. Administrators can set a value between 0 and 99,999. Once that time elapses, the account unlocks automatically, unless the duration is set to zero. In that case, only admins can unlock the affected accounts, for example through the Active Directory Users and Computers (ADUC) console.
- Reset Account Lockout Counter After: This element defines how long it takes for the failed-login counter to reset. For example, a user submits an incorrect password, which sets the failed-login counter to 1. If the user stops and makes no further attempt, the count returns to zero once this window elapses. However, if the user continues and exceeds the lockout threshold within the window, the authentication system locks the account. Once unlocked, the counter resets for a fresh start.
Lockout Policy Considerations
Many reasons result in an Active Directory account lockout, such as submission of out-of-date service login passwords, drive mappings with out-of-date credentials, a user accessing AD from multiple devices, etc.
To protect user accounts from DoS attacks, Microsoft recommends setting the threshold value to 0 or a high number and a lockout duration of around 15 minutes. A threshold value of zero prevents lockout-based Denial of Service (DoS) attacks, because no number of failed attempts can lock the account.
Administrators must also configure alerts to instantly inform team members about failed login events.
Choose an approach based on how many lockout instances you are seeing and what suits your environment. Apply a lockout policy that lets you manage the number of failed attempts and the reset window in Active Directory.
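The three elements above map directly onto properties of the default domain password policy. The following PowerShell is an added example, not code from the original article: it reads the current values, applies the constructed settings of a 10-attempt threshold with a 15-minute lockout and a 15-minute reset window (matching the 15-minute guidance above), and checks the one constraint Active Directory enforces, namely that the reset window cannot be longer than the lockout duration unless the duration is 0. It assumes the RSAT ActiveDirectory module is installed and that you have rights to modify the domain policy.

```powershell
# Added example (not from the original article): inspect and adjust the three
# lockout elements of the default domain policy. Assumes the ActiveDirectory
# RSAT module and rights to change domain policy; try it in a lab domain first.
Import-Module ActiveDirectory

# Read the current default domain policy and show only the lockout elements.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Desired values (constructed for this example):
#   LockoutThreshold         = Account Lockout Threshold (0 = never lock out)
#   LockoutDuration          = Account Lockout Duration (0 = until an admin unlocks)
#   LockoutObservationWindow = Reset Account Lockout Counter After
$threshold = 10
$duration  = New-TimeSpan -Minutes 15
$window    = New-TimeSpan -Minutes 15

# AD rejects a reset window longer than the lockout duration, except when the
# duration is 0 (manual unlock only), so validate before writing the policy.
if ($duration.TotalMinutes -ne 0 -and $window -gt $duration) {
    throw "LockoutObservationWindow ($window) must not exceed LockoutDuration ($duration)"
}

# Apply the new values to the same policy object we read above.
$policy | Set-ADDefaultDomainPasswordPolicy `
    -LockoutThreshold $threshold `
    -LockoutDuration $duration `
    -LockoutObservationWindow $window

# Re-read to confirm the change took effect on the domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

If your domain uses fine-grained password policies (Password Settings Objects), the same three properties exist on Get-ADFineGrainedPasswordPolicy / Set-ADFineGrainedPasswordPolicy, and a PSO applied to a user or group overrides the default domain values shown here.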
How to Unlock User Accounts in Active Directory Using PowerShell
First, you will need to import the ActiveDirectory module (part of RSAT-AD-PowerShell) into your session. You can import it with the following command:
Import-Module ActiveDirectory
To check if the user account is locked, run the following command in the PowerShell:
Get-ADUser -Identity hjethva -Properties LockedOut | Select-Object SamAccountName,LockedOut | Format-Table -AutoSize
If the account is locked, you will get the following output:
SamAccountName LockedOut
-------------- ---------
hjethva        True
If you want to see the user lock time, run the following command:
Get-ADUser hjethva -Properties Name,lockoutTime | Select-Object Name,@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}}
You will get the following output:
Name          lockoutTime
----          -----------
hitesh jethva 2/12/21 4:30:32 PM
To get a list of all accounts that are locked out, run the following command:
Search-ADAccount -LockedOut
You will get the following list:
AccountExpirationDate :
DistinguishedName     : CN=hitesh jethva,OU=IT Users,DC=ad,DC=example,DC=com
Enabled               : True
LastLogonDate         :
LockedOut             : True
Name                  : hitesh jethva
ObjectClass           : user
ObjectGUID            : 32638462-1294-2387-2398-df8723871253
PasswordExpired       : True
PasswordNeverExpires  : False
SamAccountName        : hjethva
SID                   : S-1-2-22-2022894387-1594857317-8702342956-1422
UserPrincipalName     : hjethva@example.com

AccountExpirationDate :
DistinguishedName     : CN=vyom shah,OU=IT Users,DC=ad,DC=example,DC=com
Enabled               : True
LastLogonDate         :
LockedOut             : True
Name                  : vyom shah
ObjectClass           : user
ObjectGUID            : 32939862-1391-2157-2918-af8224875263
PasswordExpired       : True
PasswordNeverExpires  : False
SamAccountName        : vshah
SID                   : S-1-2-22-2022894387-1594857317-8702342956-1422
UserPrincipalName     : vshah@example.com

AccountExpirationDate :
DistinguishedName     : CN=jay shah,OU=IT Users,DC=ad,DC=example,DC=com
Enabled               : True
LastLogonDate         :
LockedOut             : True
Name                  : jay shah
ObjectClass           : user
ObjectGUID            : 86932362-5331-2656-2218-ff4225875a62
PasswordExpired       : True
PasswordNeverExpires  : False
SamAccountName        : jshah
SID                   : S-1-2-22-2022894387-1594857317-8702342956-1422
UserPrincipalName     : jshah@example.com
To unlock a single user account, run the following command:
Get-ADUser -Identity hjethva | Unlock-ADAccount
Or
Unlock-ADAccount -Identity hjethva
To unlock all locked user accounts, run the following command:
Search-ADAccount -LockedOut | Unlock-ADAccount
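Unlocking every locked account in one pipeline, as above, also clears lockouts that an attacker caused, and the considerations section recommends alerting on failed login events. The script below is an added example, not code from the original article, that ties the two together: it reads the 4740 "account was locked out" events from the PDC emulator (the domain controller that records every lockout in the domain), joins them to Search-ADAccount -LockedOut so each locked account is shown with the computer the bad passwords came from, and then unlocks only accounts whose source is on a list of known workstations, prompting before each change. The host list and 24-hour look-back are constructed values; it assumes the ActiveDirectory module and permission to read the Security log on the PDC emulator.

```powershell
# Added example (not from the original article): report locked-out accounts
# together with the source of the lockout, then unlock only approved ones.
# Assumes the ActiveDirectory module and read access to the DC's Security log.
Import-Module ActiveDirectory

$pdc        = (Get-ADDomain).PDCEmulator
$since      = (Get-Date).AddHours(-24)          # constructed look-back window
$knownHosts = @('WS-HJETHVA', 'WS-VSHAH')       # constructed list of trusted workstations

# Event ID 4740 is written on the PDC emulator for each lockout. In its XML,
# TargetUserName holds the locked account and TargetDomainName holds the
# "Caller Computer Name" (the host that submitted the bad passwords).
$lockoutEvents = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x    = [xml]$_.ToXml()
    $data = $x.Event.EventData.Data
    [pscustomobject]@{
        Time           = $_.TimeCreated
        SamAccountName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    }
}

# Join the currently locked accounts to their most recent 4740 event.
$report = foreach ($acct in (Search-ADAccount -LockedOut)) {
    $last = $lockoutEvents |
        Where-Object SamAccountName -eq $acct.SamAccountName |
        Sort-Object Time -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        SamAccountName = $acct.SamAccountName
        LockedAt       = $last.Time            # $null if no event in the window
        CallerComputer = $last.CallerComputer  # $null if no event in the window
    }
}
$report | Format-Table -AutoSize

# Unlock only accounts locked from a trusted workstation; -Confirm prompts for
# each one. Lockouts from unknown or missing sources are left for investigation.
$report |
    Where-Object { $_.CallerComputer -and ($knownHosts -contains $_.CallerComputer) } |
    ForEach-Object { Unlock-ADAccount -Identity $_.SamAccountName -Confirm }

# Anything not unlocked is printed so the on-call engineer can follow up.
$report |
    Where-Object { -not $_.CallerComputer -or ($knownHosts -notcontains $_.CallerComputer) } |
    Format-Table -AutoSize
```

The same Get-WinEvent filter with Id 4625 (failed logon) on the domain controllers is the building block for the alerting the considerations section asks for; scheduling this query and sending its output to your ticketing or chat system turns it into the instant notification described there.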
Conclusion
Account lockout occurs when a user exceeds the configured number of failed login attempts. The purpose of implementing account lockout on devices, servers, and in Active Directory is to prevent an unauthorized user from entering your account and gaining access to sensitive information.
Account lockout can happen for various reasons, such as reaching the bad password limit, programs with cached credentials, users forgetting to update stored passwords, submission of out-of-date service login passwords, a user accessing AD from multiple devices, etc.
No doubt, most people have forgotten a password at some point and locked their account by submitting incorrect passwords. You may recall that after the first failed login attempt, the screen displays how many attempts are left. When the threshold is exceeded, the account gets locked.
The method helps slow down online password-guessing attacks. Another benefit of the account lockout policy is that it surfaces brute-force attempts as potential security breaches.
You can protect your data from Denial of Service (DoS) attacks by adopting a well-considered account lockout policy. Make sure to set the threshold value to zero or a high number and a lockout duration of around 15 minutes. Also, configure alerts to immediately notify team members when a user makes failed login attempts.
Account Lockout Threshold, Account Lockout Duration, and Reset Account Lockout Counter After are the main elements of Active Directory Account Lockout Policies. Make changes to these elements as needed and take necessary actions as per the login behavior.