6-14. Managing Remote Access Account Lockouts
Problem
You want to view user accounts that have been locked by your remote access or IAS policy, and
to unlock one or all of these accounts.
Solution
Using the Registry
To view the list of users whose accounts have been locked by the remote access or IAS policy,
view the entries in the following Registry subkey.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout]
All locked accounts will have an entry under this key, formatted as
DomainName:AccountName.
To unlock a user account, navigate to the same Registry key and delete the appropriate
DomainName:AccountName entry.
Using VBScript
This script will unlock a user account:
' This code will unlock the account of a user named "jsmith"
' from a remote access account lockout
' ------ SCRIPT CONFIGURATION ------
strLockoutKey = "SYSTEM\CurrentControlSet\Services\RemoteAccess\" & _
    "Parameters\AccountLockout"
strDomain = "COMPANY.COM"
strUser = "jsmith"
' ------ END CONFIGURATION ---------
Set objShell = WScript.CreateObject("WScript.Shell")
' The trailing backslash tells RegDelete to remove a key rather than a value
objShell.RegDelete "HKLM\" & strLockoutKey & "\" & strDomain & ":" & strUser & "\"
WScript.Echo "Account " & strUser & " unlocked"
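The script above removes one named entry. As an added example (not part of the original recipe), the following VBScript lists every entry under the AccountLockout key through the WMI StdRegProv provider and, when blnUnlockAll is set to True, deletes all of them. It assumes each locked account appears as a subkey named DomainName:AccountName; strComputer and blnUnlockAll are names introduced here.

```vbscript
' Added example: list all remote access lockout entries, optionally clear them.
' Assumption: each locked account is a subkey named DomainName:AccountName.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
' ------ SCRIPT CONFIGURATION ------
Const strComputer = "."      ' "." = the local RAS/IAS server
Const blnUnlockAll = False   ' set to True to delete every lockout entry
Const strLockoutKey = "SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout"
' ------ END CONFIGURATION ---------

Dim objReg, arrEntries, strEntry, intPos, intRC, intCount

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

intRC = objReg.EnumKey(HKEY_LOCAL_MACHINE, strLockoutKey, arrEntries)
If intRC <> 0 Then
    WScript.Echo "Cannot read " & strLockoutKey & " (error " & intRC & ")"
    WScript.Quit 1
End If

' EnumKey returns Null, not an empty array, when the key has no subkeys
If IsNull(arrEntries) Then
    WScript.Echo "No accounts are currently locked out."
    WScript.Quit 0
End If

intCount = 0
For Each strEntry In arrEntries
    intPos = InStr(strEntry, ":")
    If intPos > 0 Then
        WScript.Echo "Locked: domain=" & Left(strEntry, intPos - 1) & _
            " user=" & Mid(strEntry, intPos + 1)
    Else
        WScript.Echo "Locked: " & strEntry
    End If
    If blnUnlockAll Then
        intRC = objReg.DeleteKey(HKEY_LOCAL_MACHINE, strLockoutKey & "\" & strEntry)
        If intRC = 0 Then
            intCount = intCount + 1
        Else
            WScript.Echo "  could not delete entry (error " & intRC & ")"
        End If
    End If
Next
If blnUnlockAll Then WScript.Echo intCount & " account(s) unlocked."
```

Run it with cscript from an elevated prompt on the RAS or IAS server; with blnUnlockAll left at False it only reports the locked accounts.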
How It Works
Unlike domain account lockouts that can be unlocked through the Active Directory Users and
Computers graphical user interface in addition to command-line and VBScript options, remote
access account lockout information is stored in the Registry of the RAS or IAS server. If you
need to unlock a user account before the default reset time has elapsed, you need to navigate
to the ~\Services\RemoteAccess\Parameters\AccountLockout key and delete the Registry key