Active Directory: Resetting User Passwords and Clearing Lockouts
Learn the proper MSP procedure for resetting Active Directory passwords and clearing account lockouts. This guide covers the ADUC GUI path, PowerShell commands, and the technical difference between a password change and a lockout bit.
The Ticket: The Monday Morning Password Crisis
A user returned from a two-week vacation in Hawaii, forgot their complex password, and fat-fingered it enough times to trigger a domain-wide lockout. They have a meeting in five minutes and are locked out of their workstation, email, and the ERP. Instead of creating a new user, we need to reset the credentials and clear the bad password count in the directory immediately.
Pre-Flight Check
- Permissions: Domain Admin or Account Operator rights.
- Tools: Active Directory Users and Computers (ADUC) or PowerShell.
- Impact: Low - The user will be required to create a new password upon their next login.
The Solution
1. Access Administrative Tools
- Log in to the Domain Controller or a management server with RSAT installed.
2. Navigate to ADUC
- Open Active Directory Users and Computers.
3. Locate and Reset
- Find the user in their specific Organizational Unit (OU).
- Right-click the user and select Reset Password.
4. Update Credentials
- New Password: Enter a complex temporary password.
- User must change password at next logon: Check this box. This is a non-negotiable MSP security standard that ensures the tech doesn't "own" the user's secret.
- Unlock the user's account: Check this box if the user is currently locked out due to too many failed attempts.
5. Finalize
- Click OK. The change propagates across the domain controllers nearly instantly.
The "Why" (Root Cause)
Why do we have to manually check "Unlock the user's account"? In Active Directory, a Password Reset and an Account Lockout are two separate flags in the database.
A lockout is triggered when the badPwdCount attribute reaches the lockout threshold set in the Default Domain Policy. Even if you change the password to something the user knows, the lockoutTime attribute remains set, and the domain controller will continue to reject every login attempt until that timer expires or a technician manually clears the bit. By checking the box during a reset, you are zeroing out lockoutTime and the "bad password" counter, so the domain controller will issue the user a Kerberos ticket and let them log on to the workstation again.
Under the Hood (Technical Deep Dive)
When you reset a password in the GUI, the console is performing an LDAP_MODIFY_PASSWORD operation. Behind the scenes, the Domain Controller updates the unicodePwd attribute. This attribute is write-only; even as an Admin, you can never "see" what the password is, you can only overwrite it.
If the user is at a remote site, the reset must propagate via Active Directory Replication. In a multi-site environment, this can take up to 15 minutes. If the user is in a hurry, you can find which DC the user's workstation is talking to and perform the reset on that specific DC to bypass replication lag.
Also, keep in mind the PDC Emulator role. If a user tries to log in with a wrong password at a satellite office, that DC immediately checks with the PDC Emulator (the "authority" on passwords) to see if the password was recently changed. This is a built-in "anti-lag" feature of the Windows login process.
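To see the two flags described above as separate attributes, and to account for the fact that badPwdCount is kept per domain controller and never replicated (only lockoutTime is), the following added PowerShell example (not from the original article) queries every DC in the domain, marks the PDC Emulator, and prints which DC the current workstation is authenticating against. It assumes the RSAT ActiveDirectory module is installed and uses "jdoe" as a placeholder sAMAccountName.

```powershell
# Added example, not part of the original article. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$User = "jdoe"                              # placeholder sAMAccountName
$Pdc  = (Get-ADDomain).PDCEmulator          # the DC that is authoritative for lockouts

# badPwdCount is a per-DC value and is never replicated; lockoutTime is replicated.
# Query each DC so the picture is complete instead of trusting whichever DC you hit first.
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser -Identity $User -Server $_.HostName `
            -Properties badPwdCount, lockoutTime, LockedOut, pwdLastSet, LastBadPasswordAttempt
    [pscustomobject]@{
        DC              = $_.HostName
        IsPDC           = ($_.HostName -eq $Pdc)
        BadPwdCount     = $u.badPwdCount
        LockedOut       = $u.LockedOut
        # lockoutTime is a FILETIME; 0 / empty means the account is not locked out.
        LockoutTime     = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        LastBadPassword = $u.LastBadPasswordAttempt
        PwdLastSet      = if ($u.pwdLastSet) { [DateTime]::FromFileTime($u.pwdLastSet) } else { $null }
    }
} | Format-Table -AutoSize

# The DC this workstation logged on against: the one to target for an urgent reset
# so the user is not waiting on inter-site replication.
"Logon server for this session: $env:LOGONSERVER"
nltest /dsgetdc:$env:USERDNSDOMAIN
```

Run this before and after a reset: a healthy result is LockedOut False and LockoutTime empty on every DC, with PwdLastSet updated on the DC you targeted first and on the others once replication has caught up.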
RMM & Automation Tips
- Self-Service Portals: If your MSP uses a tool like CloudRadial or Adaxes, you can automate this so users can reset their own passwords via a text message code, saving your helpdesk 20 tickets a week.
- PowerShell Reset: If you need to reset a password via the RMM terminal without opening the GUI:
Set-ADAccountPassword -Identity "username" -Reset -NewPassword (ConvertTo-SecureString "TempPass123!" -AsPlainText -Force)
Unlock-ADAccount -Identity "username"
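The two one-liners above reset and unlock, but they skip the "User must change password at next logon" standard the GUI steps insist on, and they leave the temporary password in the RMM command history. The following added example (not from the original article) wraps the full procedure in one function: administrative reset, unlock, force change at next logon, all directed at one chosen DC to avoid replication lag, followed by a read-back of the relevant attributes from that same DC. It assumes the RSAT ActiveDirectory module; "jdoe" and "DC01.corp.example" are placeholders.

```powershell
# Added example, not part of the original article. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Reset-UserPasswordAndUnlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [securestring] $NewPassword,
        # Target the DC the user's workstation talks to; default to the PDC Emulator,
        # which is the authority other DCs consult on recent password changes.
        [string] $Server = (Get-ADDomain).PDCEmulator
    )

    if ($PSCmdlet.ShouldProcess($Identity, "Reset password, unlock and force change at next logon on $Server")) {
        # -Reset is an administrative reset: it writes unicodePwd without the old password.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $NewPassword -Server $Server

        # Lockout state lives in lockoutTime, a separate attribute; clearing it is a separate write.
        Unlock-ADAccount -Identity $Identity -Server $Server

        # Sets pwdLastSet to 0 so the user must replace the temporary password; the tech never "owns" it.
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -Server $Server
    }

    # Verify against the same DC that took the writes (other DCs may still be replicating).
    Get-ADUser -Identity $Identity -Server $Server `
        -Properties LockedOut, lockoutTime, badPwdCount, PasswordLastSet, PasswordExpired, PasswordNeverExpires |
        Select-Object SamAccountName, LockedOut, lockoutTime, badPwdCount, PasswordLastSet, PasswordExpired, PasswordNeverExpires
}

# Prompt for the temporary password rather than embedding it in the script or the RMM history.
$Temp = Read-Host -Prompt "Temporary password" -AsSecureString
Reset-UserPasswordAndUnlock -Identity "jdoe" -NewPassword $Temp -Server "DC01.corp.example" -Verbose
```

Two caveats a practitioner should know: Set-ADUser -ChangePasswordAtLogon $true fails on accounts flagged PasswordNeverExpires (the read-back includes that flag so the cause is visible), and in a non-interactive RMM job you would replace the Read-Host prompt with a secure variable supplied by the RMM rather than a literal string in the script. The -WhatIf switch is honoured, so you can preview the three writes before running them for real.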
Troubleshooting & Edge Cases
- Edge Case 1: "Password does not meet requirements": This means your temporary password is too short or doesn't have enough character types (Upper, Lower, Number, Symbol) to satisfy the Fine-Grained Password Policy.
- Edge Case 2: User is still locked out: If you reset and unlock, but the user immediately locks out again, they likely have a "ghost" credential saved in Windows Credential Manager on a phone or laptop that is spamming the server with the old password. Check their mobile devices!
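Both edge cases can be diagnosed from the console instead of by guesswork. The following added example (not from the original article) resolves the password policy that actually applies to the user (a Fine-Grained Password Policy wins over the Default Domain Policy when one is assigned), and then reads the lockout events (Security event ID 4740) from the PDC Emulator, which records every lockout in the domain together with the name of the computer that sent the bad credentials. It assumes the RSAT ActiveDirectory module, rights to read the PDC Emulator's Security log, and uses "jdoe" as a placeholder.

```powershell
# Added example, not part of the original article. Assumes RSAT ActiveDirectory module
# and read access to the Security log on the PDC Emulator.
Import-Module ActiveDirectory

$User = "jdoe"   # placeholder sAMAccountName

# Edge Case 1: "Password does not meet requirements".
# Show the policy the DC is actually enforcing for this user so the temporary
# password can be built to match (length, complexity, history).
$Policy = Get-ADUserResultantPasswordPolicy -Identity $User
if (-not $Policy) {
    # No FGPP applies to this user; the Default Domain Policy is in force.
    $Policy = Get-ADDefaultDomainPasswordPolicy
}
$Policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                        LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Edge Case 2: user keeps locking out again.
# Event 4740 on the PDC Emulator names the caller computer that submitted the bad
# password, which points at the device holding the stale ("ghost") credential.
$Pdc   = (Get-ADDomain).PDCEmulator
$Since = (Get-Date).AddDays(-1)

Get-WinEvent -ComputerName $Pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
    Where-Object { $_.Properties[0].Value -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value   # TargetUserName
            CallerComputer = $_.Properties[1].Value   # TargetDomainName = caller computer name in 4740
            RecordedOnDC   = $_.MachineName
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the CallerComputer column shows the user's own workstation, look for a stale mapped drive, scheduled task or service running under their account; if it shows an Exchange or VPN server, the stale credential is almost always on a phone or laptop mail client, which is exactly the "check their mobile devices" case above. No 4740 events at all usually means Account Lockout auditing is not enabled in the domain's audit policy.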