
Locked Users – View and Unlock Directory-Locked Accounts

The Locked Users page displays directory users who have been locked out due to excessive failed authentication attempts. When an LDAP profile or Entra ID profile has user locking enabled and a user exceeds the configured maximum failed attempts, a lock record is created. The lock automatically expires after the configured duration, or administrators can manually unlock accounts.

This page is read-only — users cannot be manually added. Lock records are created automatically by the authentication system. The only available action is unlocking.

Required Role: Any authenticated user can view and unlock locked accounts.

Navigation: Home → Directory Settings → Locked Users

| Role | View Locked Users | Unlock |
|------|-------------------|--------|
| ROOT | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ |
| ADMIN | ✅ | ✅ |
| OPERATOR | ✅ | ✅ |

The data grid uses server-side pagination, filtering, and sorting.

| Column | Description | Sortable |
|--------|-------------|----------|
| Username | The locked user's login name | Yes |
| LDAP Profile | Source LDAP profile hostname (if locked via LDAP) | Yes |
| Entra ID | Source Entra ID profile name (if locked via Entra ID) | Yes |
| Num Attempts | Number of failed attempts that triggered the lock | Yes |
| Locked At | Timestamp when the lock was applied | Yes (default: descending) |
| Locked Until | Computed expiration time (Locked At + lock duration) | No |
| Action | Unlock button | — |

Steps:

  1. Locate the locked user in the data grid.
  2. Click the Unlock icon in the Action column.
  3. Confirm the unlock in the dialog.

Result: The lock record is deleted and the user can authenticate immediately.


User locking is triggered by the authentication system, not configured on this page. The locking behavior is defined on the directory profiles:

When Lock LDAP Users is enabled on an LDAP Profile:

  1. User attempts authentication against the LDAP directory.
  2. Each failed attempt increments the attempt counter.
  3. When the counter reaches Max Failed Attempts, a lock record is created.
  4. The lock lasts for Minutes Locked duration.

When Enable User Locking is enabled on an Entra ID Profile:

  1. Same behavior as LDAP — failed attempts are counted.
  2. Lock is applied when the threshold is reached.

The Minutes Locked value controls how long a lock lasts:

| Configuration Value | Behavior |
|---------------------|----------|
| -1 | Locked permanently (requires manual unlock) |
| 0 | Locking effectively disabled |
| 1–1440 | Locked for the specified number of minutes |
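
The following Python is an added illustration, not the product's own code, that models the locking rules described above: the per-user failure counter, the lock record created when the counter reaches Max Failed Attempts, Locked Until computed as Locked At plus Minutes Locked, and the three ranges of Minutes Locked (-1 permanent, 0 effectively disabled, 1–1440 minutes). All class, field and method names are hypothetical, since the page does not show the product's data model; it also assumes that a successful login resets the counter, which the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Hypothetical names; the product's real data model is not shown on the page.
PERMANENT = -1      # Minutes Locked = -1: locked until an administrator unlocks
DISABLED = 0        # Minutes Locked = 0: the lock expires the instant it is created
MAX_MINUTES = 1440  # upper bound of the documented 1-1440 range


@dataclass
class LockRecord:
    """One row of the Locked Users grid."""
    username: str
    profile: str        # LDAP profile hostname or Entra ID profile name
    num_attempts: int   # failed attempts that triggered the lock
    locked_at: datetime


@dataclass(frozen=True)
class LockPolicy:
    """The two directory-profile settings that control locking."""
    max_failed_attempts: int
    minutes_locked: int

    def __post_init__(self) -> None:
        valid = self.minutes_locked == PERMANENT or 0 <= self.minutes_locked <= MAX_MINUTES
        if not valid:
            raise ValueError("Minutes Locked must be -1 or between 0 and 1440")

    def locked_until(self, rec: LockRecord) -> Optional[datetime]:
        """Locked At + lock duration; None means a permanent lock."""
        if self.minutes_locked == PERMANENT:
            return None
        return rec.locked_at + timedelta(minutes=self.minutes_locked)

    def is_active(self, rec: LockRecord, now: datetime) -> bool:
        """An expired record is treated as unlocked even though it still exists."""
        until = self.locked_until(rec)
        return until is None or now < until


class LockTracker:
    """Counts failures per user for one directory profile and creates lock records."""

    def __init__(self, policy: LockPolicy, profile: str) -> None:
        self.policy = policy
        self.profile = profile
        self.failed: Dict[str, int] = {}
        self.locks: Dict[str, LockRecord] = {}

    def record_failure(self, username: str, now: datetime) -> Optional[LockRecord]:
        """Increment the counter; return a lock record once the threshold is reached.

        A failure after the threshold recreates the record with a fresh Locked At
        and a higher Num Attempts, which is why a user can appear to stay locked
        after an unlock while wrong credentials keep being submitted."""
        count = self.failed.get(username, 0) + 1
        self.failed[username] = count
        if count >= self.policy.max_failed_attempts:
            rec = LockRecord(username, self.profile, count, now)
            self.locks[username] = rec
            return rec
        return None

    def record_success(self, username: str) -> None:
        """Assumption not stated on the page: a successful login resets the counter."""
        self.failed.pop(username, None)

    def is_locked(self, username: str, now: datetime) -> bool:
        rec = self.locks.get(username)
        return rec is not None and self.policy.is_active(rec, now)

    def unlock(self, username: str) -> None:
        """The Unlock action: delete the record so the user can authenticate immediately."""
        self.locks.pop(username, None)
        self.failed.pop(username, None)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    tracker = LockTracker(LockPolicy(max_failed_attempts=3, minutes_locked=15),
                          "ldap.example.internal")
    rec = None
    for _ in range(3):
        rec = tracker.record_failure("alice", now)
    print(rec, "locked until", tracker.policy.locked_until(rec))
```

With Minutes Locked set to 0 the record is still created, but Locked Until equals Locked At, so `is_locked` is already false; that is what "effectively disabled" means in the table. With -1, `locked_until` returns None and only `unlock` clears the user.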

When a user reports being locked out:

  1. Verify the user's identity through an out-of-band channel.
  2. Find the user in the Locked Users list.
  3. Click Unlock.
  4. Instruct the user to retry with the correct password.

When investigating suspicious locks:

  1. Review the Locked Users list for unusual patterns.
  2. Note the Num Attempts column — very high numbers may indicate brute-force attacks.
  3. Check the source directory (LDAP Profile or Entra ID column).
  4. Cross-reference with Authentication Logs and Blocked Attempts.
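
As an added example (not the product's own code), the following Python runs the review steps above over a constructed set of Locked Users rows: it flags rows with an unusually high Num Attempts relative to the profile's Max Failed Attempts, rows whose LDAP Profile and Entra ID columns are both empty, and any source profile on which several distinct users were locked within a short window. The row layout, the profile names and the thresholds (a multiplier of 5, a 10-minute window, 3 users) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample rows mirroring the Locked Users grid columns; not real data.
T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOCKS: List[Dict] = [
    {"username": "alice", "ldap_profile": "ldap.example.internal", "entra_id": None,
     "num_attempts": 5, "locked_at": T0},
    {"username": "bob", "ldap_profile": "ldap.example.internal", "entra_id": None,
     "num_attempts": 40, "locked_at": T0 + timedelta(minutes=1)},
    {"username": "carol", "ldap_profile": None, "entra_id": "Contoso Entra",
     "num_attempts": 5, "locked_at": T0 + timedelta(minutes=2)},
    {"username": "dave", "ldap_profile": None, "entra_id": "Contoso Entra",
     "num_attempts": 5, "locked_at": T0 + timedelta(minutes=3)},
    {"username": "erin", "ldap_profile": None, "entra_id": "Contoso Entra",
     "num_attempts": 6, "locked_at": T0 + timedelta(minutes=5)},
    {"username": "frank", "ldap_profile": None, "entra_id": None,
     "num_attempts": 5, "locked_at": T0 + timedelta(minutes=10)},
    {"username": "grace", "ldap_profile": "ldap.example.internal", "entra_id": None,
     "num_attempts": 6, "locked_at": T0 + timedelta(hours=1)},
]

# (kind, subject, value): kind is "high_attempts", "no_source" or "burst".
Finding = Tuple[str, str, Optional[int]]


def lock_source(row: Dict) -> Optional[str]:
    """Exactly one of the two source columns should be set; None means neither is."""
    return row["ldap_profile"] or row["entra_id"]


def triage(rows: List[Dict], max_failed_attempts: int, high_multiplier: int = 5,
           window: timedelta = timedelta(minutes=10), burst_min_users: int = 3) -> List[Finding]:
    findings: List[Finding] = []

    # Per-row checks: a missing source is an integrity problem; a Num Attempts far
    # above the threshold means failures kept coming long after the first lock.
    for row in rows:
        if lock_source(row) is None:
            findings.append(("no_source", row["username"], None))
        if row["num_attempts"] >= max_failed_attempts * high_multiplier:
            findings.append(("high_attempts", row["username"], row["num_attempts"]))

    # Per-source check: count distinct users locked inside a sliding time window.
    by_source: Dict[str, List[Dict]] = defaultdict(list)
    for row in rows:
        src = lock_source(row)
        if src is not None:
            by_source[src].append(row)
    for src, src_rows in by_source.items():
        src_rows.sort(key=lambda r: r["locked_at"])
        peak, start = 0, 0
        for end in range(len(src_rows)):
            while src_rows[end]["locked_at"] - src_rows[start]["locked_at"] > window:
                start += 1
            peak = max(peak, len({r["username"] for r in src_rows[start:end + 1]}))
        if peak >= burst_min_users:
            findings.append(("burst", src, peak))
    return findings


if __name__ == "__main__":
    for kind, subject, value in triage(SAMPLE_LOCKS, max_failed_attempts=5):
        print(f"{kind:14} {subject:24} {value if value is not None else ''}")
```

Each finding names what to cross-reference next: a `high_attempts` or `burst` row points at the Authentication Logs and Blocked Attempts for that source, while `no_source` corresponds to the "cannot determine lock source" entry in the troubleshooting table.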

If users are being locked too frequently:

  1. Navigate to the source LDAP Profile or Entra ID Profile.
  2. Increase the Max Failed Attempts value.
  3. Consider reducing the Minutes Locked duration.

| Issue | Possible Cause | Resolution |
|-------|----------------|------------|
| User remains locked after unlock | Lock record may have been recreated by continued failed attempts | Verify the user is using the correct credentials |
| No users appear | No users have been locked, or locking is disabled | Verify that user locking is enabled on directory profiles |
| "Locked Until" shows past time but user still listed | Lock has expired but record not yet cleaned up | The system treats expired locks as unlocked; the record is informational |
| Cannot determine lock source | Both LDAP Profile and Entra ID columns empty | This should not occur; check database integrity |