--------------------------- Unlocked user "target_username" --------------------------- Use code with caution. How to Unlock a User via the Web UI
Click on the tab in the top navigation bar, then select Users .
By default, only high-level administrators can unlock accounts. However, you can delegate this specific task to help-desk staff by creating a custom role: Permission : Create a permission with krbloginfailedcount krblastadminunlock : Group the permission into a "Unlock" privilege.
timestamp, allowing the user to attempt login again immediately. Administrative Privilege: ipa user-unlock
Unlocked account "jsmith"
In the context of (Identity, Policy, Audit), the user-unlock
When a user exceeds the maximum allowed failures, the underlying LDAP attribute nsAccountLock is set to true , and Kerberos authentication tokens (tickets) are denied for that user. The Anatomy of the ipa user-unlock Command However, you can delegate this specific task to
: Ensure you have an active Kerberos ticket as an administrator. kinit admin Use code with caution. Copied to clipboard Verify Status : Before unlocking, check if the user is actually locked. ipa user-status Use code with caution. Copied to clipboard Execute the Unlock : Run the dedicated unlock command. ipa user-unlock Use code with caution. Copied to clipboard Method 2: Using the Web UI (The Visual Approach)
Before unlocking, you may want to verify if the account is actually locked or just disabled. Check status: ipa user-status Distinction: account is due to password failures; a account is a manual state set by an admin using ipa user-disable . You must use ipa user-enable to fix a disabled account, not user-unlock 🛡️ Delegating Unlock Permissions
ipa user-status svc_reports_02
If lockouts are too frequent across the whole organization, consider adjusting the global password policy: ipa pwpolicy-mod --maxfail=10 --lockouttime=600 Use code with caution.
Click the drop-down menu located at the top right of the user details page. Select Unlock from the options.