Account Unlock Procedures

Modified on Tue, Sep 30, 2025 at 11:30 AM

These procedures cover unlocking employee accounts in Active Directory and DUO and resetting Windows passwords. VPN users can get locked in DUO in addition to Active Directory.
  • 1. Identify the employee

    If the employee is not personally known to you by voice, you need to confirm that the caller is who they claim to be. Do this by having them confirm their employee ID number. On our end, the employee ID number is in the Description field of the employee's AD object. Alternatively, send them a test push in Duo. If that is not an option, have them confirm the phone number they use for Duo and the name of their manager. IT can confirm this information in Duo and in the employee directory on the intranet.
  • 2. Unlock - Active Directory

    If the end user was not successful in unlocking themselves using the ADSelfService Plus self-unlock tool, you can unlock their account for them. Go to the Account tab of the employee's AD object. If the account is locked in AD, it will state "This account is currently locked out on this Active Directory Domain Controller." Check the box next to Unlock Account, click Apply, and then click OK. Have the employee try logging in again.
  • 3. Unlock - Firewall (ancient history)

    Previously, on the Palo Alto firewall, VPN users could also get locked out on the firewall if they entered a bad password in the GlobalProtect client. This is no longer the case on the Sophos Connect VPN - a VPN user would only get locked out in Active Directory, which is what the Sophos firewall syncs with.
    Old Palo Alto instructions: Go to the firewall for the GlobalProtect portal that the employee is trying to connect to. Then go to the Device tab and select Authentication Profile. If the account is locked on that firewall, it will show up under the Locked Users column. Clicking on the account name will unlock it.
    VPN Portal / Firewall:
    VPN.ffl.net https://lkpa.ffl.net
    VPNBU.ffl.net https://colpa.ffl.net
    BSBVPN.ffl.net https://bppa.ffl.net
    JAXVPN.ffl.net https://jaxpa.ffl.net
  • 4. Unlock - DUO

    VPN users can get locked in DUO if they ignore the prompts 10 consecutive times. Log in to DUO at https://admin-95654f82.duosecurity.com/login?next=%2F. Select the user under Users by clicking on the link for their user ID. Change their status from Locked to Active using the radio buttons, then click Save Changes.
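
Steps 1 and 2 can also be carried out from PowerShell. The function below is an added example, not part of the original procedure: it refuses to unlock unless the employee ID the caller gave matches the Description field, and only acts when the account is actually locked. The function name `Unlock-VerifiedEmployee` and the sample values are hypothetical; it assumes the RSAT ActiveDirectory module is installed and that Description holds only the employee ID.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumption: the Description attribute contains only the
# employee ID (step 1). Adjust the comparison if it holds other text too.
function Unlock-VerifiedEmployee {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,    # AD logon name
        [Parameter(Mandatory)][string]$ClaimedEmployeeId  # ID stated by the caller
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties Description,
        LockedOut, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt

    # Step 1: compare the caller's answer with the ID on file. Fail closed on
    # an empty Description, and never echo the ID on file back to the console,
    # so the value cannot be read out to the caller by mistake.
    $onFile = "$($user.Description)".Trim()
    if (-not $onFile -or $onFile -ne $ClaimedEmployeeId.Trim()) {
        Write-Warning "Employee ID does not match the AD record for $SamAccountName. Not unlocking."
        return $false
    }

    # Step 2: nothing to do in AD if the account is not locked there.
    if (-not $user.LockedOut) {
        Write-Host "$SamAccountName is not locked in AD. Check DUO (step 4)."
        return $false
    }

    # Show when and how the lockout happened before clearing it. A lockout the
    # employee cannot explain is worth raising rather than silently unlocking.
    $user | Select-Object SamAccountName, AccountLockoutTime, BadLogonCount,
        LastBadPasswordAttempt | Format-List | Out-Host

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock AD account')) {
        Unlock-ADAccount -Identity $user
        return $true
    }
    return $false
}

# Constructed sample values; -WhatIf shows the action without performing it.
# Unlock-VerifiedEmployee -SamAccountName jdoe -ClaimedEmployeeId 104233 -WhatIf
```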
