Ipa User-unlock Jun 2026

Search for and click on the specific user that is locked.

Navigate to the Users tab, select the locked user, and use the Actions menu to select Unlock.

If you want to modify these settings globally, use the ipa pwpolicy-mod utility. For example, to increase the maximum allowed failures to 5 attempts and set an automatic unlock duration of 15 minutes (900 seconds), run:

    ipa pwpolicy-mod --maxfail=5 --lockouttime=900

The basic syntax to unlock a user account using ipa user-unlock is:

The ipa user-unlock command is a FreeIPA (Identity Management) tool used by administrators to re-enable a user account that has been locked.

Before attempting to use any unlocking tool, be aware of the significant limitations:

You must be authenticated as a user with sufficient privileges (typically an administrator). Run kinit admin before attempting the unlock.

Permissions: The performing user needs the System: Unlock User permission.

Lock Status

IdM typically includes a built-in reset period that automatically unlocks user accounts after a specific amount of time passes. However, there are situations where manual intervention becomes necessary:

The primary utility for resolving this disruption is the ipa user-unlock command. This comprehensive guide covers how to check account statuses, execute manual unlocks via the CLI and Web UI, and customize your domain's lockout parameters to prevent future operational bottlenecks.

Anatomy of an Identity Management Lockout

Sometimes running the unlock command results in an error message rather than a success confirmation. Below are the most common scenarios and how to resolve them.

Error: "Kerberos Credential Cache Not Found"

To prevent frequent lockouts, you can adjust the thresholds in the Global Password Policy:

Unlocking an account resets the failure counter but does not change the user's password. If the user forgot their password, unlocking the account will only result in them locking it again on their next attempt. In cases of forgotten credentials, use the password reset command instead:

    ipa user-mod target_username --password

By default, FreeIPA uses a Password Policy (managed via ipa pwpolicy-show) that defines: How many wrong guesses are allowed.


Quick Guide: Using ipa user-unlock

ipa user-unlock --help