Locked Users – View and Unlock Directory-Locked Accounts

Overview

The Locked Users page displays directory users who have been locked out due to excessive failed authentication attempts. When an LDAP profile or Entra ID profile has user locking enabled and a user exceeds the configured maximum failed attempts, a lock record is created. The lock automatically expires after the configured duration, or administrators can manually unlock accounts.

This page is read-only — users cannot be manually added. Lock records are created automatically by the authentication system. The only available action is unlocking.

Access & Permissions

Required Role: Any authenticated user can view and unlock locked accounts.

Navigation: Home → Directory Settings → Locked Users

Role	View Locked Users	Unlock
ROOT	✅	✅
SUPER_ADMIN	✅	✅
ADMIN	✅	✅
OPERATOR	✅	✅

Features & Configuration

Data Grid Columns

The data grid uses server-side pagination, filtering, and sorting.

Column	Description	Sortable
Username	The locked user’s login name	Yes
LDAP Profile	Source LDAP profile hostname (if locked via LDAP)	Yes
Entra ID	Source Entra ID profile name (if locked via Entra ID)	Yes
Num Attempts	Number of failed attempts that triggered the lock	Yes
Locked At	Timestamp when the lock was applied	Yes (default: descending)
Locked Until	Computed expiration time (Locked At + lock duration)	No
Action	Unlock button	—

Unlock Action

Steps:

Locate the locked user in the data grid.
Click the Unlock icon in the Action column.
Confirm the unlock in the dialog.

Result: The lock record is deleted and the user can authenticate immediately.

How Users Get Locked

User locking is triggered by the authentication system, not configured on this page. The locking behavior is defined on the directory profiles:

From LDAP Profiles

When Lock LDAP Users is enabled on an LDAP Profile:

User attempts authentication against the LDAP directory.
Each failed attempt increments the attempt counter.
When the counter reaches Max Failed Attempts, a lock record is created.
The lock lasts for Minutes Locked duration.

From Entra ID Profiles

When Enable User Locking is enabled on an Entra ID Profile:

Same behavior as LDAP — failed attempts are counted.
Lock is applied when the threshold is reached.

Lock Duration

Configuration Value	Behavior
-1	Locked permanently (requires manual unlock)
0	Locking effectively disabled
1–1440	Locked for the specified number of minutes

Common Use Cases

Unlocking a User After Password Confusion

Verify the user’s identity through an out-of-band channel.
Find the user in the Locked Users list.
Click Unlock.
Instruct the user to retry with the correct password.

Monitoring Brute-Force Attempts

Review the Locked Users list for unusual patterns.
Note the Num Attempts column — very high numbers may indicate brute-force attacks.
Check the source directory (LDAP Profile or Entra ID column).
Cross-reference with Authentication Logs and Blocked Attempts.

Adjusting Lock Thresholds

If users are being locked too frequently:

Navigate to the source LDAP Profile or Entra ID Profile.
Increase the Max Failed Attempts value.
Consider reducing the Minutes Locked duration.

Troubleshooting

Issue	Possible Cause	Resolution
User remains locked after unlock	Lock record may have been recreated by continued failed attempts	Verify the user is using the correct credentials
No users appear	No users have been locked, or locking is disabled	Verify that user locking is enabled on directory profiles
”Locked Until” shows past time but user still listed	Lock has expired but record not yet cleaned up	The system treats expired locks as unlocked; the record is informational
Cannot determine lock source	Both LDAP Profile and Entra ID columns empty	This should not occur; check database integrity

LDAP Profiles — Configure user locking thresholds for LDAP directories
Entra ID Profiles — Configure user locking for Entra ID directories
Authentication Logs — Review failed authentication attempts
Blocked Attempts — View attempts blocked by Mideye Shield