What does "Unlocking" an AD account that is not locked do?

You can usually tell when an AD account is locked, as it will tell you alongside the check-box to "Unlock" said account.

Although, I wanted to know if there is any reason I would check this box off when the account is not locked? If so, what does "Unlocking" this account do?


Solution 1:

On down-level DCs (2000 and 2003) the "Unlock account" checkbox used to be disabled if the account was not locked out, since if the account is not locked out there would be no reason to select that checkbox.

But in Longhorn, RODCs were introduced, so now the "Unlock account" checkbox is always enabled regardless of whether the account is actually locked or not. (Unless the user who is viewing the dialog box doesn't have permissions to write to the lockoutTime attribute of the account. Then the checkbox would be disabled.)

[More Info]

Resetting lockoutTime to 0 unlocks an account. All the checkbox really does is write to an attribute on the user account.

Setting lockoutTime to 0 in turn triggers urgent replication and resets badPwdCount to 0 as well.

If the user's lockoutTime is already 0, then setting it to 0 will reset badPwdCount to 0 and if badPwdCount was already 0 then it has no effect.
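The following script is an added example, not part of the answer above, showing the attribute write the checkbox performs and how to verify its effect. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller has write access to lockoutTime, and that `jdoe` is a placeholder account name. Because badPwdCount is a non-replicated attribute (each DC keeps its own count), the script reads the values from every DC so you can see the per-DC state before and after the write.

```powershell
# Added example (not from the original answer). Assumes the ActiveDirectory
# module is available and the caller may write lockoutTime. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-LockoutState {
    # Read the lockout-related attributes of one account from one DC.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server
    )
    $params = @{
        Identity   = $SamAccountName
        Properties = 'lockoutTime', 'badPwdCount', 'LockedOut'
    }
    if ($Server) { $params.Server = $Server }
    $u = Get-ADUser @params
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Server         = $Server
        LockedOut      = $u.LockedOut
        lockoutTime    = $u.lockoutTime   # raw FILETIME; 0 or empty means not locked
        badPwdCount    = $u.badPwdCount   # not replicated: can differ per DC
    }
}

function Clear-LockoutTime {
    # What ticking "Unlock account" does: write lockoutTime = 0 on the account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Replace @{ lockoutTime = 0 }
}

# Snapshot the account on every DC, write lockoutTime = 0, then snapshot again.
$dcs = (Get-ADDomainController -Filter *).HostName

$before = foreach ($dc in $dcs) { Get-LockoutState -SamAccountName 'jdoe' -Server $dc }
"Before:"; $before | Format-Table -AutoSize

Clear-LockoutTime -SamAccountName 'jdoe'

$after = foreach ($dc in $dcs) { Get-LockoutState -SamAccountName 'jdoe' -Server $dc }
"After:"; $after | Format-Table -AutoSize
```

In day-to-day administration `Unlock-ADAccount -Identity jdoe` is the supported way to do the same thing; the `Set-ADUser -Replace` call is used here only to make the underlying attribute write visible. If the account was not locked, the "After" table should show lockoutTime unchanged at 0 and badPwdCount at 0 on each DC, which is the no-op case the answer describes.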