1

Following the Internets, I've been able to add the ability to reset user passwords (and mark accounts to "Require password change on next logon") from the Exchange 2013/2016 web ECP, but I'm wondering if there's also a way to unlock accounts from this same interface.

Frequently, user accounts are locked because they need their passwords reset.

Is this simply another canned RBAC role that I'm unaware of?

Novox

4 Answers

1

I'd comment but I don't have 50 rep.

Is there any reason you can't just unlock their accounts from AD Users and Computers?

Also, check the IIS logs to see what client is locking out the user. If the user has a device that actively syncs with the Exchange server and the user's password has changed, this might cause their account to be locked repeatedly. I had a similar issue with a QNAP NAS server and an iPad using QFile. Try getting the user to sign out/remove their account on any device they use for email.

As far as unlocking their account from the Exchange management console, no; as far as I am aware you can't unlock someone's account from the management console. You'll need to unlock it from AD Users and Computers.

McITGuy
  • My guess would be that ECP (in OP's particular situation) is accessible anywhere - without having to VPN into the network to access ADUC. So, arguably more efficient to just use ECP if it's available. – Semicolon Apr 17 '18 at 17:01
  • @Semicolon, my thoughts exactly. Of course I can, and do, unlock from ADUC, but ECP would be much more convenient, especially if I'm also using the "Reset Password" functionality. – Novox Apr 20 '18 at 14:21
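
As an added example (not part of the original answer or comments), the IIS log check suggested above can be scripted in PowerShell: the function groups failed ActiveSync logons (HTTP 401) by user, client IP and device, so the device that is still presenting an old password stands out. The function name `Get-FailedAuthSource` and the log lines are constructed for illustration, and the script assumes the site's W3C logging includes the fields shown in the `#Fields` header.

```powershell
# Constructed sample in IIS W3C format (not real data). On a server, pass the
# lines of the site's own log files instead, e.g. via Get-Content.
$sample = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2018-04-17 16:01:10 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=DEV0001&DeviceType=iPad&Cmd=Sync - 10.0.0.21 Apple-iPad 401 1 1326
2018-04-17 16:01:40 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=DEV0001&DeviceType=iPad&Cmd=Sync - 10.0.0.21 Apple-iPad 401 1 1326
2018-04-17 16:02:10 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=DEV0001&DeviceType=iPad&Cmd=Ping - 10.0.0.21 Apple-iPad 401 1 1909
2018-04-17 16:02:30 POST /Microsoft-Server-ActiveSync/default.eas User=asmith&DeviceId=DEV0002&DeviceType=Android&Cmd=Sync contoso\asmith 10.0.0.35 Android-Mail 200 0 0
2018-04-17 16:03:00 GET /owa/ - - 10.0.0.40 Mozilla/5.0 401 2 5
'@ -split '\r?\n'

# Hypothetical helper: summarise failed ActiveSync logons per user/IP/device.
function Get-FailedAuthSource {
    param([Parameter(Mandatory)][string[]]$Line)
    $fields = @()
    $hits = foreach ($l in $Line) {
        if ($l -like '#Fields:*') {   # header names the columns that follow
            $fields = ($l -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $v = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        # cs-username is usually "-" on a failed logon; the query string still names the user.
        $q = $row['cs-uri-query']
        $user = if ($q -match '(?:^|&)User=([^&]+)') { $Matches[1] } else { $row['cs-username'] }
        $dev  = if ($q -match '(?:^|&)DeviceId=([^&]+)') { $Matches[1] } else { '-' }
        [pscustomobject]@{
            Time = "$($row['date']) $($row['time'])"; User = $user; DeviceId = $dev
            ClientIP = $row['c-ip']; UserAgent = $row['cs(User-Agent)']
            Win32 = $row['sc-win32-status']
        }
    }
    # Windows error codes: 1326 = bad user name or password, 1909 = account locked out.
    $hits | Group-Object User, ClientIP, DeviceId, UserAgent | ForEach-Object {
        $g = $_.Group[0]
        [pscustomobject]@{
            User = $g.User; ClientIP = $g.ClientIP
            DeviceId = $g.DeviceId; UserAgent = $g.UserAgent
            Failures  = $_.Count
            LockedOut = [bool]($_.Group.Win32 -contains '1909')
            LastSeen  = ($_.Group | Select-Object -Last 1).Time   # log lines are chronological
        }
    } | Sort-Object Failures -Descending
}

Get-FailedAuthSource -Line $sample | Format-Table -AutoSize
```
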
0

From ECP no, however;

Maybe apply/modify GPO policies to prevent it happening in the first place?

https://technet.microsoft.com/en-us/library/dd277400.aspx

dqnet
0

AFAIK, no built-in feature in ECP supports unlocking AD accounts; however, we can use EMS as a workaround:

Get-ADUser AccountName | Unlock-ADAccount

Niko.Cheng
0

Is this simply another canned RBAC role that I'm unaware of?

No. While it seems logical to include a method for unlocking user accounts when providing an interface to reset passwords, this does not appear to be a function included with the Exchange Admin Center (ECP). Either it was intentionally omitted or was simply an oversight.

However, as an alternative (if the object is to ease administrative burden by providing a means of unlocking an account through a web browser without VPN connection), I would suggest installing, configuring, and publishing PowerShell Web Access. From its interface, you could easily connect to a domain controller and run the appropriate cmdlets to both reset the account's password and unlock the account.

Unfortunately, PSWA was released as a feature after I had left my last PCI-compliant shop, so I do not know if this would be something opposed by their standards. That being said, I have used it in the past and I did find it useful from time to time.

Follow-up links:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012
https://blogs.technet.microsoft.com/fromthefield/2015/02/18/powershell-web-access-a-walkthrough/

Semicolon