Enable manual account unlock using administrative account

On the Admin Portal > Domains > Advanced page, you can configure Privileged Access Service to manually unlock account passwords for domain accounts and local accounts on domain-joined Windows systems using the domain administrative account. This requires users to have the Unlock Account permission set at the domain level. Under Enable Manual Account Unlock you can enable the following:

  • Domain Accounts

    Enables users with the proper permissions to use the domain administrative account to manually unlock managed domain account passwords stored in Privileged Access Service.

  • Local Accounts

    Enables users with the proper permissions to use the domain administrative account to manually unlock passwords for managed local accounts on domain-joined Windows systems stored in Privileged Access Service. For information on setting up local system account password reconciliation, see Configuring Windows local account password reconciliation. Make sure the corresponding local account setting is also enabled in Systems > Advanced > Local Account Manual Unlock (see Setting system‑specific advanced options).

Before enabling this policy you need to:

Note: If an account that is set as the Privileged Access Service administrative account for the domain is locked, that account cannot be unlocked. An administrative account cannot unlock itself. For instance, if maria.garcia@cpubs.net is locked, the administrative account assigned to cpubs.net is used to unlock the account. However, if maria.garcia@cpubs.net is set to be the administrative account, the account cannot be unlocked.