Unlocking user accounts

A user account can be locked for one of the following reasons:

The following text describes how you can give users the means to unlock their accounts.

Password expired

When an account is locked due to password expiration, the system asks the user to change their password in order to unlock the account. You can find more information in Password expiration.

Alternatively, administrators can extend the password’s validity.

Invalid sign-in attempts exceeded

When an account is locked due to an exceeded number of invalid sign-in attempts, administrators can reset the invalid sign-in attempt counter manually:

  1. Open the Users application.
  2. Edit the given user.
  3. Click Reset next to the Invalid sign-in attempts field.

To allow users to unlock their own accounts, you need to use unlock emails. You can set up the following options in Settings -> Security & Membership -> Protection:

  • Automatic email notification when the sign-in attempt limit is exceeded – enable the Send unlock account email setting.

  • Messages that inform about locked accounts during sign-in and allow users to request an unlock email – enable the Display account lock information message setting.

    Note: Displaying account lock information on sign-in is not recommended, because it can inform potential attackers that a user account with a given username exists and is locked.

The content of the emails is based on the Membership - User account locked email template. The template must contain a link to an account unlock page – to generate a valid URL of the unlock page for the email’s recipient, use the {% UnlockAccountUrl %} macro.

By default, the unlock link targets the ~/CMSModules/Membership/CMSPages/UnlockUserAccount.aspx system page. If you wish to adjust the design or content of the account unlock page for your website, you can create a custom one:

  1. Create a page containing one of the following components:
    • Unlock user account web part (for portal engine pages)
    • The UnlockUserAccount control for custom web form pages or ASPX page templates (the control is located in ~/CMSModules/Membership/Controls/UnlockUserAccount.ascx)
  2. Open the Settings application.
  3. Select the Security & Membership -> Protection category.
  4. Enter the path of your custom unlock page into the Unlock user account path setting.
  5. Click Save.

The account unlock links generated in the emails (by the {% UnlockAccountUrl %} macro) now target your custom page.