Unlocking user accounts

A user account can be locked for one of the following reasons:

The following text describes how you can provide users with means to unlock their accounts.

Password expired

When an account is locked due to password expiration, the particular user will be asked to change their password in order to unlock their account. You can find more information in the Password expiration topic.

Alternatively, you can extend the password’s validity.

Invalid logon attempts exceeded

When an account is locked due to exceeding the number of invalid logon attempts, the particular user will have to manually unlock their account. You can enable them to do that by directing them to the ~/CMSModules/Membership/CMSPages/UnlockUserAccount.aspx page.

Alternatively, you can create a custom page for unlocking accounts, on which you can place one of the following components:

  • Unlock user account web part - a web part you can use in the Portal engine development model.
  • UnlockUserAccount control - an alternative to the Unlock user account web part, which can be placed on an ASPX page. The control is located in ~/CMSModules/Membership/Controls/UnlockUserAccount.ascx.


You can then specify whether you want users to receive an e-mail notifying them that their account has been locked in the Send unlock account e‑mail setting in Settings -> Security & Membership -> Protection. The notification e‑mail uses the Membership - User account locked template. You can insert a link to the account unlock page with the {% UnlockAccountUrl %} macro.

Users can also be notified directly when logging in. To enable this option, set the Display account lock information message setting to true. However, enabling this feature is not recommended, since it can reveal to a potential attacker the fact, that they’ve managed to lock a user’s account.