Missing Unlock User Event in Okta after Auto-Unlock
Overview

This article explains why a user might fail to log into Okta with the following error in the Okta System Log, but then can sign back in later with no apparent "Unlock" event:

LOCKED_OUT

Applies To
  • Directories
  • Active Directory
  • Okta Classic Engine
  • Missing unlock event in Okta System Logs.
  • Users locked out after too many failed authentication attempts are automatically unlocked, and Okta does not log the unlock event.
Cause

Because delegated authentication is used, an Active Directory Domain Controller performs the login. The lockout state lives in Active Directory and does not propagate to the Okta user profile; Okta only sees LOCKED_OUT as the response to an active authentication attempt against AD. If an Active Directory domain policy auto-unlocks the account, the unlock happens entirely in AD and nothing is logged in Okta.

NOTE: Okta logs will not show lockout events for users locked out in AD if the authentication attempt did not go through Okta.
Confirm whether there is an auto-unlock policy in Active Directory.
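One way to find the users who show this pattern before checking the domain policy: scan exported System Log records for a LOCKED_OUT failure that is followed by a successful sign-in with no user.account.unlock event in between. This is an added example, not code from the article or from Okta; the records are constructed to match the fields the check reads, and the reason string follows the article.

```python
from collections import defaultdict
from datetime import datetime


def ev(ts, user, event_type, result, reason=None):
    """Build a minimal System Log record with only the fields this check reads (constructed)."""
    return {"published": ts, "actor": {"alternateId": user},
            "eventType": event_type, "outcome": {"result": result, "reason": reason}}


# Constructed sample records, not data from a real tenant.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "alice@example.com", "user.authentication.auth_via_AD_agent", "FAILURE", "LOCKED_OUT"),
    ev("2024-05-01T10:45:00Z", "alice@example.com", "user.authentication.auth_via_AD_agent", "SUCCESS"),
    ev("2024-05-01T09:00:00Z", "bob@example.com", "user.authentication.auth_via_AD_agent", "FAILURE", "LOCKED_OUT"),
    ev("2024-05-01T09:10:00Z", "bob@example.com", "user.account.unlock", "SUCCESS"),
    ev("2024-05-01T09:15:00Z", "bob@example.com", "user.authentication.auth_via_AD_agent", "SUCCESS"),
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_silent_unlocks(events):
    """Return {login: (lockout_time, success_time)} for users who failed with
    LOCKED_OUT and later signed in with no user.account.unlock event between
    the two: the trace left when AD auto-unlocks the account outside Okta."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["actor"]["alternateId"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["published"]))
        locked_at = None
        for e in evs:
            et, outcome = e["eventType"], e.get("outcome") or {}
            if outcome.get("result") == "FAILURE" and outcome.get("reason") == "LOCKED_OUT":
                locked_at = e["published"]
            elif et == "user.account.unlock":
                locked_at = None  # Okta logged the unlock, so nothing is missing here
            elif locked_at and et.startswith("user.authentication") and outcome.get("result") == "SUCCESS":
                findings[user] = (locked_at, e["published"])
                locked_at = None
    return findings


if __name__ == "__main__":
    for user, (locked, ok) in find_silent_unlocks(SAMPLE_EVENTS).items():
        print(f"{user}: LOCKED_OUT at {locked}, signed in at {ok}, no unlock event logged")
```

Users it reports are the ones whose AD lockout duration is worth checking; a user with an explicit user.account.unlock event, like bob in the sample, is not flagged.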

Solution
To check the Account lockout duration in Active Directory, open the Group Policy Management Console and check the Default Domain Policy (or whichever policy takes precedence) under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. A non-zero value means AD unlocks the account automatically after that many minutes; a value of 0 means the account stays locked until an administrator unlocks it.
