How to unlock a user account in Linux

Restoring a local user account removes an administrative block after a temporary hold, an offboarding reversal, or a password lock that should no longer prevent sign-in. Unlocking the existing account cleanly is safer than replacing the password first because it preserves the current credential and targets the actual access block.

On shadow-managed Linux systems, password locking and account expiry are separate controls stored in /etc/shadow. passwd --unlock restores the previous password hash that was hidden by passwd --lock, while usermod --expiredate -1 clears an expiry date that would still block access even after the password becomes usable again.

These steps apply to local accounts that are managed on the host itself. Directory-backed identities such as LDAP, Active Directory, or SSSD users must be unlocked in the upstream identity service, and a pam_faillock tally still needs its own reset if repeated failed logins triggered the block.

Steps to unlock a local user account with passwd and usermod in Linux:

  1. Open a terminal on the Linux system with an account that can use sudo.
    $ whoami
    user
  2. Check whether the account password is currently locked.
    $ sudo passwd --status audituser
    audituser L 2026-04-14 0 99999 7 -1

    Replace audituser with the actual login name. A locked password commonly appears as L or LK, while a usable password commonly appears as P or PS.

  3. Review the account ageing data to see whether an expiry date is still blocking access.
    $ sudo chage --list --iso8601 audituser
    Last password change					: 2026-04-14
    Password expires					: never
    Password inactive					: never
    Account expires						: 1970-01-02
    Minimum number of days between password change		: 0
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires	: 7

    The important line here is Account expires. A past date means the account is still disabled even if the password itself becomes usable again.

  4. Unlock the stored password so password authentication can work again.
    $ sudo passwd --unlock audituser
    passwd: password changed.

    passwd --unlock restores the password value that was active before passwd --lock added the leading ! in /etc/shadow.

    If the account no longer has a reusable local password hash, set a new password instead of forcing an unlock on an empty password field.

  5. Remove the account expiration date so the account is no longer administratively disabled.
    $ sudo usermod --expiredate -1 audituser

    Passing -1 clears the expiration field and keeps the account available with no fixed expiry date.

  6. Verify that the password status now shows a usable password.
    $ sudo passwd --status audituser
    audituser P 2026-04-14 0 99999 7 -1

    The important state change is the second field. A usable password shows as P or PS depending on the distribution.

  7. Verify that the account expiry is now cleared.
    $ sudo chage --list --iso8601 audituser
    Last password change					: 2026-04-14
    Password expires					: never
    Password inactive					: never
    Account expires						: never
    Minimum number of days between password change		: 0
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires	: 7

    Account expires : never confirms the administrative expiry block has been removed.

    Unlocking the account does not repair shell restrictions, expired SSH keys, or upstream identity-service locks, so test the real login path separately if access is still denied.
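
The separation between the password lock and the account expiry can be checked from the /etc/shadow fields themselves. The following is an added example, not part of the original procedure: a shell function that reads one shadow-format line and reports which block still applies. The function name, finding labels and sample entries are constructed for illustration, and stripping every leading ! is an assumption about how the lock marker was written.

```shell
#!/bin/sh
# Added example (not from the original page): explain, from one /etc/shadow
# line, which of the two independent blocks described above is in effect.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# shadow_blocks LINE [TODAY] -> prints findings, space separated, or "none".
# TODAY is days since 1970-01-01; defaults to the current date.
shadow_blocks() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    found=""

    case $hash in
        '!'*)
            found="password-locked"
            # Assumption: drop every leading '!' to see what an unlock would restore.
            rest=$hash
            while :; do case $rest in '!'*) rest=${rest#?} ;; *) break ;; esac; done
            # Nothing (or only '*') left means there is no hash to reuse.
            case $rest in ''|'*') found="$found no-reusable-hash" ;; esac
            ;;
    esac

    # shadow(5) calls expire=0 ambiguous, so only positive values are judged here.
    case $expire in
        ''|*[!0-9]*) ;;   # empty (no expiry) or non-numeric
        *)  if [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
                found="${found:+$found }account-expired"
            fi ;;
    esac

    printf '%s\n' "${found:-none}"
}

# Constructed sample entries; the hash text is a placeholder, not a real hash.
LOCKED_AND_EXPIRED='audituser:!$6$SALT$PLACEHOLDERHASH:20557:0:99999:7::1:'
UNLOCKED_STILL_EXPIRED='audituser:$6$SALT$PLACEHOLDERHASH:20557:0:99999:7::1:'
LOCKED_NO_HASH='svcuser:!:20557:0:99999:7:::'
USABLE='audituser:$6$SALT$PLACEHOLDERHASH:20557:0:99999:7:::'

for entry in "$LOCKED_AND_EXPIRED" "$UNLOCKED_STILL_EXPIRED" "$LOCKED_NO_HASH" "$USABLE"; do
    printf '%s -> %s\n' "${entry%%:*}" "$(shadow_blocks "$entry" 20557)"
done
```

On a real host the input line would come from sudo getent shadow audituser; the second sample shows the state after step 4 alone, where the password is usable but the expiry still blocks sign-in.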