Restoring a local user account removes an administrative block after a temporary hold, an offboarding reversal, or a password lock that should no longer prevent sign-in. Unlocking the existing account cleanly is safer than replacing the password first because it preserves the current credential and targets the actual access block.
On shadow-managed Linux systems, password locking and account expiry are separate controls stored in /etc/shadow. passwd --unlock restores the previous password hash that was hidden by passwd --lock, while usermod --expiredate -1 clears an expiry date that would still block access even after the password becomes usable again.
These steps apply to local accounts that are managed on the host itself. Directory-backed identities such as LDAP, Active Directory, or SSSD users must be unlocked in the upstream identity service, and a pam_faillock tally still needs its own reset if repeated failed logins triggered the block.
Steps to unlock a local user account with passwd and usermod in Linux:
- Open a terminal on the Linux system with an account that can use sudo.
$ whoami
user
- Check whether the account password is currently locked.
$ sudo passwd --status audituser
audituser L 2026-04-14 0 99999 7 -1
Replace audituser with the actual login name. A locked password commonly appears as L or LK, while a usable password commonly appears as P or PS.
- Review the account ageing data to see whether an expiry date is still blocking access.
$ sudo chage --list --iso8601 audituser
Last password change : 2026-04-14
Password expires : never
Password inactive : never
Account expires : 1970-01-02
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
The important line here is Account expires. A past date means the account is still disabled even if the password itself becomes usable again.
- Unlock the stored password so password authentication can work again.
$ sudo passwd --unlock audituser
passwd: password changed.
passwd --unlock restores the password value that was active before passwd --lock added the leading ! in /etc/shadow.
If the account no longer has a reusable local password hash, set a new password instead of forcing an unlock on an empty password field.
- Remove the account expiration date so the account is no longer administratively disabled.
$ sudo usermod --expiredate -1 audituser
Passing -1 clears the expiration field and keeps the account available with no fixed expiry date.
- Verify that the password status now shows a usable password.
$ sudo passwd --status audituser
audituser P 2026-04-14 0 99999 7 -1
The important state change is the second field. A usable password shows as P or PS depending on the distribution.
- Verify that the account expiry is now cleared.
$ sudo chage --list --iso8601 audituser
Last password change : 2026-04-14
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Account expires : never confirms the administrative expiry block has been removed.
Unlocking the account does not repair shell restrictions, expired SSH keys, or upstream identity-service locks, so test the real login path separately if access is still denied.
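The two controls described above can also be read directly from the shadow entry. The following is an added example, not part of the original guide: a POSIX shell function that takes one /etc/shadow-format line and reports whether the password is locked, whether an unlock would leave no reusable hash, and whether the expiry field is in the past. The function name, the finding labels and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: report which local block a
# shadow(5)-format line carries. Usage: shadow_blocks 'LINE' [TODAY_IN_DAYS]
shadow_blocks() {
    today=${2:-$(( $(date +%s) / 86400 ))}   # days since 1970-01-01
    # Field 2 is the password hash, field 8 the account expiry (days since epoch).
    IFS=: read -r name hash _chg _min _max _warn _inact expire _rsv <<EOF
$1
EOF
    findings=
    rest=$hash
    case $hash in
        '!'*)
            findings="password-locked"
            # Strip every leading "!" to see what an unlock would leave behind.
            while :; do
                case $rest in '!'*) rest=${rest#?} ;; *) break ;; esac
            done ;;
    esac
    # Empty or "*" means there is no hash to restore: set a new password instead.
    case $rest in
        ''|'*') findings="$findings no-reusable-hash" ;;
    esac
    # Empty field 8 means never; otherwise expired once today >= field 8.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        findings="$findings account-expired"
    fi
    findings=${findings# }
    printf '%s: %s\n' "$name" "${findings:-no-local-block}"
}

# Constructed sample entries; the hashes are placeholders, not real crypt output.
SAMPLE_LOCKED_EXPIRED='audituser:!$6$constructedsalt$constructedhash:20557:0:99999:7::1:'
SAMPLE_NO_HASH='svcuser:!!:20557:0:99999:7:::'
SAMPLE_USABLE='audituser:$6$constructedsalt$constructedhash:20557:0:99999:7:::'

# 20600 is a fixed "today" so the sample run is reproducible.
for entry in "$SAMPLE_LOCKED_EXPIRED" "$SAMPLE_NO_HASH" "$SAMPLE_USABLE"; do
    shadow_blocks "$entry" 20600
done
```

On a live host the line can come from sudo getent shadow audituser. A result of no-local-block points toward the other causes noted above, such as a pam_faillock tally or an upstream identity-service lock.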
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
