Restoring a local Linux account after a temporary hold, offboarding reversal, or password lock should target the block that actually prevents sign-in. Clearing the password lock and account expiry preserves the existing UID, home directory, groups, and password hash instead of replacing the account or changing credentials before the lock state is known.
On shadow-managed Linux systems, password locking and account expiry are separate fields in the local shadow database. passwd restores the hidden password hash, while usermod clears an expiry date that would still block access even after password authentication becomes usable again.
Local passwd and usermod changes apply only to accounts managed on the host itself. Directory-backed identities such as LDAP, Active Directory, or SSSD users must be unlocked in the upstream identity service, and a pam_faillock tally still needs its own reset if repeated failed logins triggered the block.
Steps to unlock a local user account with passwd and usermod in Linux:
- Open a terminal on the Linux system with an account that can use sudo.
$ whoami
user
- Check whether the account password is currently locked.
$ sudo passwd --status audituser
audituser L 2026-04-14 0 99999 7 -1
Replace audituser with the actual login name. A locked password commonly appears as L or LK, while a usable password commonly appears as P or PS.
- Review the account ageing data to see whether an expiry date is still blocking access.
$ sudo chage --list --iso8601 audituser
Last password change : 2026-04-14
Password expires : never
Password inactive : never
Account expires : 1970-01-02
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
If Account expires shows a past date, the account is still disabled even if the password itself becomes usable again.
- Unlock the stored password so password authentication can work again.
$ sudo passwd --unlock audituser
passwd: password changed.
Use passwd --unlock only when the account still has a reusable local password hash. Set a new password if the password field is empty or no longer trusted.
Related: How to change a user password in Linux
- Remove the account expiration date so the account is no longer administratively disabled.
$ sudo usermod --expiredate -1 audituser
Passing -1 clears the expiration field and keeps the account available with no fixed expiry date.
- Verify that the password status now shows a usable password.
$ sudo passwd --status audituser
audituser P 2026-04-14 0 99999 7 -1
Look for P or PS in the second field after the username.
- Verify that the account expiry is now cleared.
$ sudo chage --list --iso8601 audituser
Last password change : 2026-04-14
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Account expires : never shows the administrative expiry block has been removed.
Unlocking the account does not repair shell restrictions, expired SSH keys, or upstream identity-service locks, so test the real login path separately if access is still denied.
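The two checks from the steps above can be combined into one read-only diagnosis that reports which fix applies before anything is changed. This is an added example, not part of the original guide; the function names and sample data are constructed for illustration, and the NP flag for an empty password field is not shown in the steps but is reported by passwd on shadow-based systems.

```shell
#!/bin/sh
# Added example: classify the block from passwd/chage output without changing the account.
# Real use: diagnose "$(sudo passwd --status USER)" "$(sudo chage --list --iso8601 USER)" "$(date +%F)"

# password_state "<passwd --status line>" -> locked | usable | nopassword | unknown
password_state() {
    flag=$(printf '%s\n' "$1" | awk '{print $2}')   # second field is the status flag
    case "$flag" in
        L|LK) echo locked ;;
        P|PS) echo usable ;;
        NP)   echo nopassword ;;
        *)    echo unknown ;;
    esac
}

# account_expiry "<chage --list --iso8601 output>" -> never | YYYY-MM-DD
account_expiry() {
    printf '%s\n' "$1" | awk '/^Account expires/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# is_expired <expiry> <today YYYY-MM-DD> -> exit 0 when the expiry date is today or earlier
is_expired() {
    [ "$1" = never ] && return 1
    [ "$(echo "$1" | tr -d '-')" -le "$(echo "$2" | tr -d '-')" ]
}

# diagnose <status line> <chage output> <today> -> the remediation(s) still needed
diagnose() {
    out=""
    case "$(password_state "$1")" in
        locked)     out="passwd --unlock" ;;
        nopassword) out="set a new password" ;;
    esac
    exp=$(account_expiry "$2")
    if is_expired "$exp" "$3"; then
        out="${out:+$out; }usermod --expiredate -1"
    fi
    echo "${out:-no local block found}"
}

# Sample data, constructed to match the output format shown in the steps above.
STATUS_LOCKED='audituser L 2026-04-14 0 99999 7 -1'
CHAGE_EXPIRED='Last password change : 2026-04-14
Password expires : never
Account expires : 1970-01-02'

diagnose "$STATUS_LOCKED" "$CHAGE_EXPIRED" 2026-04-14
```

A result of "no local block found" points to the causes outside this procedure: shell restrictions, SSH keys, a pam_faillock tally, or an upstream identity-service lock.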
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.