Locked users

Self-managed users

Configurable locked user policy introduced in GitLab 16.5.

By default, users are locked after 10 failed sign-in attempts. These users remain locked:

  • For 10 minutes, after which time they are automatically unlocked.
  • Until an administrator unlocks them from the Admin Area or the command line in under 10 minutes.

In GitLab 16.5 and later, administrators can use the API to configure:

  • The number of failed sign-in attempts that locks a user (max_login_attempts).
  • The time period in minutes that the locked user is locked for, after the maximum number of failed sign-in attempts is reached (failed_login_attempts_unlock_period_in_minutes).

For example, an administrator can configure that five failed sign-in attempts locks a user, and that user will be locked for 60 minutes, with the following API call:

    curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/application/settings?max_login_attempts=5&failed_login_attempts_unlock_period_in_minutes=60"

GitLab.com users

If 2FA is not enabled, users are locked after three failed sign-in attempts within 24 hours. These users remain locked until:

  • Their next successful sign-in, at which point they are sent an email with a six-digit unlock code and redirected to a verification page where they can unlock their account by entering the code.
  • GitLab Support manually unlocks the account after account ownership is verified.

If 2FA is enabled, users are locked after three failed sign-in attempts. Accounts are unlocked automatically after 30 minutes.
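The policies above (the self-managed defaults and API-configured values, and the two GitLab.com variants) differ in three parameters: the failure threshold, whether failures are counted inside a time window, and whether the lock expires on its own. The following model is an added example, not GitLab code; time is in whole minutes so it runs offline, and it assumes (the page does not say) that a successful sign-in on an unlocked account clears the failure counter.

```python
"""Model of the sign-in lockout policies described on this page (added example, not GitLab code).
Assumption not stated on the page: a successful sign-in on an unlocked account clears failures."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int             # failed attempts that lock the account
    unlock_after: Optional[int]   # minutes until automatic unlock; None = manual unlock only
    window: Optional[int] = None  # minutes over which failures are counted; None = no window


SELF_MANAGED_DEFAULT = LockoutPolicy(max_attempts=10, unlock_after=10)
SELF_MANAGED_EXAMPLE = LockoutPolicy(max_attempts=5, unlock_after=60)  # the page's API call
GITLAB_COM_NO_2FA = LockoutPolicy(max_attempts=3, unlock_after=None, window=24 * 60)
GITLAB_COM_2FA = LockoutPolicy(max_attempts=3, unlock_after=30)


@dataclass
class Account:
    policy: LockoutPolicy
    failures: list[int] = field(default_factory=list)  # minutes at which sign-ins failed
    locked_at: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        p = self.policy
        if p.unlock_after is not None and now - self.locked_at >= p.unlock_after:
            self.unlock()  # lock period has elapsed: automatic unlock
            return False
        return True

    def unlock(self) -> None:
        """Manual unlock: Admin Area, unlock_access!, or the GitLab.com verification code."""
        self.locked_at = None
        self.failures.clear()

    def failed_sign_in(self, now: int) -> str:
        if self.is_locked(now):
            return "locked"  # attempts against a locked account are not counted
        self.failures.append(now)
        if self.policy.window is not None:  # keep only failures inside the counting window
            self.failures = [t for t in self.failures if now - t < self.policy.window]
        if len(self.failures) >= self.policy.max_attempts:
            self.locked_at = now
            return "locked"
        return "failed"

    def successful_sign_in(self, now: int) -> str:
        if self.is_locked(now):
            return "locked"
        self.failures.clear()
        return "ok"
```

Note the window edge: on GitLab.com without 2FA, a failure that is exactly 24 hours old no longer counts, so the third attempt at that moment does not lock the account, while the lock itself never expires without the verification step.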

Unlock a user from the Admin Area

  1. On the left sidebar, at the bottom, select Admin Area.
  2. Select Overview > Users.
  3. Use the search bar to find the locked user.
  4. From the User administration dropdown list, select Unlock.

Unlock a user from the command line

To unlock a locked user:

  1. SSH into your GitLab server.
  2. Start a Ruby on Rails console:

    ## For Omnibus GitLab
    sudo gitlab-rails console -e production
    
    ## For installations from source
    sudo -u git -H bundle exec rails console -e production
    
  3. Find the user to unlock. You can search by email:

    user = User.find_by(email: 'admin@local.host')
    

    Or you can search by ID:

    user = User.where(id: 1).first
    
  4. Unlock the user:

    user.unlock_access!
    
  5. Exit the console with Control+d.

The user should now be able to sign in.