Locked users

Tier: Free, Premium, Ultimate
Offering: Self-managed, GitLab Dedicated

Self-managed users

History

By default, users are locked after 10 failed sign-in attempts. These users remain locked:

For 10 minutes, after which time they are automatically unlocked.
Until an administrator unlocks them from the Admin area or the command line in under 10 minutes.

In GitLab 16.5 and later, administrators can use the API to configure:

The number of failed sign-in attempts that locks a user (max_login_attempts).
The time period in minutes that the locked user is locked for, after the maximum number of failed sign-in attempts is reached (failed_login_attempts_unlock_period_in_minutes).

For example, an administrator can configure that five failed sign-in attempts locks a user, and that user will be locked for 60 minutes, with the following API call:

curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/application/settings?max_login_attempts=5&failed_login_attempts_unlock_period_in_minutes=60"

GitLab.com users

If 2FA is not enabled users are locked after three failed sign-in attempts within 24 hours. These users remain locked until:

Their next successful sign-in, at which point they are sent an email with a six-digit unlock code and redirected to a verification page where they can unlock their account by entering the code.
GitLab Support manually unlock the account after account ownership is verified.

If 2FA is enabled, users are locked after three failed sign-in attempts. Accounts are unlocked automatically after 30 minutes.

Unlock a user from the Admin area

On the left sidebar, at the bottom, select Admin.
Select Overview > Users.
Use the search bar to find the locked user.
From the User administration dropdown list, select Unlock.

Unlock a user from the command line

To unlock a locked user:

SSH into your GitLab server.

Start a Ruby on Rails console:

## For Omnibus GitLab
sudo gitlab-rails console -e production

## For installations from source
sudo -u git -H bundle exec rails console -e production

Find the user to unlock. You can search by email:

user = User.find_by(email: 'admin@local.host')

Or you can search by ID:

user = User.where(id: 1).first

Unlock the user:
```
user.unlock_access!
```
Exit the console with Control+d.

The user should now be able to sign in.

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support