Fix STATUS_ACCOUNT_DISABLED 0XC0000072 - Account Locked Out

Why You're Seeing Error 0XC0000072

You log in on a Windows 10 or 11 machine — maybe a domain-joined laptop or a local workstation — and instead of your desktop, you get a black screen with STATUS_ACCOUNT_DISABLED (0XC0000072). It's infuriating because there's no warning. This typically happens after an admin disables your account in Active Directory or via the Local Users and Groups snap-in. Common triggers: you left the company and were disabled, your account was flagged for inactivity, or an IT policy batch-disabled users during a cleanup. I've seen this bite people who were reactivated after a leave — the admin forgot to uncheck the disabled box.

The root cause is simple: the account object has a flag set to ACCOUNTDISABLE. Windows checks this flag during logon, and if it's set, it blocks you cold. No amount of password resets or reboots will fix it — you need to toggle that flag back to enabled.

Fix It in Four Steps

Pick the method that matches your situation. If you're on a domain, you need an admin to do this. If it's a local account, you can do it yourself if you have another admin account or safe mode.

Re-enable in Active Directory (Domain Users)
Have a domain admin open Active Directory Users and Computers (dsa.msc). Find your user object, right-click, select Properties. On the Account tab, uncheck Account is disabled. Click OK. That's it — try logging in again. If you can't reach an admin, escalate to IT.
Use Local Users and Groups (Local Accounts)
If you have another admin account on the same machine, log in with that. Press Win + R, type lusrmgr.msc, hit Enter. Find your disabled account under Users, double-click it, uncheck Account is disabled, click OK. No second admin? Skip to step 3.
Safe Mode with Command Prompt (No Admin Access)
This works even if you're locked out. Boot the machine and press F8 repeatedly before Windows loads (or hold Shift while clicking Restart in the login screen recovery menu). Choose Safe Mode with Command Prompt. At the prompt, type:
```
net user yourusername /active:yes
```
Replace yourusername with your actual account name. Press Enter. You'll see The command completed successfully. Reboot normally and log in. I've used this on dozens of machines running Windows 10 22H2 — it's reliable.
For Domain Accounts: Use PowerShell Remotely
If you have remote admin access to a domain controller, run PowerShell as admin and use:
```
Enable-ADAccount -Identity "DOMAIN\username"
```
This is faster than clicking through the GUI, especially if you have multiple disabled accounts.

What to Check If It Still Fails

If the error persists after re-enabling, here's the shortlist:

Check the account expiration date. In AD, go to the Account tab and make sure Account expires is set to Never. An expired account acts like a disabled one.
Verify the logon hours. Click Logon Hours in the same tab. If your current time is outside the allowed range, you'll get this error. Set them to All if needed.
Look for group policy conflicts. A GPO might be disabling accounts automatically after failed attempts. Run gpresult /h gp.html in an admin command prompt to review applied policies.
Test with a different account. If another user can log in on that machine, the issue is account-specific. If nobody can log in, the computer account itself might be disabled in AD — that's a different error code, though.

One last thing: if you're the admin who accidentally disabled your own account (yes, I've done it), use Safe Mode with the built-in Administrator account. Boot to safe mode, log in as Administrator with the default password (or your recent one), then re-enable your account. That built-in account is usually the only one that survives a self-inflicted disable.

This error is frustrating but trivial once you know the flag. You're not locked out forever — just until someone checks that box.