Description
If you have the option "Enable password expiry" under "Authentication-Passwords-User Password Change Policy" enabled, then a user will be locked out after password remains unchanged for more than the configured "Maximum password age".
Problem:
When an administrator unlocks a "locked out" user without changing the user's password, the user will be locked out again during the next password expiration check, which runs every 24 hours.
Solution
To avoid this problem, either
1.Disable "Enable password expiry" under "Authentication-Passwords-User Password Change Policy" .
or
2. Be sure to change a user's password after unlocking the user.
See "Configuring password recovery options" in the FortiAuthenticator Administration Guide.