When configuration on DLP Enforce is with AD-controlled users, all the password control options are from AD (no password resets in Enforce as it is synced with AD and passwords set in AD).

Is there an option to unlock users in Enforce console that were locked out of Enforce console login?

Release : 15.8.x

Option: Account Disabled is selected detail below from 15.8 Help Center guide page 361:

Instructions: Select this option to lock the user out of the Enforce Server administration console. This option disables access for the user account regardless of which authentication mechanism you use. For security, after a certain number of consecutive failed logon attempts, the system automatically disables the account and locks out the user. In this case the Account Disabled option is checked. To reinstate the user account and allow the user to log on to the system, clear this option by unchecking it.

To unlock user account that is locked using following option in DLP Enforce console:

1) Login to Enforce Web Console as Administrator (or admin user).

2) Navigate to System>Login Management>DLP Users.

3) Select Users account you want to unlock.

4) Uncheck box for "Account Disabled"

5) Save.

15.8 Help Center Guide:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/pdf/symantec-security-software/information-security/data-loss-prevention/Symantec-Data-Loss-Prevention-Help-Center_15.8.pdf