When configuration on DLP Enforce is with AD-controlled users, all the password control options are from AD (no password resets in Enforce as it is synced with AD and passwords set in AD).

Is there an option to unlock users in Enforce console that were locked out of Enforce console login?

To unlock user account that is locked using following option in DLP Enforce console:

1.  Login to Enforce Web Console as Administrator (or admin user).
2.  Navigate to System>Login Management>DLP Users.
3.  Select the Users account you want to unlock.
4.  Uncheck the box for "Account Disabled"
5.  Click Save.

This is also documented in our Tech Doc:
Configuring user accounts

Account Disabled:

Select this option to lock the user out of the Enforce Server administration console. This option disables access for the user account regardless of which authentication mechanism you use.
For security, after a certain number of consecutive failed logon attempts, the system automatically disables the account and locks out the user. In this case the Account Disabled option is checked. To reinstate the user account and allow the user to log on to the system, clear this option by unchecking it.