diff --git a/migrations/20200214051201-domains-drop-locked.js b/migrations/20200214051201-domains-drop-locked.js
new file mode 100644
index 000000000..115e50217
--- /dev/null
+++ b/migrations/20200214051201-domains-drop-locked.js
@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE domains DROP COLUMN locked', function (error) {
+        if (error) return callback(error);
+
+        callback();
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE domains ADD COLUMN locked BOOLEAN DEFAULT 0', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
diff --git a/migrations/schema.sql b/migrations/schema.sql
index f3a2ab035..f209c4ee1 100644
--- a/migrations/schema.sql
+++ b/migrations/schema.sql
@@ -142,7 +142,6 @@ CREATE TABLE IF NOT EXISTS domains(
     provider VARCHAR(16) NOT NULL,
     configJson TEXT, /* JSON containing the dns backend provider config */
     tlsConfigJson TEXT, /* JSON containing the tls provider config */
-    locked BOOLEAN,
 
     PRIMARY KEY (domain))
 
diff --git a/src/domaindb.js b/src/domaindb.js
index f19e69e96..3221f11ee 100644
--- a/src/domaindb.js
+++ b/src/domaindb.js
@@ -16,7 +16,7 @@ var assert = require('assert'),
     database = require('./database.js'),
     safe = require('safetydance');
 
-var DOMAINS_FIELDS = [ 'domain', 'zoneName', 'provider', 'configJson', 'tlsConfigJson', 'locked' ].join(',');
+var DOMAINS_FIELDS = [ 'domain', 'zoneName', 'provider', 'configJson', 'tlsConfigJson' ].join(',');
 
 function postProcess(data) {
     data.config = safe.JSON.parse(data.configJson);
@@ -24,8 +24,6 @@ function postProcess(data) {
     delete data.configJson;
     delete data.tlsConfigJson;
 
-    data.locked = !!data.locked; // make it bool
-
     return data;
 }
 
diff --git a/src/domains.js b/src/domains.js
index f047373b1..5a31be361 100644
--- a/src/domains.js
+++ b/src/domains.js
@@ -441,13 +441,13 @@ function waitForDnsRecord(location, domain, type, value, options, callback) {
 
 // removes all fields that are strictly private and should never be returned by API calls
 function removePrivateFields(domain) {
-    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate', 'locked');
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate');
     return api(result.provider).removePrivateFields(result);
 }
 
 // removes all fields that are not accessible by a normal user
 function removeRestrictedFields(domain) {
-    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'locked');
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider');
 
     // always ensure config object
     result.config = { hyphenatedSubdomains: !!domain.config.hyphenatedSubdomains };
diff --git a/src/routes/domains.js b/src/routes/domains.js
index 4e63455f2..58413dd95 100644
--- a/src/routes/domains.js
+++ b/src/routes/domains.js
@@ -8,8 +8,6 @@ exports = module.exports = {
     del: del,
 
     checkDnsRecords: checkDnsRecords,
-
-    verifyDomainLock: verifyDomainLock
 };
 
 var assert = require('assert'),
@@ -19,18 +17,6 @@ var assert = require('assert'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess;
 
-function verifyDomainLock(req, res, next) {
-    assert.strictEqual(typeof req.params.domain, 'string');
-
-    domains.get(req.params.domain, function (error, domain) {
-        if (error) return next(BoxError.toHttpError(error));
-
-        if (domain.locked) return next(new HttpError(423, 'This domain is locked'));
-
-        next();
-    });
-}
-
 function add(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 
@@ -159,4 +145,4 @@ function checkDnsRecords(req, res, next) {
 
         next(new HttpSuccess(200, { needsOverwrite: result.needsOverwrite }));
     });
-}
\ No newline at end of file
+}
diff --git a/src/routes/test/domains-test.js b/src/routes/test/domains-test.js
index 2f36a2bea..5f850a72a 100644
--- a/src/routes/test/domains-test.js
+++ b/src/routes/test/domains-test.js
@@ -213,49 +213,6 @@ describe('Domains API', function () {
         });
     });
 
-    describe('locked', function () {
-        before(function (done) {
-            domaindb.update(DOMAIN_0.domain, { locked: true }, done);
-        });
-
-        after(function (done) {
-            domaindb.update(DOMAIN_0.domain, { locked: false }, done);
-        });
-
-        it('can list the domains', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/domains')
-                .query({ access_token: token })
-                .end(function (error, result) {
-                    expect(result.statusCode).to.equal(200);
-                    expect(result.body.domains).to.be.an(Array);
-                    expect(result.body.domains.length).to.equal(2);
-
-                    expect(result.body.domains[0].domain).to.equal(DOMAIN_0.domain);
-                    expect(result.body.domains[1].domain).to.equal(DOMAIN_1.domain);
-
-                    done();
-                });
-        });
-
-        it('cannot get locked domain', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
-                .query({ access_token: token })
-                .end(function (error, result) {
-                    expect(result.statusCode).to.equal(423);
-                    done();
-                });
-        });
-
-        it('cannot delete locked domain', function (done) {
-            superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
-                .query({ access_token: token })
-                .end(function (error, result) {
-                    expect(result.statusCode).to.equal(423);
-                    done();
-                });
-        });
-    });
-
     describe('delete', function () {
         it('fails for non-existing domain', function (done) {
             superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain + DOMAIN_0.domain)
diff --git a/src/server.js b/src/server.js
index db276f526..b30cb8e3c 100644
--- a/src/server.js
+++ b/src/server.js
@@ -82,8 +82,6 @@ function initializeExpressSync() {
     const authorizeAdmin = routes.accesscontrol.authorize(accesscontrol.ROLE_ADMIN);
     const authorizeUser = routes.accesscontrol.authorize(accesscontrol.ROLE_USER);
 
-    const verifyDomainLock = routes.domains.verifyDomainLock;
-
     // public routes
     router.post('/api/v1/cloudron/setup', routes.provision.providerTokenAuth, routes.provision.setup);    // only available until no-domain
     router.post('/api/v1/cloudron/restore', routes.provision.restore);    // only available until activated
@@ -272,9 +270,9 @@ function initializeExpressSync() {
     // domain routes
     router.post('/api/v1/domains', token, authorizeAdmin, routes.domains.add);
     router.get ('/api/v1/domains', token, authorizeUser, routes.domains.getAll);
-    router.get ('/api/v1/domains/:domain', token, authorizeAdmin, verifyDomainLock, routes.domains.get);  // this is manage scope because it returns non-restricted fields
-    router.put ('/api/v1/domains/:domain', token, authorizeAdmin, verifyDomainLock, routes.domains.update);
-    router.del ('/api/v1/domains/:domain', token, authorizeAdmin, verifyDomainLock, routes.domains.del);
+    router.get ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.get);  // this is manage scope because it returns non-restricted fields
+    router.put ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.update);
+    router.del ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.del);
     router.get ('/api/v1/domains/:domain/dns_check', token, authorizeAdmin, routes.domains.checkDnsRecords);
 
     // addon routes