Automated Active Directory Credential Unlock/Reset

Posted on 2010-01-08
Last Modified: 2012-06-27
We have over 150 restaurant locations, +100 field users and +100 Corporate Office users in our company that have domain user accounts. We constantly have issues with users being locked out of their account due to excessive incorrect logins. One reason being that there is such a high turnover rate in staff at the restaurants and the other is some of these people aren't the brightest people out there. We don't really have the option of using the auto unlock feature after a set time due to security standards that must be met. It would be great if there was some automated way we could have an automated unlock request form on our website that would reset their domain password after answering a series of security questions or other security check points. I am aware that there are probably several third party solutions that are available to achieve this task. The biggest challenge faced is the same as all other companies, budget constraints. If anyone knows of any way to achieve this with either low/no additional software purchasing, I would greatly appreciate it. I don't really mind spending a lot of labor hours in the beginning to set this up if it will be pretty automated down the road.
Question by: rza123
    LVL 5

    Accepted Solution

    This trouble can be easily addressed by writing an ASP.NET page which will do the task.

    In ASP.NET code, using the System.DirectoryServices namespace, you can easily write code that will unlock a user, provided the exact user name and domain name are available.

    Following is the C# function that will do the task.

    In the arguments, the values should be supplied as follows:

    path: Fully Qualified LDAP path to the user which you want to unlock
    loginname: User name with which you want to login to server to unlock above mentioned user (in path).
    loginpassword: Password for above User.

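    using System;
    using System.DirectoryServices;

    public bool UnlockUser(string path, string loginUserName, string loginPassword)
    {
        bool isPasswordSet = false;
        try
        {
            // Bind to the locked user object as the supplied account
            DirectoryEntry thisUser = new DirectoryEntry(path, loginUserName, loginPassword);
            thisUser.Properties["LockOutTime"].Value = 0x0000; // 0 clears the lockout
            thisUser.CommitChanges(); // write the change back to the directory
            isPasswordSet = true;
        }
        catch (Exception)
        {
            // Bind or write failed: isPasswordSet stays false
        }
        return isPasswordSet;
    }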
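A check that could sit in front of UnlockUser in the web form the question describes, as an added example that is not part of the original answers: it validates the account name, throttles wrong security answers so the form does not become an unlimited guessing channel around the lockout policy, and compares only salted hashes of the answers. UnlockGate, MayUnlock, HashAnswer, the name pattern and the policy values are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Hypothetical gate placed in front of UnlockUser(); names and limits are illustrative.
public class UnlockGate
{
    const int MaxFailures = 3;                                    // assumed policy value
    static readonly TimeSpan Window = TimeSpan.FromMinutes(30);   // assumed policy value
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9._-]{1,20}\z"); // assumed naming rule
    readonly ConcurrentDictionary<string, Tuple<int, DateTime>> failures =
        new ConcurrentDictionary<string, Tuple<int, DateTime>>(StringComparer.OrdinalIgnoreCase);

    // Store only a salted PBKDF2 hash of each security answer, never the answer itself.
    public static byte[] HashAnswer(string answer, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(answer.Trim().ToLowerInvariant(), salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];   // no early exit on mismatch
        return diff == 0;
    }

    // Returns true only if the caller may go on to call UnlockUser() for this account.
    public bool MayUnlock(string samAccountName, string answer, byte[] salt, byte[] storedHash)
    {
        if (samAccountName == null || !SafeName.IsMatch(samAccountName)) return false;
        DateTime now = DateTime.UtcNow;
        Tuple<int, DateTime> f;
        if (failures.TryGetValue(samAccountName, out f) && now - f.Item2 < Window && f.Item1 >= MaxFailures)
            return false;   // throttled: too many wrong answers inside the window
        if (FixedTimeEquals(HashAnswer(answer ?? "", salt), storedHash))
        {
            failures.TryRemove(samAccountName, out f);
            return true;
        }
        failures.AddOrUpdate(samAccountName, Tuple.Create(1, now),
            (k, old) => now - old.Item2 < Window ? Tuple.Create(old.Item1 + 1, old.Item2) : Tuple.Create(1, now));
        return false;
    }
}
```

The failure counter here lives in the memory of one web server process; a farm or an app-pool recycle would need a shared store. The account passed to UnlockUser as loginUserName should be delegated only the right to write lockoutTime on the relevant OU rather than being a domain administrator.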
    LVL 4

    Assisted Solution

    You can also download ADSelfService Plus to perform the automatic password reset task.
    This software is available as a 30-day trial.

    Chandar Singh

    Author Comment

    I will give both of these solutions a try when I get back in the office tomorrow morning. More than likely, the third party app may work better since all of our intranet pages are password protected and we do not have any web sites out on the internet that are accessible without VPN access, which would require the user to enter their domain credentials.

    Author Closing Comment

    I wasn't able to use either solution in our environment but it wasn't because these were not viable solutions.
