Solved

A script to unlock the AD account.

Posted on 2011-03-02
Last Modified: 2012-06-27
I would like to have a Windows script that a specific user can click on to unlock his Active Directory account.
This user works during odd hours and no administrator is available to unlock his AD account.
I also want to know what kind of permissions this user will need to have to achieve this.

Thanks
0
Question by:jskfan
11 Comments
 
LVL 8

Assisted Solution

by:afthab
afthab earned 250 total points
ID: 35024633
Hi,

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24912703.html

The tool below can provide the feature:

ADSelfService Password management
http://www.manageengine.com/products/self-service-password/
Toll Free: +1-888-720-9500
0
 
LVL 8

Assisted Solution

by:afthab
afthab earned 250 total points
ID: 35024637
0
 
LVL 5

Accepted Solution

by:
NotVeryFat earned 250 total points
ID: 35025681
Save the below as a .vbs file:
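' Unlocks one AD account; expects the user's distinguished name as the only argument
If WScript.Arguments.Count = 1 Then
	strUser = WScript.Arguments(0)
	' Bind to the user object through the LDAP provider
	Set objUser = GetObject("LDAP://" & strUser)
	' Clear the lockout flag and write the change back to the directory
	objUser.IsAccountLocked = False
	objUser.SetInfo
End If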


Then run it as filename.vbs LDAP string of user to unlock
e.g. unlockuser.vbs "CN=Smith\, John,OU=domain,OU=com"
0

 
LVL 5

Assisted Solution

by:NotVeryFat
NotVeryFat earned 250 total points
ID: 35025691
Sorry, correction. Above should read

unlockuser.vbs "CN=Smith\, John,OU=Users,dc=domain,dc=com"
0
 

Author Comment

by:jskfan
ID: 35025773
NotVeryFat:
I run your script but it has done anything
0
 

Author Comment

by:jskfan
ID: 35025797
afthab:

I get this message
Error Unlocking Username On Domainname
0
 

Author Comment

by:jskfan
ID: 35025819
I checked the Active Directory policy
and found this:

Account lockout duration 1440 minutes
Account lockout threshold 6 invalid logon attempts
Reset account lockout counter after 15 minutes

what does each line mean?
I also noticed if I mistype my password just one time instead of 6 as it is indicated in the policy, I got my account locked out
0
 
LVL 5

Assisted Solution

by:NotVeryFat
NotVeryFat earned 250 total points
ID: 35028044
I'm not sure a user can unlock their own account, whatever their privileges. In order to unlock an account, you need to authenticate with an LDAP server. If the account's locked, then the authentication will fail...
0
 
LVL 8

Assisted Solution

by:afthab
afthab earned 250 total points
ID: 35033802
Account lockout duration: Determines the number of minutes a locked out account remains locked out before automatically becoming unlocked. The range is 1 to 99999 minutes. You can specify that the account will be locked out until an administrator explicitly unlocks it by setting the value to 0.

Account lockout threshold: Determines the number of failed logon attempts that will cause a user account to be locked out. A locked out account cannot be used until it is reset by an administrator or the account lockout duration has expired. You can set values between 1 and 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0.

Reset account lockout counter after: Determines the number of minutes that must elapse after a failed logon attempt before the bad logon attempt counter is reset to 0 bad logons. The range is 1 to 99999 minutes.

Can you check the corresponding events when the account lockout occurs?

0
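How the three settings described above interact, as an added example that is not part of the original thread: a simplified Python model that uses the values from the asker's policy (threshold 6, counter reset after 15 minutes, duration 1440 minutes) as defaults. The function name `simulate_lockout` and the sample times are constructed for illustration; the model assumes attempts made while the account is locked are rejected without being counted, and it does not model successful logons.

```python
from datetime import datetime, timedelta

def simulate_lockout(failed_logons, threshold=6, reset_after_min=15, duration_min=1440):
    """Simplified model of the three lockout settings (hypothetical helper).

    failed_logons: datetimes of failed logon attempts.
    Returns a list of (locked_at, unlocks_at) pairs; unlocks_at is None when
    the duration is 0 and only an administrator can unlock the account.
    """
    window = timedelta(minutes=reset_after_min)
    lockouts = []
    count = 0            # bad logon attempt counter
    last_fail = None     # time of the last counted failure
    locked_until = None
    for t in sorted(failed_logons):
        if lockouts and lockouts[-1][1] is None:
            break        # duration 0: stays locked until an administrator acts
        if locked_until is not None and t < locked_until:
            continue     # assumption: attempts while locked are not counted
        if last_fail is not None and t - last_fail > window:
            count = 0    # "reset account lockout counter after" has elapsed
        count += 1
        last_fail = t
        if threshold and count >= threshold:   # threshold 0 means never lock
            locked_until = t + timedelta(minutes=duration_min) if duration_min else None
            lockouts.append((t, locked_until))
            count = 0
    return lockouts

if __name__ == "__main__":
    start = datetime(2011, 3, 2, 22, 0)   # constructed sample times
    burst = [start + timedelta(minutes=i) for i in range(6)]
    slow = [start + timedelta(minutes=20 * i) for i in range(10)]
    cases = (("6 failures in 6 minutes", burst),
             ("10 failures, 20 minutes apart", slow))
    for label, attempts in cases:
        print(label, "->", simulate_lockout(attempts) or "never locked")
```

With the default values, the sixth failure inside the 15-minute window locks the account for 24 hours, while failures spaced more than 15 minutes apart never accumulate to the threshold.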
 

Author Comment

by:jskfan
ID: 35080770
Account lockout duration 1440 minutes

In my case, does that mean after 24 hours I will be able to log in...
of course, after entering the right user name and password?
0
 

Author Closing Comment

by:jskfan
ID: 35213023
thanks
0
