How do I unlock Active Directory users with a bulk transaction

Posted on 2014-11-14
Last Modified: 2015-06-16
Is there any way to unlock many Active Directory users at one time?
I tried selecting them, right-clicking and clicking Unlock. It did not work.
Could adfind or any command be used?
Question by:certuran
LVL 28

Accepted Solution

Dan McFadden earned 250 total points
ID: 40442151
This can be done with Powershell, but the challenge is with what accounts you want to unlock.  There are 2 commands to use:

1. Search-ADAccount
2. Unlock-ADAccount

Both should be obvious in what they do.

If you want to just find all LockedOut accounts and then unlock them, it is pretty much straightforward:

Search-ADAccount -UsersOnly -LockedOut | Unlock-ADAccount

This would unlock all locked out accounts in the current logon domain.

Search-ADAccount -UsersOnly -LockedOut -SearchBase "OU=Office1,OU=Company,DC=DomainName,DC=Extension" | Unlock-ADAccount

This would unlock only locked out accounts in the Office1 OU under the Company OU in the domain DomainName.Extension.

You could dump the results from the Search command into a file, edit the file, then have the Unlock command use the edited file as input for which accounts to unlock.
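
The dump, edit and unlock workflow from the last paragraph of this answer, as an added example (not part of the original answer). The file name locked-accounts.csv is a hypothetical choice; the extra columns show when and how often each account failed, so a reviewer can spot a lockout pattern before clearing it.

```powershell
Import-Module ActiveDirectory

# Hypothetical working file for the review step.
$reviewFile = '.\locked-accounts.csv'

# 1. Dump the locked-out users together with their lockout details.
Search-ADAccount -UsersOnly -LockedOut |
    Get-ADUser -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, DistinguishedName, AccountLockoutTime,
                  BadLogonCount, LastBadPasswordAttempt |
    Export-Csv -Path $reviewFile -NoTypeInformation

# 2. Edit the CSV by hand and delete the rows that must stay locked.

# 3. Unlock only the rows that remain and are still locked.
#    -WhatIf prints what would be unlocked without changing anything.
Import-Csv -Path $reviewFile |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LockedOut } |
    Where-Object { $_.LockedOut } |
    Unlock-ADAccount -PassThru -WhatIf
```

Remove -WhatIf from the last line once the dry-run output lists the expected accounts.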

LVL 19

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 150 total points
ID: 40442157
Try this to unlock all accounts in

GET-ADUSER -filter * -searchbase 'CN=Department,CN=London,DC=EU,DC=Local' | UNLOCK-ADACCOUNT

To unlock the account with SamAccountName Abdul:
   Unlock-ADAccount -Identity Abdul

To unlock the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,

 Unlock-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAcco
LVL 28

Expert Comment

by:Dan McFadden
ID: 40442163
There is a typo in my post above.  The Unlock command has an equals sign in it where it should be a dash.

This:  Unlock=ADAccount

Should be:  Unlock-ADAccount



Author Comment

ID: 40442358
Dear McFadden, your commands worked. However, there is an interesting case, I think.
First I searched for the LockedOut users. The result gave 3 users. When I create a query from the Active Directory menus, it gives more than 40 LockedOut users. So when I ran Unlock-ADAccount, it only unlocked 3 users. But I know that the other users that I found with the query still cannot log on to the domain. So which attribute should I check, so that if I inform you, you can really understand whether the user is LockedOut or not?

Dear Abdul,
In your command, can you tell me the exact LockedOut user filtering instead of "filter *"?
LVL 28

Expert Comment

by:Dan McFadden
ID: 40442407
When you look at one of these other accounts with AD Users & Computers, do you see any account attributes that are on or off that should be in either off or on?

The accounts could be expired or disabled.  Also, did you search across the entire domain or only in a specific OU?

You could try these search commands to try to find out:

Search-ADAccount -UsersOnly -AccountDisabled | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -AccountExpired | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -PasswordExpired | select name,samaccountname | out-gridview


You can get a count by using the following:

(Search-ADAccount -UsersOnly -AccountDisabled).count
(Search-ADAccount -UsersOnly -AccountExpired).count
(Search-ADAccount -UsersOnly -PasswordExpired).count
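
One way to check why each account from a larger list cannot log on, written as an added example rather than code from this thread. It reads names from a hypothetical file cannot-logon.txt (one SamAccountName per line) and reports which of the states discussed above applies, since Unlock-ADAccount only clears the lockout.

```powershell
Import-Module ActiveDirectory

function Get-LogonBlocker {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$SamAccountName
    )
    process {
        $u = Get-ADUser -Identity $SamAccountName -Properties LockedOut, Enabled,
                 AccountExpirationDate, PasswordExpired, AccountLockoutTime

        # Collect every state that applies; an account can be in several at once.
        $reasons = @()
        if ($u.LockedOut)       { $reasons += 'LockedOut' }
        if (-not $u.Enabled)    { $reasons += 'Disabled' }
        if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
            $reasons += 'AccountExpired'
        }
        if ($u.PasswordExpired) { $reasons += 'PasswordExpired' }
        if (-not $reasons)      { $reasons += 'NoneFound' }

        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            Reasons            = $reasons -join ','
            AccountLockoutTime = $u.AccountLockoutTime
            UnlockWouldHelp    = [bool]$u.LockedOut
        }
    }
}

# Hypothetical input: the names returned by the saved query, one per line.
$report = Get-Content -Path '.\cannot-logon.txt' | Get-LogonBlocker

$report | Format-Table -AutoSize

# How many accounts fall into each combination of states.
$report | Group-Object -Property Reasons |
    Select-Object Count, Name |
    Sort-Object -Property Count -Descending
```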


LVL 16

Assisted Solution

by:Joshua Grantom
Joshua Grantom earned 100 total points
ID: 40443665
If you want to see the results of the command, add passthru. Also, just use server if you want to search the entire domain

Import-Module ActiveDirectory
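# -Server takes a value (a domain or domain controller name); DomainName.Extension is a placeholder.
Search-ADAccount -UsersOnly -LockedOut -Server "DomainName.Extension" | Unlock-ADAccount -PassThru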

LVL 20

Expert Comment

ID: 40444956
Is it possible the other locked user accounts are in an OU that was outside of your initial scope in your script?
LVL 28

Expert Comment

by:Dan McFadden
ID: 40446742
The scope of the powershell command was the whole domain.  When the "SearchBase" option is not explicitly defined, the command defaults to the root of the domain that the current user is in.  So the scope searches all partitions of AD.

Reference Link:

So I do not believe the issue is the search base (scope).

I'm interested in seeing the results of the count commands I suggested as well as the output of this command run against one of the other accounts:

Get-ADUser -Identity UserName -Properties * | Out-File ExampleUser.txt


Just replace the UserName with a valid domain username.

LVL 28

Expert Comment

by:Dan McFadden
ID: 40470397
Were you able to run the additional commands?  The results may help provide a solution.


Author Closing Comment

ID: 40833387
Thank you.
