How do I unlock Active Directory users with a bulk transaction

Posted on 2014-11-14
Last Modified: 2015-06-16
Is there any way to unlock many Active Directory users at one time?
I tried selecting them, right-clicking, and clicking unlock. It did not work.
Could adfind or any other command be used?
Question by:certuran
LVL 26

Accepted Solution

Dan McFadden earned 250 total points
ID: 40442151
This can be done with PowerShell, but the challenge is with what accounts you want to unlock.  There are 2 commands to use:

1. Search-ADAccount
2. Unlock-ADAccount

Both should be obvious in what they do.

If you want to just find all LockedOut accounts and then unlock them, it is pretty much straightforward:

Search-ADAccount -UsersOnly -LockedOut | Unlock=ADAccount


This would unlock all locked out accounts in the current logon domain.

Search-ADAccount -UsersOnly -LockedOut -SearchBase "OU=Office1,OU=Company,DC=DomainName,DC=Extension" | Unlock=ADAccount


This would unlock only locked out accounts in the Office1 OU under the Company OU in the domain DomainName.Extension.

You could dump the results from the Search command into a file, edit the file, then have the Unlock command use the edited file as input for which accounts to unlock.
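The dump, edit, then unlock workflow described in the answer above, as an added example that is not part of the original post. The file path and OU are assumed placeholders, and the export keeps LastBadPasswordAttempt and BadLogonCount so the reviewer can see which lockouts follow repeated failed logons before clearing them.

```powershell
Import-Module ActiveDirectory

# Assumed values for this example: replace the file path and OU with your own.
$reviewFile = 'C:\Temp\locked-accounts.csv'
$searchBase = 'OU=Office1,OU=Company,DC=DomainName,DC=Extension'

# Step 1: export the locked-out users together with context for the review.
Search-ADAccount -UsersOnly -LockedOut -SearchBase $searchBase |
    Get-ADUser -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
    Select-Object SamAccountName, Name, DistinguishedName,
                  AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
    Export-Csv -Path $reviewFile -NoTypeInformation -Encoding UTF8

# Step 2 (manual): open the CSV and delete the rows for accounts that must stay locked.

# Step 3: unlock only the accounts still listed in the edited file.
function Unlock-FromReviewFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    foreach ($row in Import-Csv -Path $Path) {
        # Re-read the account: it may have been unlocked or deleted since the export.
        try   { $user = Get-ADUser -Identity $row.SamAccountName -Properties LockedOut -ErrorAction Stop }
        catch { Write-Warning "$($row.SamAccountName): lookup failed, skipped"; continue }
        if (-not $user.LockedOut) { Write-Verbose "$($row.SamAccountName): not locked, skipped"; continue }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Unlock-ADAccount')) {
            Unlock-ADAccount -Identity $user
            # Emit a record of each unlock so the run can be saved as a change log.
            [pscustomobject]@{ SamAccountName = $user.SamAccountName; UnlockedAt = Get-Date -Format o }
        }
    }
}

# Dry run: lists what would be unlocked without changing anything.
Unlock-FromReviewFile -Path $reviewFile -WhatIf
# Real run after the review, keeping a log of what was unlocked:
# Unlock-FromReviewFile -Path $reviewFile | Export-Csv 'C:\Temp\unlocked.csv' -NoTypeInformation
```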

LVL 18

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 150 total points
ID: 40442157
Try this to unlock all accounts in

Get-ADUser -Filter * -SearchBase 'CN=Department,CN=London,DC=EU,DC=Local' | Unlock-ADAccount

To unlock the account with SamAccountName: Abdul
   Unlock-ADAccount -Identity Abdul

To unlock the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,

 Unlock-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAcco
LVL 26

Expert Comment

by:Dan McFadden
ID: 40442163
There is a typo in my post above.  The Unlock command has an equals sign in it where it should be a dash.

This:  Unlock=ADAccount

Should be:  Unlock-ADAccount


Author Comment

ID: 40442358
Dear McFadden, your commands worked. However, there is an interesting case, I think.
First I searched for the LockedOut users. The result gave 3 users. When I create a query from the Active Directory menus, it gives more than 40 LockedOut users. So when I ran Unlock-ADAccount, it only worked for 3 users. But I know that the other users that I found with the query still cannot log on to the domain. So which attribute should I check, so that if I inform you, you can really understand whether the user is locked out or not?

Dear Abdul,
In your command, can you tell me exactly how to filter for LockedOut users instead of "filter *"?
LVL 26

Expert Comment

by:Dan McFadden
ID: 40442407
When you look at one of these other accounts with AD Users & Computers, do you see any account attributes that are on or off that should be either off or on?

The accounts could be expired or disabled.  Also, did you search across the entire domain or only in a specific OU?

You could try these search commands to try to find out:

Search-ADAccount -UsersOnly -AccountDisabled | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -AccountExpired | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -PasswordExpired | select name,samaccountname | out-gridview


You can get a count by using the following:

(Search-ADAccount -UsersOnly -AccountDisabled).count
(Search-ADAccount -UsersOnly -AccountExpired).count
(Search-ADAccount -UsersOnly -PasswordExpired).count
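One way to combine the checks suggested above into a single per-account answer to "which attribute should I check", as an added example that is not part of the original posts. The function name Get-LogonBlocker and the sample objects are hypothetical; the property names are the ones Get-ADUser returns.

```powershell
# Classify why an account cannot log on, using the states discussed in this thread.
function Get-LogonBlocker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$User,
        [datetime]$Now = (Get-Date)
    )
    process {
        $reasons = @()
        if ($User.LockedOut)          { $reasons += 'LockedOut' }
        if ($User.Enabled -eq $false) { $reasons += 'Disabled' }
        if ($User.AccountExpirationDate -and $User.AccountExpirationDate -le $Now) {
            $reasons += 'AccountExpired'
        }
        if ($User.PasswordExpired)    { $reasons += 'PasswordExpired' }

        [pscustomobject]@{
            SamAccountName   = $User.SamAccountName
            Blockers         = if ($reasons) { $reasons -join ',' } else { 'None' }
            # Unlock-ADAccount only restores logon when the lockout is the sole blocker.
            UnlockSufficient = ($reasons.Count -eq 1 -and $reasons[0] -eq 'LockedOut')
        }
    }
}

# Constructed sample objects (not real accounts) so the logic runs without a domain.
$now = Get-Date '2014-11-14'
$sample = @(
    [pscustomobject]@{ SamAccountName='user1'; LockedOut=$true;  Enabled=$true;  AccountExpirationDate=$null; PasswordExpired=$false }
    [pscustomobject]@{ SamAccountName='user2'; LockedOut=$false; Enabled=$false; AccountExpirationDate=$null; PasswordExpired=$false }
    [pscustomobject]@{ SamAccountName='user3'; LockedOut=$true;  Enabled=$true;  AccountExpirationDate=(Get-Date '2014-10-01'); PasswordExpired=$true }
    [pscustomobject]@{ SamAccountName='user4'; LockedOut=$false; Enabled=$true;  AccountExpirationDate=$null; PasswordExpired=$false }
)
$sample | Get-LogonBlocker -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties LockedOut, AccountExpirationDate, PasswordExpired |
#     Get-LogonBlocker | Where-Object Blockers -ne 'None' | Group-Object Blockers
```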


LVL 16

Assisted Solution

by:Joshua Grantom
Joshua Grantom earned 100 total points
ID: 40443665
If you want to see the results of the command, add passthru. Also, just use server if you want to search the entire domain

Import-Module ActiveDirectory
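# DomainName.Extension is a placeholder: -Server needs the name of a domain or domain controller
Search-ADAccount -UsersOnly -Server DomainName.Extension -LockedOut | Unlock-ADAccount -PassThru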


LVL 19

Expert Comment

ID: 40444956
Is it possible the other locked user accounts are in an OU that was outside of your initial scope in your script?
LVL 26

Expert Comment

by:Dan McFadden
ID: 40446742
The scope of the PowerShell command was the whole domain.  When the "SearchBase" option is not explicitly defined, the command defaults to the root of the domain that the current user is in.  So the scope searches all partitions of AD.

Reference Link:

So I do not believe the issue is the search base (scope).

I'm interested in seeing the results of the count commands I suggested as well as the output of this command run against one of the other accounts:

Get-ADUser -Identity UserName -Properties * | Out-File ExampleUser.txt


Just replace the UserName with a valid domain username.

LVL 26

Expert Comment

by:Dan McFadden
ID: 40470397
Were you able to run the additional commands?  The results may help provide a solution.


Author Closing Comment

ID: 40833387
Thank you.
