Solved

How do I unlock Active Directory users with a bulk transaction

Posted on 2014-11-14
11
153 Views
Last Modified: 2015-06-16
Is there any way to unlock many Active directory users at one time.
I tried select them - right mouse click - clicked unlock. It did not work.
Could it be used adfind or any command?
0
Comment
Question by:certuran
11 Comments
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 250 total points
ID: 40442151
This can be done with Powershell, but the challenge is with what accounts you want to unlock.  There are 2 commands to use:

1. Search-ADAccount
2. Unlock-ADAccount

Both should be obvious in what they do.

If you want to just find all LockedOut accounts and then unlock them, it is pretty much straight forward"

Search-ADAccount -UsersOnly -LockedOut | Unlock=ADAccount

Open in new window


This would unlock all locked out account in the current logon domain.

Search-ADAccount -UsersOnly -LockedOut -SearchBase "OU=Office1,OU=Company",DC=DomainName,DC=Extension" | Unlock=ADAccount

Open in new window


This would unlock only locked out account in the Office1 OU under the Company OU in the domain DomainName.Extension.

You could dump the results from the Search command into a file, edit the file, then have the Unlock command use the edited file as input for which accounts to unlock.

Dan
0
 
LVL 18

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 150 total points
ID: 40442157
Try this to unlock all accounts in

GET-ADUSER –filter * –searchbase ‘CN=Department,CN=London,DC=EU,DC=Local’ | UNLOCK-ADACCOUNT

To Unlocks the account with SamAccountName: Abdul
   Unlock-ADAccount -Identity Abdul

To  Unlocks the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,
 OU=UserAccounts,DC=FABRIKAM,DC=COM".

 Unlock-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAcco
 unts,DC=FABRIKAM,DC=COM"
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40442163
There is a typo in my post above.  The Unlock command as an equals sign in it where it should be a dash.

This:  Unlock=ADAccount

Should be:  Unlock-ADAccount

Dan
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:certuran
ID: 40442358
Dear McFadden, your commands worked. However there is an interesting case I think.
First I searched the LockedOut users. Result has given 3 users. When I create a query from the active directory menus, it is giving more than 40 users LockedOut. So when I did Unlock-ADAccount, it only did for 3 users. But I know that the other users those I found with the query still can not logon to domain. So which attribute should I check and if I inform you you can really understand whether the user is lockedOut or not.

Dear Abdul,
In your command can you tell me exactly LockedOut user filtering instead of "filter *"
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40442407
When you look at one of these other accounts with AD Users & Computers, do you see any account attributes that are on or off that should be in either off or on?

The accounts could be expired or disabled.  Also, did you search across the entire domain or only in a specific OU?

You could try these search commands to try to find out:

Search-ADAccount -UsersOnly -AccountDisabled | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -AccountExpired | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -PasswordExpired | select name,samaccountname | out-gridview

Open in new window


You can a count by using the following:

(Search-ADAccount -UsersOnly -AccountDisabled).count
(Search-ADAccount -UsersOnly -AccountExpired).count
(Search-ADAccount -UsersOnly -PasswordExpired).count

Open in new window


Dan
0
 
LVL 16

Assisted Solution

by:Joshua Grantom
Joshua Grantom earned 100 total points
ID: 40443665
If you want to see the results of the command, add passthru. Also, just use server if you want to search the entire domain

Import-Module ActiveDirectory
Search-ADAccount -UsersOnly -Server mydomain.com –LockedOut | Unlock-ADAccount -Passthru

Open in new window

0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40444956
Is it possible the other locked user account are in an OU that was outside of you initial scope in your script?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40446742
The scope of the powershell command was the whole domain.  When the "SearchBase" option is not explicitly defined, the command defaults to the root of the domain that the current user is in.  So the scope searches all partitions of AD.

Reference Link:  http://technet.microsoft.com/en-us/library/ee617247.aspx

So I do not believe the issue is the search base (scope).

I'm interested is seeing the results of the count commands I suggested as well as the output of this command run against one of the other accounts:

Get-ADUser -Identity UserName -Properties * | Out-File ExampleUser.txt

Open in new window


Just replace the UserName with a valid domain username.

Dan
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40470397
We're you able to run the additional commands?  The results may help provide a solution.

Dan
0
 

Author Closing Comment

by:certuran
ID: 40833387
Thank you.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question