How do I unlock Active Directory users with a bulk transaction

Is there any way to unlock many Active directory users at one time.
I tried select them - right mouse click - clicked unlock. It did not work.
Could it be used adfind or any command?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
This can be done with Powershell, but the challenge is with what accounts you want to unlock.  There are 2 commands to use:

1. Search-ADAccount
2. Unlock-ADAccount

Both should be obvious in what they do.

If you want to just find all LockedOut accounts and then unlock them, it is pretty much straight forward"

Search-ADAccount -UsersOnly -LockedOut | Unlock=ADAccount

Open in new window

This would unlock all locked out account in the current logon domain.

Search-ADAccount -UsersOnly -LockedOut -SearchBase "OU=Office1,OU=Company",DC=DomainName,DC=Extension" | Unlock=ADAccount

Open in new window

This would unlock only locked out account in the Office1 OU under the Company OU in the domain DomainName.Extension.

You could dump the results from the Search command into a file, edit the file, then have the Unlock command use the edited file as input for which accounts to unlock.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Raheman M. AbdulSenior Infrastructure Support Analyst & Systems DeveloperCommented:
Try this to unlock all accounts in

GET-ADUSER –filter * –searchbase ‘CN=Department,CN=London,DC=EU,DC=Local’ | UNLOCK-ADACCOUNT

To Unlocks the account with SamAccountName: Abdul
   Unlock-ADAccount -Identity Abdul

To  Unlocks the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,

 Unlock-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAcco
Dan McFaddenSystems EngineerCommented:
There is a typo in my post above.  The Unlock command as an equals sign in it where it should be a dash.

This:  Unlock=ADAccount

Should be:  Unlock-ADAccount

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

certuranAuthor Commented:
Dear McFadden, your commands worked. However there is an interesting case I think.
First I searched the LockedOut users. Result has given 3 users. When I create a query from the active directory menus, it is giving more than 40 users LockedOut. So when I did Unlock-ADAccount, it only did for 3 users. But I know that the other users those I found with the query still can not logon to domain. So which attribute should I check and if I inform you you can really understand whether the user is lockedOut or not.

Dear Abdul,
In your command can you tell me exactly LockedOut user filtering instead of "filter *"
Dan McFaddenSystems EngineerCommented:
When you look at one of these other accounts with AD Users & Computers, do you see any account attributes that are on or off that should be in either off or on?

The accounts could be expired or disabled.  Also, did you search across the entire domain or only in a specific OU?

You could try these search commands to try to find out:

Search-ADAccount -UsersOnly -AccountDisabled | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -AccountExpired | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -PasswordExpired | select name,samaccountname | out-gridview

Open in new window

You can a count by using the following:

(Search-ADAccount -UsersOnly -AccountDisabled).count
(Search-ADAccount -UsersOnly -AccountExpired).count
(Search-ADAccount -UsersOnly -PasswordExpired).count

Open in new window

Joshua GrantomSenior Systems AdministratorCommented:
If you want to see the results of the command, add passthru. Also, just use server if you want to search the entire domain

Import-Module ActiveDirectory
Search-ADAccount -UsersOnly -Server –LockedOut | Unlock-ADAccount -Passthru

Open in new window

Is it possible the other locked user account are in an OU that was outside of you initial scope in your script?
Dan McFaddenSystems EngineerCommented:
The scope of the powershell command was the whole domain.  When the "SearchBase" option is not explicitly defined, the command defaults to the root of the domain that the current user is in.  So the scope searches all partitions of AD.

Reference Link:

So I do not believe the issue is the search base (scope).

I'm interested is seeing the results of the count commands I suggested as well as the output of this command run against one of the other accounts:

Get-ADUser -Identity UserName -Properties * | Out-File ExampleUser.txt

Open in new window

Just replace the UserName with a valid domain username.

Dan McFaddenSystems EngineerCommented:
We're you able to run the additional commands?  The results may help provide a solution.

certuranAuthor Commented:
Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.