Solved

How do I unlock Active Directory users with a bulk transaction

Posted on 2014-11-14
11
100 Views
Last Modified: 2015-06-16
Is there any way to unlock many Active directory users at one time.
I tried select them - right mouse click - clicked unlock. It did not work.
Could it be used adfind or any command?
0
Comment
Question by:certuran
11 Comments
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 250 total points
ID: 40442151
This can be done with Powershell, but the challenge is with what accounts you want to unlock.  There are 2 commands to use:

1. Search-ADAccount
2. Unlock-ADAccount

Both should be obvious in what they do.

If you want to just find all LockedOut accounts and then unlock them, it is pretty much straight forward"

Search-ADAccount -UsersOnly -LockedOut | Unlock=ADAccount

Open in new window


This would unlock all locked out account in the current logon domain.

Search-ADAccount -UsersOnly -LockedOut -SearchBase "OU=Office1,OU=Company",DC=DomainName,DC=Extension" | Unlock=ADAccount

Open in new window


This would unlock only locked out account in the Office1 OU under the Company OU in the domain DomainName.Extension.

You could dump the results from the Search command into a file, edit the file, then have the Unlock command use the edited file as input for which accounts to unlock.

Dan
0
 
LVL 18

Assisted Solution

by:Raheman M. Abdul
Raheman M. Abdul earned 150 total points
ID: 40442157
Try this to unlock all accounts in

GET-ADUSER –filter * –searchbase ‘CN=Department,CN=London,DC=EU,DC=Local’ | UNLOCK-ADACCOUNT

To Unlocks the account with SamAccountName: Abdul
   Unlock-ADAccount -Identity Abdul

To  Unlocks the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,
 OU=UserAccounts,DC=FABRIKAM,DC=COM".

 Unlock-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAcco
 unts,DC=FABRIKAM,DC=COM"
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40442163
There is a typo in my post above.  The Unlock command as an equals sign in it where it should be a dash.

This:  Unlock=ADAccount

Should be:  Unlock-ADAccount

Dan
0
 

Author Comment

by:certuran
ID: 40442358
Dear McFadden, your commands worked. However there is an interesting case I think.
First I searched the LockedOut users. Result has given 3 users. When I create a query from the active directory menus, it is giving more than 40 users LockedOut. So when I did Unlock-ADAccount, it only did for 3 users. But I know that the other users those I found with the query still can not logon to domain. So which attribute should I check and if I inform you you can really understand whether the user is lockedOut or not.

Dear Abdul,
In your command can you tell me exactly LockedOut user filtering instead of "filter *"
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40442407
When you look at one of these other accounts with AD Users & Computers, do you see any account attributes that are on or off that should be in either off or on?

The accounts could be expired or disabled.  Also, did you search across the entire domain or only in a specific OU?

You could try these search commands to try to find out:

Search-ADAccount -UsersOnly -AccountDisabled | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -AccountExpired | select name,samaccountname | out-gridview
Search-ADAccount -UsersOnly -PasswordExpired | select name,samaccountname | out-gridview

Open in new window


You can a count by using the following:

(Search-ADAccount -UsersOnly -AccountDisabled).count
(Search-ADAccount -UsersOnly -AccountExpired).count
(Search-ADAccount -UsersOnly -PasswordExpired).count

Open in new window


Dan
0
 
LVL 16

Assisted Solution

by:Joshua Grantom
Joshua Grantom earned 100 total points
ID: 40443665
If you want to see the results of the command, add passthru. Also, just use server if you want to search the entire domain

Import-Module ActiveDirectory
Search-ADAccount -UsersOnly -Server mydomain.com –LockedOut | Unlock-ADAccount -Passthru

Open in new window

0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40444956
Is it possible the other locked user account are in an OU that was outside of you initial scope in your script?
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40446742
The scope of the powershell command was the whole domain.  When the "SearchBase" option is not explicitly defined, the command defaults to the root of the domain that the current user is in.  So the scope searches all partitions of AD.

Reference Link:  http://technet.microsoft.com/en-us/library/ee617247.aspx

So I do not believe the issue is the search base (scope).

I'm interested is seeing the results of the count commands I suggested as well as the output of this command run against one of the other accounts:

Get-ADUser -Identity UserName -Properties * | Out-File ExampleUser.txt

Open in new window


Just replace the UserName with a valid domain username.

Dan
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40470397
We're you able to run the additional commands?  The results may help provide a solution.

Dan
0
 

Author Closing Comment

by:certuran
ID: 40833387
Thank you.
0

Join & Write a Comment

Set OWA language and time zone in Exchange for individuals, all users or per database.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now