Query - Powershell Script formatting for Unlock single AD User Account

Hi All,

I have the below working script, though I would like to pick some experts' brains please.

A) Is there anything wrong, i.e., can I cause harm/damage if I am running the "Unlock-AD" if the actual account isn't even locked?

e.g., should it include something like: if the username is locked, then unlock?

B) Is the below formatting OK, or is there a better "preferred/recommended" way I should be using?

C) As I work in 1st/2nd line support I often get calls for AD unlocks; any other suggestions on how I should be running this script to make it more efficient?

e.g., does anyone use a script to search by surname and first name to pick up female name changes etc. instead of by username, or how else do others do it in their environment?


Import-Module ActiveDirectory

# Prompt for the credential to unlock with, then for the account to check.
$Credentials = Get-Credential
$UserName = Read-Host "Enter in the Username to check"

# Show the lockout-related attributes before doing anything.
Get-ADUser $UserName -Properties Displayname, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired `
| Select-Object -Property Displayname, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired

Unlock-ADAccount $UserName -Credential $Credentials


IT_Support Private asked:
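The following is an added example, not code from the original question, written to cover points A, B and C above in one script: it looks an account up either by username or by surname/given name (so a renamed user is still found), shows the status first, unlocks only when the account is actually locked, and writes an audit line per operator. It assumes the RSAT ActiveDirectory module is installed and that the helpdesk operator's account holds only the delegated unlock right (write access to lockoutTime on the user OU), not Domain Admin. The script name, parameter names and log path are assumptions for the example.

```powershell
<#
Added example, not the original poster's code. Covers points A, B and C
of the question. Assumes the ActiveDirectory module and a helpdesk account
with the delegated unlock right (write lockoutTime), not Domain Admin.
Script name, parameter names and log path are assumptions.
  .\Unlock-HelpdeskAccount.ps1 -SamAccountName jsmith
  .\Unlock-HelpdeskAccount.ps1 -Surname Smith -GivenName Ja -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'BySam')]
param(
    [Parameter(Mandatory, ParameterSetName = 'BySam', Position = 0)]
    [string]$SamAccountName,

    # Point C: look up by name, so a renamed (e.g. married) user is still found.
    [Parameter(Mandatory, ParameterSetName = 'ByName')]
    [string]$Surname,
    [Parameter(ParameterSetName = 'ByName')]
    [string]$GivenName = '',

    # Only needed when not already running as the delegated helpdesk account.
    [System.Management.Automation.PSCredential]$Credential,

    # Audit trail of who unlocked what; the path is an assumption for the example.
    [string]$LogPath = "$env:USERPROFILE\UnlockLog.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-LdapEscaped {
    # RFC 4515 escaping: whatever the caller types cannot change the filter's
    # structure (no injected wildcards or extra clauses).
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ([string]$c) {
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            '\'     { [void]$sb.Append('\5c') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

$adArgs = @{ Properties = 'DisplayName', 'Enabled', 'LockedOut', 'AccountLockoutTime', 'PasswordExpired' }
if ($Credential) { $adArgs['Credential'] = $Credential }

if ($PSCmdlet.ParameterSetName -eq 'BySam') {
    $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapEscaped $SamAccountName)))"
} else {
    # Exact surname, given-name prefix (the trailing * is ours, not the caller's).
    $filter = "(&(objectClass=user)(sn=$(ConvertTo-LdapEscaped $Surname))(givenName=$(ConvertTo-LdapEscaped $GivenName)*))"
}
$users = @(Get-ADUser -LDAPFilter $filter @adArgs)

if ($users.Count -eq 0) { Write-Warning "No account matched $filter"; return }

# Show status first: a call that is really an expired password or a disabled
# account should not end with a pointless unlock.
$users | Select-Object SamAccountName, DisplayName, Enabled, LockedOut, AccountLockoutTime, PasswordExpired |
    Format-Table -AutoSize | Out-Host

if ($users.Count -gt 1) { Write-Warning 'More than one match; rerun with -SamAccountName.'; return }

$user = $users[0]
# Point A: unlocking an account that is not locked is harmless, but skipping it
# keeps the log honest and tells the caller the problem lies elsewhere.
if (-not $user.LockedOut) {
    Write-Host "$($user.SamAccountName) is not locked out; nothing to do." -ForegroundColor Yellow
    return
}

# -WhatIf / -Confirm come for free from SupportsShouldProcess.
if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Unlock AD account')) {
    $unlockArgs = @{ Identity = $user.DistinguishedName }
    if ($Credential) { $unlockArgs['Credential'] = $Credential }
    Unlock-ADAccount @unlockArgs

    # Re-read and log the outcome so the helpdesk has a per-operator trail.
    $after = Get-ADUser -Identity $user.DistinguishedName @adArgs
    [pscustomobject]@{
        Time        = (Get-Date).ToString('s')
        Operator    = "$env:USERDOMAIN\$env:USERNAME"
        Account     = $user.SamAccountName
        StillLocked = $after.LockedOut
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation

    $colour = if ($after.LockedOut) { 'Red' } else { 'Green' }
    Write-Host "$($user.SamAccountName) LockedOut is now: $($after.LockedOut)" -ForegroundColor $colour
}
```

Two design choices worth noting. The LDAP filter is built from escaped input rather than by string-interpolating a `-Filter` expression, so a caller who types `*` or `)` gets no results instead of a wider search. And the unlock itself only needs the delegated right to write lockoutTime on the user objects in scope; running the helpdesk tooling under a Domain Admin account for this is more privilege than the task needs.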
MilesLogan commented:
Something like this may help... the user calls to say their domain account is locked; enter their user name and, if it was locked, it will unlock it.
If it was not locked and, after you tell them to try again, they still can't log in... then yeah, the call just got longer :)

Import-Module -Name ActiveDirectory
$AccountToUnlock = Read-Host -Prompt 'Enter account to unlock'
# Unlock (a no-op if the account is not locked), then show the resulting status.
Get-ADUser -Identity $AccountToUnlock | Unlock-ADAccount
Write-Host ('See {0} locked out status below' -f $AccountToUnlock) -ForegroundColor Green
Get-ADUser -Identity $AccountToUnlock -Properties SamAccountName, LockedOut | Select-Object -Property SamAccountName, LockedOut

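For the "the call just got longer" case, an added example that is not part of the thread: a script that shows where the bad passwords are coming from. badPwdCount and LastBadPasswordAttempt are kept per domain controller and are not replicated, so the single-DC figures that the question's script prints can read 0 while another DC, or the PDC emulator (which is informed of every failed attempt and logs the lockout), says otherwise. It assumes the ActiveDirectory module and read access to the Security log on the PDC emulator; the script and parameter names are assumptions, and the mapping of the caller computer name onto the TargetDomainName field of event 4740 is how that event lays out its data.

```powershell
<#
Added example, not code from the thread. Finds which DC holds the bad
password count for an account and which computer triggered the lockout.
Assumes the ActiveDirectory module and read access to the Security log on
the PDC emulator. Script and parameter names are assumptions.
  .\Get-LockoutSource.ps1 -SamAccountName jsmith -Hours 8
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory, Position = 0)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory -ErrorAction Stop

$pdc = (Get-ADDomain).PDCEmulator

# 1. The non-replicated counters, read from every DC in turn.
$perDc = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
             -Properties badPwdCount, LastBadPasswordAttempt, LockedOut, AccountLockoutTime -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            IsPDC           = ($dc.HostName -eq $pdc)
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $u.LastBadPasswordAttempt
            LockedOut       = $u.LockedOut
            LockoutTime     = $u.AccountLockoutTime
        }
    } catch {
        # An unreachable DC is a finding too (it may be the one holding the
        # lockout), so keep it in the table rather than dropping it.
        [pscustomobject]@{
            DC              = $dc.HostName
            IsPDC           = ($dc.HostName -eq $pdc)
            BadPwdCount     = 'unreachable'
            LastBadPassword = $_.Exception.Message
            LockedOut       = $null
            LockoutTime     = $null
        }
    }
}
$perDc | Format-Table -AutoSize | Out-Host

# 2. Lockout events (ID 4740) on the PDC emulator. In 4740 the "Caller
# Computer Name" is carried in the TargetDomainName data field.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$sources = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $SamAccountName) {
        [pscustomobject]@{ Time = $e.TimeCreated; CallerComputer = $data['TargetDomainName'] }
    }
}

if ($sources) {
    # Where to look next: a stale service, scheduled task, mapped drive or
    # mobile device on that host is still presenting the old password.
    $sources | Sort-Object Time -Descending | Format-Table -AutoSize | Out-Host
} else {
    Write-Host "No 4740 event for $SamAccountName on $pdc in the last $Hours hours." -ForegroundColor Yellow
}
```

Run it before, not after, the unlock when the same user keeps coming back: once the caller computer is known, the fix is on that machine, and repeated unlocks only reset the counter until the next attempt.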

David Johnson, CD, MVP commented:
If it is not locked then unlocking doesn't do anything
Jose Gabriel Ortega C (CEO, J0rt3g4 Consulting Services) commented:
David answered A.

What about making it a real script?

# Declare the parameter so the script can be called with -username.
param([Parameter(Mandatory)][string]$UserName)

Import-Module ActiveDirectory
Get-ADUser $UserName | Unlock-ADAccount


Save it as Unlocker.ps1

And run it like:
.\Unlocker.ps1 -username "UserNameToUnlock"

You won't require credentials if you're a domain admin.
If you're not, you will need them, so...

param([Parameter(Mandatory)][string]$UserName)

# Prompt for the account that holds the unlock right, then unlock with it.
$creds = Get-Credential
Import-Module ActiveDirectory
Get-ADUser $UserName | Unlock-ADAccount -Credential $creds


IT_Support Private (author) commented:
Thanks all for the advice. Much appreciated.
Shaun Vermaak (Technical Specialist/Developer) commented:
I added an unlock option to my Password Reset Tool if you would like to test it.