Query - Powershell Script formatting for Unlock single AD User Account

Hi All,

I have the below working script, though would like to pick some experts brains please.

A)Is there anything wrong, i.e, can I cause harm/damage if I am running the "Unlock-AD" if the actual account isn't even locked?

eg, should it include something like - If Username is locked, then Unlock?

B)Is the below formatting OK, or is there a better "Preferred/Recommended" way I should be using?

C)As I work in 1st/2nd Line Support I often get calls for AD unlocks, any other suggestions I should be running this script to make it more efficient

eg, does anyone use a script to search for surname and first name to pick up female name changes etc instead of by username or how else do others do their environment?

Thanks,

Import-Module ActiveDirectory

$Credentials = Get-Credential $UserName = Read-Host "Enter in the Username to check"

Get-ADUser $UserName -Properties Displayname, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired `
| Select-Object -Property Displayname, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired

Unlock-ADAccount $UserName -Credential $Credentials

Open in new window

IT_Support PrivateAsked: 2017-11-19

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

Experts Exchange Solution brought to you by

Enjoy your complimentary solution view.

Get every solution instantly with Premium. Start your 7-day free trial.

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LVL 89

David Johnson, CD, MVPOwnerCommented: 2017-11-19

If it is not locked then unlocking doesn't do anything

LVL 20

Jose Gabriel Ortega CastroEE Solution Guide - CEO Faru Bonon ITCommented: 2017-11-19

David answered A.

What about making it a real script.

[Cmdletbinding()]
param(
    [Parameter(mandatory=$true,Position=0)]$username
)

Import-Module ActiveDirectory
Get-ADUser $UserName  | Unlock-ADAccount

Open in new window

Save it as Unlocker.ps1

And run it like:
.\Unlocker.ps1 -username "UserNameToUnlock"

You won't require credentials if you're a domain admin.
If you don't you would require it. so...

[Cmdletbinding()]
param(
    [Parameter(mandatory=$true,Position=0)]$username
)
$creds = Get-Credential
Import-Module ActiveDirectory
Get-ADUser $UserName  | Unlock-ADAccount -credential $creds

Open in new window

LVL 2

MilesLoganCommented: 2017-11-19

something like this may help ... user calls that their domain account is locked .. enter their user name and if it was locked . then it will unlock it.
If it was not locked and after you tell them to try again they still can't log in .. then yeah .. the call just got longer :)

Import-Module -Name ActiveDirectory
$AccounToUnlock = Read-Host -Prompt 'Enter account to unlock'
Get-ADUser -Identity $AccounToUnlock  | Unlock-ADAccount
Write-Host ('See {0} locked out status below' -f $AccountoUnlock) -ForegroundColor Green -NoNewline
Get-ADUser -Identity $AccounToUnlock | Get-ADUser -Properties SamaccountName,Lockedout | Select-Object -Property SamaccountName,Lockedout

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

IT_Support PrivateAuthor Commented: 2017-11-20

Thanks all for the advice. Much appreciated.

LVL 47

Shaun VermaakTechnical Specialist/DeveloperCommented: 2017-11-20

I added unlock option to my Password Reset Tool if you would like to test it
https://www.experts-exchange.com/articles/30866/Active-Directory-Password-Reset-Tool.html