Query - PowerShell script formatting for unlocking a single AD user account

Hi All,

I have the below working script, though would like to pick some experts brains please.

A) Is there anything wrong, i.e. can I cause harm/damage if I run "Unlock-AD" when the actual account isn't even locked?

e.g. should it include something like: if the username is locked, then unlock?

B) Is the below formatting OK, or is there a better "preferred/recommended" way I should be using?

C) As I work in 1st/2nd line support I often get calls for AD unlocks. Any other suggestions for how I should be running this script to make it more efficient?

e.g. does anyone use a script to search by surname and first name to pick up female name changes etc. instead of by username, or how else do others handle their environment?


Import-Module ActiveDirectory

# Prompt for the credentials to use and for the account to check
$Credentials = Get-Credential
$UserName = Read-Host "Enter in the Username to check"

# Show the current lockout state before doing anything
Get-ADUser $UserName -Properties Displayname, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired |
    Select-Object -Property Displayname, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired

Unlock-ADAccount $UserName -Credential $Credentials


IT_Support Private asked:

David Johnson, CD, MVP (Owner) commented:
If it is not locked then unlocking doesn't do anything.
Jose Gabriel Ortega Castro (EE Solution Guide - CEO Faru Bonon IT) commented:
David answered A.

What about making it a real script.

# Take the username as a script parameter so it can be passed on the command line
param([Parameter(Mandatory)][string]$UserName)
Import-Module ActiveDirectory
Get-ADUser $UserName | Unlock-ADAccount


Save it as Unlocker.ps1

And run it like:
.\Unlocker.ps1 -username "UserNameToUnlock"

You won't require credentials if you're a domain admin.
If you don't, you would require it. So...

param([Parameter(Mandatory)][string]$UserName)
# Prompt for the account that has rights to unlock
$creds = Get-Credential
Import-Module ActiveDirectory
Get-ADUser $UserName | Unlock-ADAccount -Credential $creds


Something like this may help: the user calls saying their domain account is locked, you enter their user name, and if it was locked then it will unlock it.
If it was not locked, and after you tell them to try again they still can't log in, then yeah, the call just got longer :)

Import-Module -Name ActiveDirectory
$AccountToUnlock = Read-Host -Prompt 'Enter account to unlock'
Get-ADUser -Identity $AccountToUnlock | Unlock-ADAccount
# Re-read the account so the status shown is the state after the unlock
Write-Host ('See {0} locked out status below' -f $AccountToUnlock) -ForegroundColor Green
Get-ADUser -Identity $AccountToUnlock -Properties SamAccountName, LockedOut | Select-Object -Property SamAccountName, LockedOut

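Pulling together A (only unlock when the account really is locked) and C (look the account up by surname/first name when the username has changed), here is an added example that is not from any of the replies above. It assumes the RSAT ActiveDirectory module is installed; the function name Invoke-AdUnlockIfLocked and the sample calls at the end are made up for this example.

```powershell
#Requires -Modules ActiveDirectory
function Invoke-AdUnlockIfLocked {
    # Hypothetical helper (added example, not from the thread): unlocks only when LockedOut is true,
    # supports -WhatIf/-Confirm, and can look up by surname/given name for renamed accounts.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName = 'ByLogin', Mandatory)][string]$SamAccountName,
        [Parameter(ParameterSetName = 'ByName', Mandatory)][string]$Surname,
        [Parameter(ParameterSetName = 'ByName')][string]$GivenName = '*',
        [pscredential]$Credential   # omit when the account you are logged on with already has unlock rights
    )
    $props  = 'DisplayName', 'Enabled', 'LockedOut', 'badPwdCount', 'AccountLockoutTime', 'PasswordExpired'
    $common = @{ Properties = $props }
    if ($Credential) { $common.Credential = $Credential }

    # Resolve the account. A scriptblock filter keeps help-desk input out of the query string itself.
    if ($PSCmdlet.ParameterSetName -eq 'ByLogin') {
        try   { $users = @(Get-ADUser -Identity $SamAccountName @common) }
        catch { $users = @() }
    } else {
        $users = @(Get-ADUser -Filter { Surname -eq $Surname -and GivenName -like $GivenName } @common)
    }
    if ($users.Count -eq 0) { Write-Warning 'No matching account found.'; return }
    if ($users.Count -gt 1) {
        Write-Warning 'Several matches; re-run with -SamAccountName for the right one:'
        return ($users | Select-Object SamAccountName, DisplayName, Enabled, LockedOut)
    }

    # Show the state before touching anything, so a disabled or expired account is not mistaken for a lockout.
    $user = $users[0]
    $user | Select-Object SamAccountName, DisplayName, Enabled, LockedOut, badPwdCount, AccountLockoutTime, PasswordExpired |
        Format-List | Out-Host
    if (-not $user.LockedOut) {
        Write-Host "$($user.SamAccountName) is not locked out; nothing to change." -ForegroundColor Yellow
        return
    }
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Unlock AD account')) {
        $unlock = @{ Identity = $user }
        if ($Credential) { $unlock.Credential = $Credential }
        Unlock-ADAccount @unlock
        # Re-read and return the post-unlock state so the ticket has a record of what actually changed.
        Get-ADUser -Identity $user @common | Select-Object SamAccountName, LockedOut, badPwdCount
    }
}

# Example calls (constructed): prompt for the login name, or search by name with a dry run first.
# Invoke-AdUnlockIfLocked -SamAccountName (Read-Host 'Enter the username to check')
# Invoke-AdUnlockIfLocked -Surname 'Smith' -GivenName 'J*' -WhatIf
```

Running with -WhatIf shows which account would be unlocked without changing it, which is a cheap way to test the name lookup before using it on live calls.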


IT_Support Private (Author) commented:
Thanks all for the advice. Much appreciated.
Shaun Vermaak (Technical Specialist/Developer) commented:
I added an unlock option to my Password Reset Tool if you would like to test it.