
October 27, 2017 at 12:08 pm

Hi All,
I need help modifying this script so that it also prompts me for a user's account, as opposed to searching for all users.
E.g., my plan is to run this from other people's desks, enter my admin account, and then enter the suspected locked-out account name so I can check whether the account is locked out or not.

Is anyone able to tell me what needs changing, please?

#Requires -Version 3.0

[CmdletBinding()]
param (
    [ValidateNotNullOrEmpty()]
    [string]$DomainName = $env:USERDOMAIN,
    [ValidateNotNullOrEmpty()]
    [string]$UserName = "*",
    [ValidateNotNullOrEmpty()]
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)
Invoke-Command -ComputerName (
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName))
    ).PdcRoleOwner.name
) {
    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
    Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
    Select-Object -Property TimeCreated,
        @{Label='UserName';Expression={$_.Properties[0].Value}},
        @{Label='ClientName';Expression={$_.Properties[1].Value}}
} -Credential (Get-Credential) |
Select-Object -Property TimeCreated, UserName, ClientName

October 27, 2017 at 12:30 pm

If you're just looking for a command that can unlock an AD account when given a user account I'd just use Unlock-ADAccount from the ActiveDirectory Module. If you need to run it under alternate credentials just create a credential object for your admin account.

$cred = get-credential
#enter admin account in credential dialog box
unlock-adaccount -identity joeuser -credential $cred

October 27, 2017 at 12:32 pm

$cred = get-credential
$username = read-host "Enter username you want to unlock"
unlock-adaccount -identity $username -credential $cred

October 27, 2017 at 12:41 pm

Thanks so much for the prompt reply,
So if I don't want to type in the domain each time, do I need to specify it, or is it smart enough to pick it up from the logged-in PC that I run the script from? Would I use something like this (I'm at home so I can't test now)?

Should I run something like this on the user's PC, or are there any other "preferred/more efficient" solutions?
Or is there a better way to do it from AD so that I don't have to do it on the user's computer?

$cred = get-credential
$DCName = 'DC1'
$username = read-host "Enter username you want to unlock"
# XPath: the operator is '<=' with no space, and the variable must match the one read above ($username, not $User).
# -Credential is passed so the remote log read uses the admin account as well.
Get-WinEvent -LogName Security -ComputerName $DCName -Credential $cred -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" |
    Select-Object TimeCreated,
        @{Label='User Name';Expression={$_.Properties[0].Value}},
        @{Label='Client Name';Expression={$_.Properties[1].Value}}
unlock-adaccount -identity $username -credential $cred

Just wondering, is this getting the Windows event from my computer, or from the domain controller of the end user's computer?

October 27, 2017 at 1:59 pm

By default unlock-adaccount (and most other AD cmdlets) will use your currently logged on domain. You can specify alternate domains with the -server parameter. There's no reason to run it from the user's PC. AD is centralized so you can run that cmdlet from your workstation just fine.

October 28, 2017 at 6:13 am

Thanks,
Interesting.
I was just thinking I could run it from an end user's desk, in scenarios where I may be at his/her desk already, to save me remoting back to my PC. Though I guess they would probably need to have the RSAT tools installed on their machine for it to work.

October 28, 2017 at 6:25 am

Is anyone able to try out this script and let me know if it works? I don't have access to an AD setup at home.
Also, is there an order constraint on how I put the script together? E.g., if I ask for account expiration, bad password history, etc., when I unlock the account, does it wipe the last bad password attempt, etc.?

$X3Cred = get-credential
#$DCName = 'DC1'
$username = read-host "Enter username you want to unlock"
unlock-adaccount -identity $username -credential $X3Cred
# Fixed: '$userame-Properties' was a typo and a missing space; the credential is passed so the reads use the admin account.
get-aduser -Identity $username -Properties badPwdCount -Credential $X3Cred
# Fixed: 'accountexpiratondate' was misspelled; the attribute is AccountExpirationDate.
get-aduser -Identity $username -Properties AccountExpirationDate -Credential $X3Cred
#Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" -ComputerName $DCName | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
# Without -ComputerName this reads the Security log of the computer the script runs on, not the domain controller's.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
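Pulling the drafts in this thread together (the first post's query of the PDC emulator for 4740 events, the XPath filter with a user name, and the attribute reads around the unlock), here is an added example that is not from any post in the thread. It prompts for the admin credential and the user name, reads the lockout state and the recent 4740 events from the PDC emulator (where lockouts are recorded, which is why the original script looked that DC up), records everything before the unlock so the order question does not arise, and writes a record to a file for the ticket while still showing it on screen. Assumptions: the RSAT ActiveDirectory module is installed where the script runs, the credential can read the PDC's Security log and unlock accounts, and the $Hours, $LogPath and record layout are choices made here.

```powershell
#Requires -Version 3.0
#Requires -Modules ActiveDirectory

# Added example (not from the thread): check a single account's lockout state,
# show where the lockouts came from, unlock it, and keep a record for the ticket.
# Assumes RSAT ActiveDirectory on this machine and a credential that can read
# the PDC emulator's Security log and unlock accounts.
[CmdletBinding(SupportsShouldProcess)]
param (
    [Parameter(Mandatory)]                # omit it and PowerShell prompts for it
    [ValidateNotNullOrEmpty()]
    [string]$UserName,
    [pscredential]$Credential,            # prompted for below if not supplied
    [string]$DomainName = $env:USERDOMAIN,
    [int]$Hours = 2,                      # how far back to look for 4740 events
    [string]$LogPath                      # defaults to a timestamped file in %TEMP%
)

if (-not $Credential) { $Credential = Get-Credential -Message 'Admin account used for the unlock' }
if (-not $LogPath) {
    $LogPath = Join-Path $env:TEMP ("unlock-{0}-{1:yyyyMMdd-HHmmss}.txt" -f $UserName, (Get-Date))
}

# Lockouts are recorded on the PDC emulator, so the event query and the
# attribute reads go there regardless of which desk the script runs from.
$pdc = (Get-ADDomain -Identity $DomainName -Credential $Credential).PDCEmulator

$props  = 'LockedOut', 'AccountLockoutTime', 'badPwdCount', 'LastBadPasswordAttempt', 'AccountExpirationDate'
$before = Get-ADUser -Identity $UserName -Server $pdc -Credential $Credential -Properties $props

# XPath operator is '<=' with no space; timediff() works in milliseconds.
$xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]] " +
         "and EventData[Data[@Name='TargetUserName']='$UserName']]"
$lockouts = Get-WinEvent -ComputerName $pdc -Credential $Credential -LogName Security `
                         -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{Label = 'UserName';   Expression = { $_.Properties[0].Value }},
        @{Label = 'ClientName'; Expression = { $_.Properties[1].Value }}

# Everything is read before the account is touched, so the unlock cannot
# change what ends up in the record.
$record = [ordered]@{
    Timestamp              = Get-Date -Format o
    Operator               = $Credential.UserName
    Target                 = $before.SamAccountName
    QueriedDC              = $pdc
    LockedOutBefore        = $before.LockedOut
    AccountLockoutTime     = $before.AccountLockoutTime
    BadPwdCount            = $before.badPwdCount
    LastBadPasswordAttempt = $before.LastBadPasswordAttempt
    AccountExpirationDate  = $before.AccountExpirationDate
    LockoutSources         = ($lockouts | ForEach-Object { '{0} from {1}' -f $_.TimeCreated, $_.ClientName }) -join '; '
    LockedOutAfter         = $before.LockedOut
}

if (-not $before.LockedOut) {
    Write-Warning "$UserName is not locked out on $pdc; nothing to unlock."
}
elseif ($PSCmdlet.ShouldProcess($UserName, "Unlock account via $pdc")) {
    Unlock-ADAccount -Identity $UserName -Server $pdc -Credential $Credential
    $record.LockedOutAfter = (Get-ADUser -Identity $UserName -Server $pdc -Credential $Credential -Properties LockedOut).LockedOut
}

# Tee-Object writes the record to the file for the ticket and still shows it
# on screen, so no PAUSE is needed to read the result.
[pscustomobject]$record | Format-List | Out-String | Tee-Object -FilePath $LogPath
Write-Host "Record saved to $LogPath"
```

Run it as `.\Unlock-Check.ps1 -UserName jdoe` (or with no arguments and answer the prompts); `-WhatIf` shows what would be unlocked without doing it. The ClientName column of the 4740 events is the machine that sent the bad passwords, which is usually the first thing to look at before unlocking a second time.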

October 29, 2017 at 4:35 am

Sorry for the flood of posts.
One more question, please:
What would others normally do to see the results? I.e., is it preferred to put a PAUSE at the bottom of the script so you can see the results, or is it recommended to output to a temp text file/window, etc.?
Does one work quicker/more reliably than the other?
Thanks

October 29, 2017 at 6:16 am

In an interactive script I would use the "Press Any Key to continue..." way.

November 6, 2017 at 10:23 am

You can try the following command to unlock all locked-out accounts.

Search-ADAccount -LockedOut | Unlock-ADAccount

You can filter the results from Search-ADAccount before piping it to Unlock-ADAccount. For example:

Search-ADAccount -LockedOut | Where {$_.samaccountname -eq "jdoe"} | Unlock-ADAccount

Additionally, you could also take a look at the article below, which explains a few common root causes of account lockouts and how to resolve them.

http://www.morgantechspace.com/2014/11/Unlock-AD-User-Account-using-Powershell.html

November 6, 2017 at 11:34 am

Thanks,
Though I'm only interested in unlocking the end users' accounts as they come to me.
I need a ticket for every action I take, for audit reasons (and to justify my job).

November 6, 2017 at 4:59 pm

You could also set up a constrained endpoint on your computer or a management station if this is an option in your environment. You could then just run an invoke-command or enter-pssession from the client you're at to your workstation using the configuration name you created. You can even specify alternate credentials for the endpoint to run the commands as. I use this in my environment when at another workstation to connect to a management station for AD tasks.

https://blogs.technet.microsoft.com/heyscriptingguy/2014/03/31/introduction-to-powershell-endpoints/
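The constrained endpoint described above, as an added example that is not from the post or the linked article: it registers an endpoint on a management station that exposes only the three AD cmdlets needed for this task and runs them as a delegated account, so the person connecting from another desk needs neither RSAT nor AD rights on that desk. Assumptions: the ActiveDirectory module is installed on the management station, the endpoint name UnlockAccounts, the delegated account entered at the prompt, and the help-desk group granted access in the ACL dialog are all placeholders chosen here. Run it elevated on the management station.

```powershell
#Requires -Version 3.0

# Added example (not from the post): a constrained PowerShell endpoint that
# exposes only the unlock-related AD cmdlets and runs them under a delegated
# account. Endpoint name, delegated account and help-desk group are
# placeholders; replace them with the values used in your environment.

$configPath = Join-Path $env:ProgramData 'UnlockAccounts.pssc'

# RestrictedRemoteServer + NoLanguage: callers can invoke the listed cmdlets
# and nothing else (no script blocks of their own, no variables, no other modules).
$configParams = @{
    Path            = $configPath
    SessionType     = 'RestrictedRemoteServer'
    LanguageMode    = 'NoLanguage'
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = 'Get-ADUser', 'Search-ADAccount', 'Unlock-ADAccount'
    Description     = 'Help-desk endpoint: check and unlock AD accounts only'
}
New-PSSessionConfigurationFile @configParams

# The endpoint runs as a delegated account that holds only the permission to
# unlock accounts in AD; callers authenticate as themselves but act through it,
# so their own accounts need no AD rights.
$runAs = Get-Credential -Message 'Delegated account the endpoint runs as (placeholder)'
Register-PSSessionConfiguration -Name 'UnlockAccounts' -Path $configPath -RunAsCredential $runAs -Force

# Restrict who may connect: the ACL editor opens for the endpoint. Grant the
# help-desk group Execute (Invoke) and leave everyone else without access.
Set-PSSessionConfiguration -Name 'UnlockAccounts' -ShowSecurityDescriptorUI -Force

# Usage from any domain-joined desk (example call; MGMT01 is a placeholder):
#   Invoke-Command -ComputerName MGMT01 -ConfigurationName UnlockAccounts `
#       -Credential (Get-Credential) -ScriptBlock { Unlock-ADAccount -Identity jdoe }
# or interactively:
#   Enter-PSSession -ComputerName MGMT01 -ConfigurationName UnlockAccounts
```

Because the caller never holds the unlock permission directly, the endpoint's ACL is the control point, and the listed cmdlets are the whole attack surface of the session. On PowerShell 5.0 or later the same configuration file also accepts a TranscriptDirectory, which records every command run through the endpoint and covers the audit requirement mentioned earlier in the thread.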