PS Script to Unlock AD Users Account

This topic contains 11 replies, has 6 voices, and was last updated by Mike Duganitz 1 week, 4 days ago.

  • #83095

    IT_Support
    Participant

    Hi All,
    I require assistance with modifying this script so that it also prompts me for a Users Account as opposed to searching for All Users.
    Eg, my plan is I run this from others desks and enter in my admin account, and then enter in the suspected locked out account name so i can check if the account is locked out or not.

    Is anyone able to assist with telling me what needs changing please:

    #Requires -Version 3.0
    
    [CmdletBinding()]
    param (
        [ValidateNotNullOrEmpty()]
        [string]$DomainName = $env:USERDOMAIN,
        [ValidateNotNullOrEmpty()]
        [string]$UserName = "*",
        [ValidateNotNullOrEmpty()]
        [datetime]$StartTime = (Get-Date).AddDays(-3)
    )
    Invoke-Command -ComputerName (
        [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((
            New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName))
        ).PdcRoleOwner.name
    ) {
        Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
        Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
        Select-Object -Property TimeCreated,
            @{Label='UserName';Expression={$_.Properties[0].Value}},
            @{Label='ClientName';Expression={$_.Properties[1].Value}}
    } -Credential (Get-Credential) |
    Select-Object -Property TimeCreated, UserName, ClientName
    
  • #83098

    Jeremy Murrah
    Participant

    If you're just looking for a command that can unlock an AD account when given a user account I'd just use Unlock-ADAccount from the ActiveDirectory Module. If you need to run it under alternate credentials just create a credential object for your admin account.

    $cred = get-credential
    #enter admin account in credential dialog box
    unlock-adaccount -identity joeuser -credential $cred
  • #83101

    Jon
    Participant

    $cred = get-credential
    $username = read-host "Enter username you want to unlock"
    unlock-adaccount -identity $username -credential $cred
    
    • #83102

      IT_Support
      Participant

      Thanks so much for the prompt reply,
      So if I don't want to type in the domain each time, do I need to specify it, or is it smart enough to pick it up from the logged-in PC that I run the script from? Would I use something like this (at home so can't test now)?

      Should I run something like this on the PC of the user? Any other "Preferred/More Efficient Solutions"?
      Or is there a better way to do it from AD so that I don't have to do it on the user's computer?

      $cred = get-credential
      $DCName = 'DC1'
      $username = read-host "Enter username you want to unlock"
      # 4740 = account locked out; look back 2 hours (7200000 ms) in the named DC's Security log
      # for events whose TargetUserName is the account entered above
      Get-WinEvent -LogName security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" -ComputerName $DCName -Credential $cred | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
      unlock-adaccount -identity $username -credential $cred
      

      Just wondering, is this getting the win event from my computer, or the Domain controller of the End users computer?

  • #83107

    Jeremy Murrah
    Participant

    By default unlock-adaccount (and most other AD cmdlets) will use your currently logged on domain. You can specify alternate domains with the -server parameter. There's no reason to run it from the user's PC. AD is centralized so you can run that cmdlet from your workstation just fine.

    • #83149

      IT_Support
      Participant

      Thanks,
      Interesting.
      I was just thinking if I could run it from an end user's desk, in scenarios where I may be at his/her desk already, to save me remoting back to my PC. Though I guess they would probably need to have the RSAT tools installed on their machine for it to work.

    • #83150

      IT_Support
      Participant

      Is anyone able to try out this script and let me know if it works? I don't have access to an AD setup at home:
      Also, is there an order constraint to how I put in the script, e.g. if I ask for account expiration, bad password history etc., when I unlock the account, does it wipe the last bad password attempt etc.?

      $X3Cred = get-credential
      #$DCName = 'DC1'
      $username = read-host "Enter username you want to unlock"
      unlock-adaccount -identity $username -credential $X3Cred
      # query the account with the same admin credential; badPwdCount and AccountExpirationDate are not in the default property set
      Get-ADUser -Identity $username -Properties badPwdCount -Credential $X3Cred
      Get-ADUser -Identity $username -Properties AccountExpirationDate -Credential $X3Cred
      # with -ComputerName this reads the DC's Security log (4740 events, last 2 hours = 7200000 ms)
      #Get-WinEvent -LogName security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" -ComputerName $DCName -Credential $X3Cred | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
      # without -ComputerName it reads the Security log of the machine the script runs on
      Get-WinEvent -LogName security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
      
      
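      Putting the pieces of this thread together (prompt for one user, check the lockout state and the 4740 events on the PDC emulator, then unlock with the admin credential), as an added example that was not posted by anyone in this thread. It assumes the RSAT ActiveDirectory module is installed on the machine it runs from and that the supplied credential may read the domain controller's Security log and unlock accounts; the function name Invoke-LockoutCheck and its parameters are the example's own choices.

      ```powershell
      #Requires -Version 3.0
      #Requires -Modules ActiveDirectory

      # Added example: the function name and parameter set are assumptions, not the thread's script.
      function Invoke-LockoutCheck {
          [CmdletBinding(SupportsShouldProcess = $true)]
          param (
              [Parameter(Mandatory = $true)]
              [ValidateNotNullOrEmpty()]
              [string]$UserName,

              [Parameter(Mandatory = $true)]
              [pscredential]$Credential,

              # DNS name of the domain the current machine is joined to, unless overridden.
              [string]$Domain = $env:USERDNSDOMAIN,

              [int]$HoursBack = 2
          )

          # Every lockout is forwarded to the PDC emulator, so that DC has 4740 events
          # for the whole domain regardless of which DC processed the bad passwords.
          $pdc = (Get-ADDomain -Identity $Domain -Credential $Credential).PDCEmulator

          # Read the account state BEFORE unlocking so the evidence is captured either way.
          $user = Get-ADUser -Identity $UserName -Server $pdc -Credential $Credential `
              -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountExpirationDate

          # 4740 = "A user account was locked out". Properties[0] is TargetUserName,
          # Properties[1] the caller computer (the machine that sent the bad passwords).
          # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
          $events = Get-WinEvent -ComputerName $pdc -Credential $Credential -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$HoursBack) } |
              Where-Object { $_.Properties[0].Value -eq $user.SamAccountName } |
              Select-Object TimeCreated,
                  @{ Name = 'UserName';   Expression = { $_.Properties[0].Value } },
                  @{ Name = 'ClientName'; Expression = { $_.Properties[1].Value } }

          $unlocked = $false
          if ($user.LockedOut) {
              # -WhatIf / -Confirm flow through ShouldProcess, so the unlock can be previewed.
              if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Unlock account via $pdc")) {
                  Unlock-ADAccount -Identity $user -Server $pdc -Credential $Credential
                  $unlocked = $true
              }
          }

          [pscustomobject]@{
              User                   = $user.SamAccountName
              WasLockedOut           = $user.LockedOut
              BadPwdCount            = $user.badPwdCount
              LastBadPasswordAttempt = $user.LastBadPasswordAttempt
              AccountExpirationDate  = $user.AccountExpirationDate
              Unlocked               = $unlocked
              LockoutSources         = $events
          }
      }

      # Interactive use from any domain-joined machine that has RSAT:
      $cred = Get-Credential -Message 'Admin account'
      Invoke-LockoutCheck -UserName (Read-Host 'Enter username to check/unlock') -Credential $cred | Format-List
      ```

      Reading the DC's Security log over Get-WinEvent -ComputerName needs the credential to be allowed to read event logs on that DC (for example through the Event Log Readers group), which is a separate right from being able to unlock accounts. The LockoutSources column is the part worth looking at before clicking through: if the same ClientName keeps locking the account, unlocking it again only buys a few minutes.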
    • #83197

      IT_Support
      Participant

      Sorry for the flood of posts,
      One more question please,
      What would others normally do to see the results, ie, is preferred to put a PAUSE in the bottom of the script so you can see the results, or is it recommended to output to a temp text file/window etc?
      Does one work quicker/more reliable than the other?
      Thanks

    • #83201

      Willy Moselhy
      Participant

      In an interactive script I would use the "Press Any Key to continue..." way.

  • #83653

    edwin arlington
    Participant

    You can try the following command to unlock all locked-out accounts.

    Search-ADAccount -LockedOut | Unlock-ADAccount

    You can filter the results from Search-ADAccount before piping it to Unlock-ADAccount. For example:

    Search-ADAccount -LockedOut | Where {$_.samaccountname -eq "jdoe"} | Unlock-ADAccount

    Additionally, you could also take a look at the article below, which explains a few common root causes of account lockouts and how to resolve them.

    http://www.morgantechspace.com/2014/11/Unlock-AD-User-Account-using-Powershell.html

    • #83657

      IT_Support
      Participant

      Thanks,
      Though only interested in unlocking the End-Users account as they come to me,
      I need a ticket for every action i take for Audit Reasons (and to justify my job)
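      Combining edwin's Search-ADAccount filter above with the ticket-per-action requirement, as an added example that was not posted by anyone in this thread: it only unlocks an account that AD currently reports as locked out, can be previewed with -WhatIf, and appends one audit row per run. It assumes the ActiveDirectory module; the function name, the CSV path and the ticket format are placeholders chosen for the example.

      ```powershell
      #Requires -Version 3.0
      #Requires -Modules ActiveDirectory

      # Added example: name, audit-log path and ticket format are assumptions.
      function Unlock-ADAccountWithTicket {
          [CmdletBinding(SupportsShouldProcess = $true)]
          param (
              [Parameter(Mandatory = $true)]
              [string]$SamAccountName,

              [Parameter(Mandatory = $true)]
              [string]$TicketId,

              [Parameter(Mandatory = $true)]
              [pscredential]$Credential,

              # Placeholder location; point this at a share the operator can append to.
              [string]$AuditLog = "$env:USERPROFILE\unlock-audit.csv"
          )

          # Start from the set AD reports as locked, then narrow to the one account
          # requested, so nothing else is ever piped into Unlock-ADAccount.
          $target = Search-ADAccount -LockedOut -UsersOnly -Credential $Credential |
              Where-Object { $_.SamAccountName -eq $SamAccountName }

          if (-not $target) {
              Write-Warning "$SamAccountName is not currently locked out; nothing to do."
              return
          }

          # ShouldProcess gives -WhatIf / -Confirm; the audit row records whether it went ahead.
          $unlocked = $false
          if ($PSCmdlet.ShouldProcess($target.SamAccountName, "Unlock (ticket $TicketId)")) {
              $target | Unlock-ADAccount -Credential $Credential
              $unlocked = $true
          }

          # One row per action: who did it, with which admin account, to whom, and why.
          $row = [pscustomobject]@{
              Timestamp    = (Get-Date).ToString('o')
              Operator     = "$env:USERDOMAIN\$env:USERNAME"
              AdminAccount = $Credential.UserName
              Target       = $target.SamAccountName
              TargetDN     = $target.DistinguishedName
              TicketId     = $TicketId
              Unlocked     = $unlocked
          }
          $row | Export-Csv -Path $AuditLog -Append -NoTypeInformation
          $row
      }

      # Preview first, then run for real:
      #   Unlock-ADAccountWithTicket -SamAccountName 'jdoe' -TicketId 'INC-0000' -Credential (Get-Credential) -WhatIf
      #   Unlock-ADAccountWithTicket -SamAccountName 'jdoe' -TicketId 'INC-0000' -Credential (Get-Credential)
      ```

      The local CSV is the operator's own record; the authoritative trail is still the domain controller's Security log, where the unlock shows up as a change to the target account, so the ticket number in the CSV is what ties the two together when someone asks later.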

  • #83686

    Mike Duganitz
    Participant

    You could also set up a constrained endpoint on your computer or a management station if this is an option in your environment. You could then just run an invoke-command or enter-pssession from the client you're at to your workstation using the configuration name you created. You can even specify alternate credentials for the endpoint to run the commands as. I use this in my environment when at another workstation to connect to a management station for AD tasks.
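    One way to build the constrained endpoint Mike describes, as an added example and not Mike's own setup: a JEA (Just Enough Administration) configuration on the management station that exposes only the unlock-related cmdlets, transcribes every session, and runs them under a dedicated account. It assumes PowerShell 5.0 or later on the management station and the ActiveDirectory module installed there; MGMT01, CONTOSO\Helpdesk, CONTOSO\svc-unlock, the endpoint name ADUnlock and all paths are placeholders.

    ```powershell
    #Requires -Version 5.0
    #Requires -RunAsAdministrator

    # Added example, run once (elevated) on the management station. All names below
    # are placeholders: MGMT01, CONTOSO\Helpdesk (who may connect), CONTOSO\svc-unlock (run-as).

    # 1. A module folder for the role capability file: JEA only discovers .psrc files
    #    under a module's RoleCapabilities folder.
    $moduleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\ADUnlockJEA"
    New-Item -Path "$moduleDir\RoleCapabilities" -ItemType Directory -Force | Out-Null
    New-ModuleManifest -Path "$moduleDir\ADUnlockJEA.psd1" -Description 'JEA role capabilities for AD unlocks'

    # 2. The role: only the cmdlets needed to check and unlock an account are visible, and
    #    Unlock-ADAccount may only be given -Identity (no -Server or -Credential from the caller).
    New-PSRoleCapabilityFile -Path "$moduleDir\RoleCapabilities\HelpdeskUnlock.psrc" `
        -ModulesToImport 'ActiveDirectory' `
        -VisibleCmdlets @(
            @{ Name = 'Unlock-ADAccount'; Parameters = @{ Name = 'Identity' } },
            @{ Name = 'Get-ADUser';       Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } },
            @{ Name = 'Search-ADAccount'; Parameters = @{ Name = 'LockedOut' }, @{ Name = 'UsersOnly' } }
        )

    # 3. The endpoint: RestrictedRemoteServer (no scripting language, just the listed
    #    commands), a transcript of every session for the audit trail, and the role
    #    granted only to members of the helpdesk group.
    $transcripts = 'C:\JEA\Transcripts'
    New-Item -Path $transcripts -ItemType Directory -Force | Out-Null
    $pssc = "$env:TEMP\ADUnlock.pssc"
    New-PSSessionConfigurationFile -Path $pssc `
        -SessionType RestrictedRemoteServer `
        -TranscriptDirectory $transcripts `
        -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'HelpdeskUnlock' } }
    Test-PSSessionConfigurationFile -Path $pssc

    # 4. Register it to run as a dedicated account that holds the unlock permission, so the
    #    connecting helpdesk user needs no AD rights of their own (this is the "alternate
    #    credentials for the endpoint" part).
    Register-PSSessionConfiguration -Name 'ADUnlock' -Path $pssc `
        -RunAsCredential (Get-Credential -UserName 'CONTOSO\svc-unlock' -Message 'Run-as account') -Force

    # From any other workstation, as a member of CONTOSO\Helpdesk (no RSAT needed there):
    #   Invoke-Command -ComputerName MGMT01 -ConfigurationName ADUnlock -ScriptBlock { Unlock-ADAccount -Identity 'jdoe' }
    #   Enter-PSSession -ComputerName MGMT01 -ConfigurationName ADUnlock   # then: Get-ADUser jdoe -Properties LockedOut
    ```

    The run-as account should carry only the delegated permission to unlock accounts on the user OUs it serves, not Domain Admins; with the session type set to RestrictedRemoteServer the helpdesk user cannot reach anything beyond the three visible cmdlets, and the transcript directory gives the per-action record that the audit requirement asks for.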
