unlock user on windows 2003 PDC

This topic contains 4 replies, has 2 voices, and was last updated by Jonathan Warnken 4 months, 3 weeks ago.

  • #47413
    Mahan (Participant)

    This is the code I plan to use to unlock a critical account on a PDC which is running on Server 2003 and does not have PowerShell installed.
    Please let me know if it is fine. Please note that values within percentage signs are to be replaced with actual values.

    # Bind the searcher explicitly to the PDC (note the two slashes after LDAP:)
    $adsiSearcher = New-Object DirectoryServices.DirectorySearcher("LDAP://%PDC Name%/%Domain Naming Context%/")
    $adsiSearcher.Filter = "(&(objectCategory=User)(cn=%acct name%))"
    $objUser = $adsiSearcher.FindOne()

    # Re-bind to the matching object so it can be modified
    $ADUser = [adsi]$objUser.Path

    # IsAccountLocked is exposed through the IADsUser interface, hence InvokeGet
    If (($($ADUser.psbase.InvokeGet('IsAccountLocked')) -eq 'True') {
          $ADUser.IsAccountLocked = $false
          $ADUser.SetInfo()
    }
    
    • This topic was modified 4 months, 3 weeks ago by Mahan.
  • #47420
    Mahan (Participant)

    FYI, I tried it and it worked, but I am just not sure if it is the right way to do it. Also, on https://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeget(v=vs.110).aspx it is said that one should not use the InvokeGet method and should instead use the 'Properties' property to access attributes. I tried to query Properties to determine if an account is locked, but I am not able to determine it using the Properties property.

    • This reply was modified 4 months, 3 weeks ago by Mahan.
  • #47434
    Jonathan Warnken (Participant)

    Given what you have described, I do not think there is anything wrong with this method. There are other options, such as using the AD cmdlet Unlock-ADAccount or using the WinNT provider to get the properties for the user. Example from http://powershell.com/cs/forums/t/268.aspx

    # Serverless bind: the search root is whichever DC answers
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry

    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000

    # Any user whose lockoutTime has ever been set (it is not cleared when the lockout expires)
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"

    $colPropList = "name","samaccountname"
    foreach ($i in $colPropList) { $objSearcher.PropertiesToLoad.Add($i) | Out-Null }

    $colResults = $objSearcher.FindAll()

    foreach ($objResult in $colResults) {

        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname

        # Re-bind through the WinNT provider to read the SAM user flags
        $user = [ADSI]"WinNT://$domainname/$samaccountname"

        $ADS_UF_LOCKOUT = 0x00000010

        # Only report accounts whose lockout flag is currently set
        if (($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
            $objResult.Properties.name
        }
    }
    
  • #47504
    Mahan (Participant)

    Thanks for your suggestions. I was looking for ways to simplify the process, and here is what I came up with, and it worked. Reference link – https://msdn.microsoft.com/en-us/library/aa746533(v=vs.85).aspx. Note: with the WinNT provider, I am using the PDC host name and not the domain name. I did this to make sure I am targeting the PDC directly. Thoughts please?

    $samaccountname = %accountname%
    # Resolve the PDC emulator so the WinNT bind goes to that host, not just any DC
    $PDC = (Get-ADDomain).PDCEmulator
    $WinNTuser = [ADSI]"WinNT://$PDC/$samaccountname"

    If ( $WinNTuser.IsAccountLocked -eq 'True' ) {
          $WinNTuser.IsAccountLocked = $false
          $WinNTuser.SetInfo()
    }
    
  • #47564
    Jonathan Warnken (Participant)

    That should be sufficient. Using the host name will ensure the change is written there. With the domain name, any DC could service the request.
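Putting the thread's two pieces together as an added example (not code from either poster): read the lockout attributes over LDAP from the PDC emulator, where the counters are authoritative, then clear the lock with the WinNT provider on that same host and re-read to confirm the write landed. The function and parameter names are assumptions, as is the availability of Get-ADDomain for PDC discovery (pass -Pdc explicitly otherwise).

```powershell
# Added example, not from the thread. Assumes rights to reset the lockout on the account.
function Unlock-AccountOnPdc {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Pdc = (Get-ADDomain).PDCEmulator   # assumption: AD module present
    )

    # 1. LDAP read bound explicitly to the PDC; a serverless "LDAP://" bind could
    #    land on any DC and return stale badPwdCount / lockoutTime values.
    $nc       = ([ADSI]"LDAP://$Pdc/RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$Pdc/$nc",
        "(&(objectCategory=person)(sAMAccountName=$SamAccountName))",
        [string[]]@('lockoutTime', 'badPwdCount', 'badPasswordTime'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Account '$SamAccountName' not found via $Pdc" }

    # FILETIME values; 0 means never set. Record them before clearing: a lockout
    # cleared without knowing its source usually recurs.
    $lockoutTime = [int64]($hit.Properties['lockouttime']     | Select-Object -First 1)
    $badPwdTime  = [int64]($hit.Properties['badpasswordtime'] | Select-Object -First 1)
    $badPwdCount = [int]  ($hit.Properties['badpwdcount']     | Select-Object -First 1)
    $lockedOutAt = if ($lockoutTime) { [DateTime]::FromFileTimeUtc($lockoutTime) }
    $lastBadPwd  = if ($badPwdTime)  { [DateTime]::FromFileTimeUtc($badPwdTime) }

    # 2. WinNT bind to the PDC. IsAccountLocked reflects an expired lockout window;
    #    a non-zero lockoutTime alone does not, since it is never reset on expiry.
    $user      = [ADSI]"WinNT://$Pdc/$SamAccountName,user"
    $wasLocked = [Convert]::ToBoolean("$($user.IsAccountLocked)")

    $unlocked = $false
    if ($wasLocked -and $PSCmdlet.ShouldProcess("$SamAccountName on $Pdc", 'Unlock')) {
        $user.IsAccountLocked = $false
        $user.SetInfo()
        $user.RefreshCache()   # re-read from the server, not the local property cache
        $unlocked = -not [Convert]::ToBoolean("$($user.IsAccountLocked)")
    }

    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        Pdc             = $Pdc
        WasLocked       = $wasLocked
        LockedOutAt     = $lockedOutAt
        BadPwdCount     = $badPwdCount
        LastBadPassword = $lastBadPwd
        Unlocked        = $unlocked
    }
}

# Constructed usage: Unlock-AccountOnPdc -SamAccountName svc_backup -Pdc PDC01 -WhatIf
```

Run it with -WhatIf first to see the lockout timestamps and bad-password count without changing anything; a high count with a recent LastBadPassword is worth investigating before the unlock.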
