unlock user on windows 2003 PDC

Welcome Forums General PowerShell Q&A unlock user on windows 2003 PDC

This topic contains 4 replies, has 2 voices, and was last updated by

2 years, 8 months ago.

  • Author
  • #47413

    Points: 0
    Rank: Member

    This is the code I plan to use to unlock a critical account on PDC which is running on 2003 server and does not have powershell installed.
    Please let me know if it is fine. Please note values within percentage signs are to be replaced with actual values.

    $adsiSearcher = New-Object DirectoryServices.DirectorySearcher("LDAP:/%PDC Name%/%Domain Naming Context%/")
    $adsiSearcher.filter = "(&(ObjectCategory=User)(cn=%acct name%))"
    $objUser = $adsiSearcher.findone()
    $ADUser= ([adsi]$objUser.path)
    If (($($ADUser.psbase.invokeget('IsAccountLocked')) -eq 'True') {
          $ADUser.IsAccountLocked = $false
  • #47420

    Points: 0
    Rank: Member

    FYI I tried and it worked but just not sure if it is the right way to do it. Also on https://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeget(v=vs.110).aspx , it is said that one should not use invokeget method and instead should use 'properties' property to access attributes. I tried to query properties to determine if a account is locked, but I am not able to determine it using properties property.

  • #47434

    Points: 0
    Rank: Member

    Given what you have descried I do not think there is anything wrong with this method. There are other options such as using the ad cmdlet's Unlock-ADAccount or using the winnt provider to get the properties for the user. example from http://powershell.com/cs/forums/t/268.aspx

    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
    $colProplist = "name","samaccountname"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults) {
        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname
        $user = [ADSI]"WinNT://$domainname/$samaccountname"
        $ADS_UF_LOCKOUT = 0x00000010
        if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
  • #47504

    Points: 0
    Rank: Member

    Thanks for your suggestions. I was looking for ways to simplify the process and here is what I came up with, and it worked. Reference link – https://msdn.microsoft.com/en-us/library/aa746533(v=vs.85).aspx. Note, With WinNT provider, I am using PDC host name and not the domain name. I did this to make sure I am targeting the PDC directly. Thoughts please?

        $samaccountname = %accountname%
                   $PDC = (get-addomain).pdcemulator
             $WinNTuser = [ADSI]"WinNT://$PDC/$samaccountname"
    If ( $WinNTuser.isaccountlocked -eq 'True' ) {
          $WinNTuser.IsAccountLocked = $false
  • #47564

    Points: 0
    Rank: Member

    That should be sufficient. using the host name will ensure the change is written there. With the domain name the any DC could service the request.

The topic ‘unlock user on windows 2003 PDC’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort