unlock user on windows 2003 PDC

This topic contains 4 replies, has 2 voices, and was last updated by  Jonathan Warnken 1 year, 10 months ago.

  • Author
  • #47413


    This is the code I plan to use to unlock a critical account on PDC which is running on 2003 server and does not have powershell installed.
    Please let me know if it is fine. Please note values within percentage signs are to be replaced with actual values.

    $adsiSearcher = New-Object DirectoryServices.DirectorySearcher("LDAP:/%PDC Name%/%Domain Naming Context%/")
    $adsiSearcher.filter = "(&(ObjectCategory=User)(cn=%acct name%))"
    $objUser = $adsiSearcher.findone()
    $ADUser= ([adsi]$objUser.path)
    If (($($ADUser.psbase.invokeget('IsAccountLocked')) -eq 'True') {
          $ADUser.IsAccountLocked = $false
    • This topic was modified 1 year, 10 months ago by  Mahan.
    • This topic was modified 1 year, 10 months ago by  Mahan.
    • This topic was modified 1 year, 10 months ago by  Mahan.
  • #47420


    FYI I tried and it worked but just not sure if it is the right way to do it. Also on https://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeget(v=vs.110).aspx , it is said that one should not use invokeget method and instead should use 'properties' property to access attributes. I tried to query properties to determine if a account is locked, but I am not able to determine it using properties property.

    • This reply was modified 1 year, 10 months ago by  Mahan.
  • #47434

    Jonathan Warnken

    Given what you have descried I do not think there is anything wrong with this method. There are other options such as using the ad cmdlet's Unlock-ADAccount or using the winnt provider to get the properties for the user. example from http://powershell.com/cs/forums/t/268.aspx

    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
    $colProplist = "name","samaccountname"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults) {
        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname
        $user = [ADSI]"WinNT://$domainname/$samaccountname"
        $ADS_UF_LOCKOUT = 0x00000010
        if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
  • #47504


    Thanks for your suggestions. I was looking for ways to simplify the process and here is what I came up with, and it worked. Reference link – https://msdn.microsoft.com/en-us/library/aa746533(v=vs.85).aspx. Note, With WinNT provider, I am using PDC host name and not the domain name. I did this to make sure I am targeting the PDC directly. Thoughts please?

        $samaccountname = %accountname%
                   $PDC = (get-addomain).pdcemulator
             $WinNTuser = [ADSI]"WinNT://$PDC/$samaccountname"
    If ( $WinNTuser.isaccountlocked -eq 'True' ) {
          $WinNTuser.IsAccountLocked = $false
  • #47564

    Jonathan Warnken

    That should be sufficient. using the host name will ensure the change is written there. With the domain name the any DC could service the request.

You must be logged in to reply to this topic.