Author Posts

July 18, 2016 at 11:33 pm

This is the code I plan to use to unlock a critical account on PDC which is running on 2003 server and does not have powershell installed.
Please let me know if it is fine. Please note values within percentage signs are to be replaced with actual values.

$adsiSearcher = New-Object DirectoryServices.DirectorySearcher("LDAP:/%PDC Name%/%Domain Naming Context%/")
$adsiSearcher.filter = "(&(ObjectCategory=User)(cn=%acct name%))"
$objUser = $adsiSearcher.findone()

$ADUser= ([adsi]$objUser.path)

If (($($ADUser.psbase.invokeget('IsAccountLocked')) -eq 'True') {
      $ADUser.IsAccountLocked = $false
      $ADUser.setinfo()
}
  • This topic was modified 2 years, 1 month ago by  Mahan.
  • This topic was modified 2 years, 1 month ago by  Mahan.
  • This topic was modified 2 years, 1 month ago by  Mahan.

July 18, 2016 at 11:43 pm

FYI I tried and it worked but just not sure if it is the right way to do it. Also on https://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeget(v=vs.110).aspx , it is said that one should not use invokeget method and instead should use 'properties' property to access attributes. I tried to query properties to determine if a account is locked, but I am not able to determine it using properties property.

  • This reply was modified 2 years, 1 month ago by  Mahan.

July 19, 2016 at 10:44 am

Given what you have descried I do not think there is anything wrong with this method. There are other options such as using the ad cmdlet's Unlock-ADAccount or using the winnt provider to get the properties for the user. example from http://powershell.com/cs/forums/t/268.aspx

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000

$objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"

$colProplist = "name","samaccountname"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults) {

    $domainname = $objDomain.name
    $samaccountname = $objResult.Properties.samaccountname
 
    $user = [ADSI]"WinNT://$domainname/$samaccountname"
 
    $ADS_UF_LOCKOUT = 0x00000010
 
    if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
        $objResult.Properties.name
    }
}

July 19, 2016 at 6:16 pm

Thanks for your suggestions. I was looking for ways to simplify the process and here is what I came up with, and it worked. Reference link – https://msdn.microsoft.com/en-us/library/aa746533(v=vs.85).aspx. Note, With WinNT provider, I am using PDC host name and not the domain name. I did this to make sure I am targeting the PDC directly. Thoughts please?

    $samaccountname = %accountname%
               $PDC = (get-addomain).pdcemulator
         $WinNTuser = [ADSI]"WinNT://$PDC/$samaccountname"

If ( $WinNTuser.isaccountlocked -eq 'True' ) {
      $WinNTuser.IsAccountLocked = $false
      $WinNTuser.setinfo()
}

July 20, 2016 at 12:37 am

That should be sufficient. using the host name will ensure the change is written there. With the domain name the any DC could service the request.