unlock user on windows 2003 PDC

This topic contains 4 replies, has 2 voices, and was last updated by  Jonathan Warnken 1 year, 4 months ago.

  • Author
    Posts
  • #47413

    Mahan
    Participant

    This is the code I plan to use to unlock a critical account on PDC which is running on 2003 server and does not have powershell installed.
    Please let me know if it is fine. Please note values within percentage signs are to be replaced with actual values.

    $adsiSearcher = New-Object DirectoryServices.DirectorySearcher("LDAP:/%PDC Name%/%Domain Naming Context%/")
    $adsiSearcher.filter = "(&(ObjectCategory=User)(cn=%acct name%))"
    $objUser = $adsiSearcher.findone()
    
    $ADUser= ([adsi]$objUser.path)
    
    If (($($ADUser.psbase.invokeget('IsAccountLocked')) -eq 'True') {
          $ADUser.IsAccountLocked = $false
          $ADUser.setinfo()
    }
    
    • This topic was modified 1 year, 4 months ago by  Mahan.
    • This topic was modified 1 year, 4 months ago by  Mahan.
    • This topic was modified 1 year, 4 months ago by  Mahan.
  • #47420

    Mahan
    Participant

    FYI I tried and it worked but just not sure if it is the right way to do it. Also on https://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeget(v=vs.110).aspx , it is said that one should not use invokeget method and instead should use 'properties' property to access attributes. I tried to query properties to determine if a account is locked, but I am not able to determine it using properties property.

    • This reply was modified 1 year, 4 months ago by  Mahan.
  • #47434

    Jonathan Warnken
    Participant

    Given what you have descried I do not think there is anything wrong with this method. There are other options such as using the ad cmdlet's Unlock-ADAccount or using the winnt provider to get the properties for the user. example from http://powershell.com/cs/forums/t/268.aspx

    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
    
    $colProplist = "name","samaccountname"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
    
    $colResults = $objSearcher.FindAll()
    
    foreach ($objResult in $colResults) {
    
        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname
     
        $user = [ADSI]"WinNT://$domainname/$samaccountname"
     
        $ADS_UF_LOCKOUT = 0x00000010
     
        if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
            $objResult.Properties.name
        }
    }
    
  • #47504

    Mahan
    Participant

    Thanks for your suggestions. I was looking for ways to simplify the process and here is what I came up with, and it worked. Reference link – https://msdn.microsoft.com/en-us/library/aa746533(v=vs.85).aspx. Note, With WinNT provider, I am using PDC host name and not the domain name. I did this to make sure I am targeting the PDC directly. Thoughts please?

        $samaccountname = %accountname%
                   $PDC = (get-addomain).pdcemulator
             $WinNTuser = [ADSI]"WinNT://$PDC/$samaccountname"
    
    If ( $WinNTuser.isaccountlocked -eq 'True' ) {
          $WinNTuser.IsAccountLocked = $false
          $WinNTuser.setinfo()
    }
    
  • #47564

    Jonathan Warnken
    Participant

    That should be sufficient. using the host name will ensure the change is written there. With the domain name the any DC could service the request.

You must be logged in to reply to this topic.