Learn about Windows PowerShell
Summary: BATCHman shows how to use Windows PowerShell to locate and unlock user accounts in Active Directory.
Microsoft Scripting Guy Ed Wilson here. In the continuing saga of the world’s first Windows PowerShell superhero, BATCHman, and his faithful sidekick, Cmdlet, I once again present Windows PowerShell MVP and Honorary Scripting Guy Sean Kearney.
Whenever trouble happens in systems and people will call,
And darkness rolls out causing your fall,
Creatures of bits roam in the night,
Shine to the sky, the bright bluish Light,
And call to…BATCHman!
…and, oh yes, his sidekick Boy Blunder Cmdlet, too.
Shock! Terror! The Redmond Police office has been rendered useless! A dark shadow has crossed over the LAN!
“Our accounts! Every account in Active Directory locked out!” The police chief stared blankly at the computer screen. He then glared darkly across the hallway at the culprit, who was dressed in all black and hissing back at the police chief.
It was the dreaded Script Kitty, Madame CatFile’s only daughter. For years, there was a chance of her not assuming her mother’s role of foul villainry, and then the worst happened: she saw the cool clothes evil villains wore, and that was that. She was another victim of fashion.
Tonight, she had somehow slipped into the office in the guise of one of the cleaning staff and plugged her laptop into an unwatched LAN jack. She ran her “AttackCityHall.vbs” script in the hopes of unlocking at least one account. Fortunately for the city of Redmond and unfortunately for her, neither time nor password complexity rules was on her side.
Unfortunately, the city had, for security reasons, configured its Active Directory so that locked-out accounts do not unlock automatically. Thus, the poor police chief found himself in a predicament.
“Hiiiiissssss,” Script Kitty hissed again at the chief.
How dare he walk in on her while she was attempting to hack all of the accounts in the city of Redmond? She would have gotten away, too, if it weren’t for that oh-so-cute little mouse. She just had to pounce on it! After all, it was a pink Arc mouse. “So rare! Purrrrr,” her mind raced and then she was quickly caught and locked up.
There was only one account that Script Kitty missed. She, in her haste, somehow overlooked an administrator account.
The police chief looked over at the blue box on the wall with a small hammer marked, “In case of network emergency, break glass and press button.”
The glass shattered. The police chief did the one thing he never thought he’d need to do: he summoned the BATCHman Klaxons.
He pressed the Get-Help button, and moments later, 1,000 loudspeakers inside his office began pumping out a 1,000-decibel warning siren along with a blinding light.
Covering his ears and eyes, he stumbled across the room looking at the deputy. Taking a hammer to the Get-Help button and many sparks later, the sound and light disappeared.
Staring at his deputy, he cursed, “I told you, have them mount the BATCHman warning system outside the office, not inside!” He quickly grabbed his cell phone and dialed BATCHman’s private line.
***Moments later with a THUD and WHUMP***
“Never fear, BATCHman is here!” announced BATCHman.
The police chief looked up still recovering from the massive assault of sound and light. “Yes! Thank goodness you’re here! We are in dire need of your help!” he shouted above the imagined din.
BATCHman looked. “No need to yell, good citizen. We can h…”
The police chief gestured to all the loudspeakers in the office as well as the broken BATCHman blue box.
“Ahhhh, not again. Must remember, outside not inside.”
Quickly, the police chief guided him to the workstation. “We’re locked out of Active Directory! Only one good account! Need to get in! GUI slow! Ears hurt, too!”
BATCHman thought for a moment. With Windows PowerShell, they could solve this easily. Nevertheless, they’d have to identify the locked-out accounts to make this quick.
Quickly, he entered the Windows PowerShell console and loaded up the ActiveDirectory module.
Cmdlet looked over. “BATCHman, can we just pull up a user and have it show us whether they are locked out?”
Enjoying his sidekick’s enthusiasm, BATCHman noted, “Yes, it is possible using the Properties parameter, but the ActiveDirectory module has a far more powerful feature called SEARCH-ADACCOUNT. To find all users locked out in Active Directory, we type this.”
“But, Cmdlet, if we need to make this go faster and unlock only the computers in a particular organizational unit or OU, we can specify parameters such as –searchbase.”
Search-ADAccount -SearchBase 'OU=Division31,OU=Locations,DC=Police,DC=Redmond,DC=Local' -LockedOut
Now, we can just quickly UNLOCK all the accounts by piping the results into UNLOCK-ADACCOUNT.
Search-ADAccount -SearchBase 'OU=Division31,OU=Locations,DC=Police,DC=Redmond,DC=Local' -LockedOut | Unlock-ADAccount
Cmdlet blinked. One single line? “Holy Simple Simon, BATCHman! Windows PowerShell really is powerful!”
“Yes, it is. Now, quickly have the police chief verify that his staff and he can get in.”
The police chief logged in and verified all was well. “Thank you, BATCHman! You have saved the day! You’re our hero!”
BATCHman covered his ears from the shouting. “You’re quite welcome, good citizen.”
Forgotten during all of this, Script Kitty looked up at BATCHman and purred, “Your outfit is purrrfectly delightful.”
BATCHman looked over. “Yes, maybe someday you’ll learn about the power of good and of Windows PowerShell. Crime not only doesn’t pay, it has a far worse budget for cool costumes.”
I want to thank Sean for another exciting episode of BATCHman. Join us tomorrow when The Scripting Wife learns about creating a profile for the Windows PowerShell console.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy
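A more cautious version of the search-and-unlock one-liner above, as an added example that is not part of the original article: it records which accounts were locked before changing anything (after a password-guessing run, that list is evidence worth keeping) and previews the unlock before performing it. The OU is the one used in the story; the report path is an assumed placeholder, and querying the PDC emulator is a choice made for this example.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# OU from the story; $ReportPath is an assumed placeholder path.
$SearchBase = 'OU=Division31,OU=Locations,DC=Police,DC=Redmond,DC=Local'
$ReportPath = '.\LockedOut-BeforeUnlock.csv'

# Account lockouts are replicated urgently to the PDC emulator, so ask it
# directly instead of whichever domain controller happens to answer.
$Pdc = (Get-ADDomain).PDCEmulator

# -UsersOnly keeps computer accounts out of the result set.
# Get-ADUser then pulls the lockout details for each locked user.
$Locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase -Server $Pdc |
    Get-ADUser -Server $Pdc -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt

# Save what was locked, and when, before touching anything.
# BadLogonCount is not replicated; the value shown is the PDC emulator's own count.
$Locked |
    Sort-Object AccountLockoutTime |
    Select-Object SamAccountName, DistinguishedName, AccountLockoutTime,
                  BadLogonCount, LastBadPasswordAttempt |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} locked-out user account(s) recorded in {1}" -f @($Locked).Count, $ReportPath)

# Dry run: lists every account that would be unlocked, changes nothing.
$Locked | Unlock-ADAccount -Server $Pdc -WhatIf

# Actual unlock, with a confirmation prompt for each account.
$Locked | Unlock-ADAccount -Server $Pdc -Confirm

# Verify: anything still listed here is still locked (or has been locked again).
Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase -Server $Pdc |
    Select-Object SamAccountName, DistinguishedName
```

If the final query returns accounts that were just unlocked, something is still submitting bad passwords for them, and unlocking again will not help until that source is found.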
Great job BATCHman,
powershell AD modules are a great help!
They are far more productive than the commandline, so let's rely on them!
@BATCHman: tell me if Cmdlet has a headache and you need some help!
President of the fan club is something to consider ...
Cmdlet has a headache already from too many bad BATCHman puns :)
What if there is more than 1 DC? What if the account is locked out on some DC and on another is unlocked?
Best Regards, Robin
@Robin - can't happen.
You need to look at the articles on MS/MSDN on AD architecture. "Locked-Out" is just that: "Locked-Out". An account has two states; locked or not locked. It has nothing to do with DCs.
when searching with LDAP :
PS C:\> Get-QADUser -LdapFilter '(&(objectCategory=person)(objectClass=user)(Lockouttime>=1))' -Sizelimit 0 | ft Name
It finds all locked accounts > verified over dsa.msc and lockout status.
PS C:\> Search-ADAccount -lockedout | ft Name
Doesn't find those accounts
PS: you know there is replication between the DCs so it can really happen that it gets locked on one DC and it is unlocked on another.
Can't. The replication is transacted around key items.
You are thinking of latency, which is the time between when you make a change and when it is completed. Not all elements are available up front. Some are always returned from the master. Account status, I believe, is always retrieved from the master.
Some items are not updated across DCs. Items like LastLogon. This is per-DC. Each DC needs to be queried independently.
If a process has a cached copy of an AD object it may not reflect the current value.
I don't want to turn this blog into a forum. If you really want to pursue this you should post it at: social.technet.microsoft.com/.../ITCG
Thanks so much BIATCHman,
this was very helpful.