Use PowerShell to Find and Unlock Users in Active Directory


Summary: PowerShell MVP, Sean Kearney, shows how to use Windows PowerShell to find and unlock users in AD DS.

Microsoft Scripting Guy, Ed Wilson, is here. Today I am happy to announce that Honorary Scripting Guy and Microsoft PowerShell MVP, Sean Kearney, is back. This week will be Windows PowerShell in Blueville. Take it away Sean.

Blueville, Inc. was a wonderful place,
Where each IT worker has scripted a pace,
The management of actions, the flowing of work
Made each member function with nary a quirk.

But up in the tower, a mouse at his hands,
Was poor Mr. Finch surveying the lands,
All day with the GUI he stumbled so slow,
Not so productive, his output was low.

But in Blueville, the workers, we’ll call them the Blues
Were dancing and happy, with all of the news
Of a magical system, and from Monad it came,
Called PowerShell you see, such a wonderful name.

Mr. Finch spent each and every day a clicking and grunting,
Each moment you see, on the screen he was hunting.
He looked down from his office, his fingers were drumming,
Deep in his mind, his thoughts were a humming.

“Why are they so happy?” he wondered aloud.
“Why are the Blues smiling?” his thoughts in the cloud.
He watched as they worked with smiles in their eyes,
Their shiny Blue teeth raised to the skies.

Mr. Finch clicked Pause on the Seuss-RhymeOMatic and got up from his chair. He was having a difficult time. Over and over, the words ran through his head.

“…I have a problem that is giving a pain,
A riddling problem that is nagging my brain,
I have a division that is driving me dilly,
The users get locked out daily, it’s making me silly.
They get locked out in twos, and even in bunches.
They lock themselves out while chomping on lunches.
Please give me a way, please do it now
To stop all this madness, please show me how…”

Constantly unlocking accounts for a particular division in Active Directory…what a dilemma. Constantly pulling up the username, clearing the box, going back in for the next one a few moments later. It was driving him goofy.

Those words echoed in his head. He had thousands of happy Blue workers in Blueville, Inc. If only he had learned VBScript long ago. But it seemed so hard. He decided to take a walk to see the Blues. Sometimes talking things out gave him ideas…always a good way to go.

A little Blue was humming away. It was Stu. Stu Blue. Stu was happily smiling at a screen of Blue and unlocking a user.

Mr. Finch looked on at Stu and queried him too.

“How is it Mister Stu? How is it to work so happily upon that screen of Blue?”

Stu looked up at Mr. Finch and smiled away. “It is PowerShell Mr. Finch, a system that speeds up my day.”

Mr. Finch had heard of PowerShell—from Mount Monad it came, but it was a scripting solution, and all were the same.

Stu looked up and noticed the RhymeOMatic light was on, and quickly hit Pause.

“Thanks! That rhyming was driving me crazy. So I thought Windows PowerShell was another scripting solution? Isn’t it hard to learn?”

Stu thought for a moment. “I never thought about that because I don’t think I learned Windows PowerShell. I just use one or two cmdlets daily. I unlock users.”

This sounded like the person to help. “How hard is it to unlock an account with Windows PowerShell, Stu Blue?”

“I simply key in the cmdlet called Unlock-ADAccount, and the SAM account name of a user, like this.”

Unlock-ADAccount 'John.Smith'

“And of course, it’s never just one user, sometimes it’s an entire division from Blueville, Inc. It tends to go all thumbs some days….”

Mr. Finch nodded. This sounded familiar, but it must involve scripting. Mr. Finch watched.

“If I need to unlock an entire division of silly people typing on their keyboard with their noses, I can just pull up the list in Active Directory with a Get-ADUser cmdlet like this.”

Get-ADUser -Filter * -SearchBase 'CN=Legal,CN=Boston,DC=Blueville,DC=Local'

Mr. Finch watched an entire list of users flow by on the screen.

“Should I wish to unlock them all ‘carte blanche,’ I can simply pipe the content straight into the previous cmdlet like this.”

Get-ADUser -Filter * -SearchBase 'CN=Legal,CN=Boston,DC=Blueville,DC=Local' | Unlock-ADAccount

Mr. Finch looked over at Stu. “How did you learn how to work the cmdlets in Windows PowerShell?”

Stu looked up. “Within Windows PowerShell, there is a beautiful Help system. I key in Get-Help, the cmdlet name, and the Examples parameter. For example, the first time I wanted to learn how to use Unlock-ADAccount, I typed the following…”

Get-Help Unlock-ADAccount -Examples

“…and it provided me with some good examples. I know they say you can script with Windows PowerShell, but I am only first-level support. I only use it for unlocking users and it suits me fine!”

Mr. Finch was impressed. He decided to return upstairs with this new knowledge. If basic use of Windows PowerShell was this easy, perhaps scripting wasn’t so hard.
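Stu's pipeline unlocks every user under the search base, locked or not, and leaves no record of why an account was locked. The following is an added example, not code from the original post: it unlocks only the accounts that are currently locked out and saves the lockout details first. It assumes the ActiveDirectory module is installed; the function name Unlock-LockedUsersInScope and the audit file path are hypothetical.

```powershell
# Added example (not from the original post): unlock only the accounts that are
# actually locked out under one search base, recording each lockout beforehand.
function Unlock-LockedUsersInScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Search base copied from the article's example.
        [string]$SearchBase = 'CN=Legal,CN=Boston,DC=Blueville,DC=Local',
        # Hypothetical path for the audit record.
        [string]$AuditPath = '.\unlock-audit.csv'
    )

    # The AD cmdlets live in the ActiveDirectory module; fail early if it is missing.
    Import-Module ActiveDirectory -ErrorAction Stop

    # Search-ADAccount -LockedOut returns only accounts that are locked right now.
    $locked = @(Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase)
    if ($locked.Count -eq 0) {
        Write-Verbose "No locked-out users under $SearchBase"
        return
    }

    foreach ($account in $locked) {
        # Read the lockout details first; unlocking clears the lockout time.
        # BadLogonCount is not replicated, so it reflects the DC that answered.
        $user = Get-ADUser -Identity $account.DistinguishedName `
            -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt

        $record = [pscustomobject]@{
            SamAccountName         = $user.SamAccountName
            AccountLockoutTime     = $user.AccountLockoutTime
            BadLogonCount          = $user.BadLogonCount
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
            UnlockedBy             = $env:USERNAME
            UnlockedAt             = Get-Date
        }

        # Honors -WhatIf and -Confirm, so a run can be previewed safely.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Unlock-ADAccount')) {
            Unlock-ADAccount -Identity $user.DistinguishedName
            $record | Export-Csv -Path $AuditPath -Append -NoTypeInformation
            $record
        }
    }
}

# Preview first: with -WhatIf nothing is unlocked and nothing is written.
Unlock-LockedUsersInScope -WhatIf
```

Repeated lockouts for the same accounts in the audit file are worth a look before unlocking again, since they can point to a stale saved credential or to password guessing.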

And so Mr. Finch went back to floor two,
Went away to his computer to a screen of pure Blue.
That night PowerShell, he did open to play
And discover the wonder awaiting next day…

Thanks Sean. Please join us tomorrow for Part 2.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Hi Sean, my friend!

    it's wonderful to read that you're back for good!

    I hadn't realized that you are a poet, my dear

    that said, I've read through your Active Directory food

    and now everything seems to be pretty clear!

    ( I'm not a great poet :-)

    Well, I think you should have mentioned

    that Stu had to import the ActiveDirectory module first

    and then he might have to correct the   "Unlock-AddAccount"

    Cmdlet name and probably better name it "Unlock-AdAccount" :-)

    I'm really looking forward to the next episode tomorrow!

    Klaus.

  • I haven't tested the ActiveDirectory cmdlets for the parameter (and I am not near a domain machine right now), however . .

    The Quest cmdlets have the -locked (switch) parameter on the Get-QadUser cmdlet, to show you ALL of the currently locked accounts.

    Which is very useful.

    Get-QadUser -locked

  • Ben

    The Power of Windows Powershell is incredible.  There are so many options available to perform solutions.  I find like you the Quest Cmdlets are far easier but I've also found the Microsoft ActiveDirectory module is incredibly faster.

    Just remember, it's just a tool to get you home earlier.   Whatever works for you is the best solution

    Cheers!

    Sean

    :)