Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Summary: Today’s post is a quick Windows PowerShell tip to save time for the Help Desk to unlock Active Directory accounts.

Microsoft Scripting Guy, Ed Wilson, is here. I was talking to Ashley the other day, and he was telling me about a cool tip he came up with that many of his customers had been using on a regular basis. Although the technique is rather basic, he said that the customers found it to be extremely valuable. I told him, “Well, why don’t you write up a quick post, and we will put it on the Hey, Scripting Guy! Blog.” Today’s post is a result of that conversation.

Ashley McGlone is a premier field engineer (PFE) for Microsoft. He started writing code on a Commodore VIC20 in 1982, and he has been hooked ever since. Today he specializes in Active Directory and Windows PowerShell, helping Microsoft Premier Customers reach their full potential through risk assessments and workshops. Ashley’s favorite workshop to teach is Windows PowerShell Essentials, and his TechNet blog focuses on real-world solutions for Active Directory by using Windows PowerShell.

Blog: http://blogs.technet.com/b/ashleymcglone
Twitter: @GoateePFE

I was teaching a Windows PowerShell class last week, and my favorite part is always the last afternoon, when I help students start their own scripts. One student asked if there was a way to put a shortcut on the desktop for the Help Desk staff to unlock Active Directory accounts. I said, "Sure! This sounds like fun." In only a couple of minutes, we crafted this quick batch command that launches Windows PowerShell, loads the Active Directory module, prompts for the account name, and then unlocks it. Essentially, it is one wrapped line of code (not counting the "echo off"), as shown here:

@echo off
rem Use single quotes inside the double-quoted -Command argument so the prompt text survives command-line parsing.
powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host 'Enter the user account to unlock' | Unlock-ADAccount}"

Image of command output

Then another student asked if we could prompt for credentials, in case they needed to use a different account to perform the unlock. That was a quick edit to add the -Credential parameter with a prompt for credentials.

@echo off
powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host 'Enter the user account to unlock' | Unlock-ADAccount -Credential $(Get-Credential)}"

Image of command output

Follow these steps to create your quick unlock shortcut:

  • Create an empty BAT file on your desktop.
  • Paste the previous script.
  • Save.
  • Double-click.
  • That's it!

Note   This requires a workstation running Windows 7 with the Remote Server Administration Tools (RSAT) installed and the Active Directory module for Windows PowerShell feature enabled. You must also be running Active Directory Web Services on at least one domain controller. You can find instructions for RSAT and Active Directory Web Services in my blog Step-by-Step: How to use Active Directory PowerShell cmdlets against 2003 domain controllers.

The beauty of this shortcut is that it calls powershell.exe and passes the whole script block on the command line. Inside the block, semicolons separate statements, which is what lets several lines collapse into one. Two practical details: keep any strings inside the double-quoted -Command argument in single quotes, because nested double quotes are consumed by command-line parsing before PowerShell sees them (a prompt typed that way only survives because Read-Host's -Prompt parameter accepts the remaining bare words as the prompt text); and the account that runs the shortcut needs only the delegated permission to read and write the lockoutTime attribute on the OUs in question, not domain admin rights.
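As an added example (not code from the original post), here is the same unlock flow written as a script the shortcut can call, with the checks a help desk usually ends up asking for: it verifies the account exists, shows the lockout state before and after, reports a permission failure instead of silently closing the window, and lets you target a specific domain controller or pass alternate credentials. The function and parameter names are my own; it assumes the ActiveDirectory RSAT module is installed, and the account name comes from the prompt when you run it.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# RSAT module; the account name comes from the prompt, the DC defaults to the
# PDC emulator. Function names (Get-LockoutState, Unlock-HelpDeskAccount) are mine.
Import-Module ActiveDirectory

function Get-LockoutState {
    # Return the lockout-related attributes for one account as read from one DC.
    # LockedOut is calculated from lockoutTime; BadLogonCount (badPwdCount) is
    # per-DC and not replicated, so which DC you ask matters.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [hashtable] $Common = @{}          # -Server / -Credential passed through
    )
    Get-ADUser -Identity $Identity @Common -ErrorAction Stop -Properties LockedOut, AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
        Select-Object SamAccountName, LockedOut, AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount
}

function Unlock-HelpDeskAccount {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Server = (Get-ADDomain).PDCEmulator,   # DC to query and unlock on
        [pscredential] $Credential                        # alternate account, if needed
    )
    $common = @{ Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    # 1. Does the account exist, and is it actually locked on this DC?
    try {
        $before = Get-LockoutState -Identity $Identity -Common $common
    } catch {
        Write-Warning "Could not read '$Identity' from $Server : $($_.Exception.Message)"
        return
    }
    Write-Host "Before:"; $before | Format-List | Out-Host

    if (-not $before.LockedOut) {
        Write-Host "$($before.SamAccountName) is not locked out on $Server; nothing to do."
        return $before
    }

    # 2. Unlock, and say why if it fails (typically a delegation problem).
    try {
        Unlock-ADAccount -Identity $Identity @common -ErrorAction Stop
    } catch {
        Write-Warning "Unlock of '$Identity' failed: $($_.Exception.Message)"
        return $before
    }

    # 3. Read it back so the help desk sees the new state rather than assuming it.
    $after = Get-LockoutState -Identity $Identity -Common $common
    Write-Host "After:"; $after | Format-List | Out-Host
    return $after
}

# Interactive flow for the desktop shortcut.
$account = Read-Host 'Enter the user account to unlock'
Unlock-HelpDeskAccount -Identity $account | Out-Null
```

Save it as a .ps1 and have the BAT file run powershell.exe -NoExit -File with the script's path; -NoExit keeps the window open so any warning stays visible. The script queries the PDC emulator by default because every bad-password attempt is forwarded there, which makes it the DC whose BadLogonCount is worth reading; pass -Server to check or unlock on a different DC.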

I hope this saves you time with the Help Desk. If you would like some other time-saving tips for using Windows PowerShell for the Help Desk, see my blog How to close helpdesk tickets faster with PowerShell. P.S. If you would like to book a Windows PowerShell Essentials workshop with a Microsoft PFE, contact your premier technical account manager (TAM) for more information.

Enjoy!
~Ashley

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Our Help Desk only has permission to unlock certain user accounts. Is there a way to display an error if their account does not have the correct rights to unlock an account? Also, is there a way to specify which DC the unlock is performed on, or to do multiple DCs at once?

  • I've started playing with the ActiveDirectory module recently, and this has proven to be very useful! Thanks! Is it possible to display the status of the user account? For example, my help desk peepz run this batch file, and maybe it shows them the status, whether the account is unlocked. I cannot find this property in "Get-ADUser username -Properties *". Suggestions?

  • Great post. Is there a way to set it so you could only unlock users within your group? It would also be great if we could do a quick password reset within this. Thanks for your tips.

  • Thanks for the great questions and feedback to this post.  I'll answer each of your questions below with a new or modified batch file line.

    1.  Display an error if they don't have permissions to unlock the account.

    A.  Add the "-NoExit" to the front of the command so that you can see any errors that occur.

    @echo off
    powershell.exe -NoExit -Command "& {Import-Module ActiveDirectory; Read-Host 'Enter the user account to unlock' | Unlock-ADAccount}"

    2.  Specify the DC where to perform the unlock.

    A.  Add "-Server (Read-Host 'Enter the DC to target for the unlock')" to the Unlock-ADAccount cmdlet.

    @echo off
    powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host 'Enter the user account to unlock' | Unlock-ADAccount -Server (Read-Host 'Enter the DC to target for the unlock')}"

    3.  Display lockout status.

    A.  Get-ADUser calculates the LockedOut property, so we can query it along with a couple of other properties of interest.

    @echo off
    powershell.exe -Command "& {Get-ADUser (Read-Host 'Enter the user account name to check lockout status') -Properties Name, LockedOut, AccountLockoutTime | Format-List Name, LockedOut, AccountLockoutTime}"

    4.  Only unlock users within your group.

    A.  This should be handled with AD delegation rather than in PowerShell code.

    5.  Password reset.

    A.  I knew this would be the next request.  It actually involves a few lines of code that would look like this:

    Import-Module ActiveDirectory
    $u = Read-Host "Enter username for password reset"
    # The new password is collected twice as plain text so the two entries can be
    # compared (SecureString objects do not compare by value). Both entries are
    # echoed to the console, so clear the screen afterwards.
    $p1 = Read-Host "Enter new password"
    $p2 = Read-Host "Confirm new password"
    # -ceq is case-sensitive; passwords are, so -eq would accept a mismatch.
    If ($p1 -ceq $p2) {
       # -Reset makes this an administrative reset; without it the cmdlet
       # attempts a password change and prompts for the current password.
       Set-ADAccountPassword $u -Reset -NewPassword $(ConvertTo-SecureString $p1 -AsPlainText -Force)
       # The next line will error if the account is set to never expire.
       Set-ADUser $u -ChangePasswordAtLogon $true
    } Else {
       "Passwords did not match."
    }

    But then I massively shortened it to an aliased and compacted one-liner like this:

    @echo off
    powershell -NoE -C "&{ipmo ActiveDirectory;$u=Read-Host 'User';$p=Read-Host 'New pw';$q=Read-Host 'Confirm pw';If($p -ceq $q){Set-ADAccountPassword $u -Reset -N $(ConvertTo-SecureString $p -A -F);Set-ADUser $u -Ch 1}Else{'Pw mismatch'}}"

    Now you have enough options to create three or four handy shortcuts for yourself or others to enjoy.

    Have fun!

    ~Ashley

    @GoateePFE
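As an added example following the reply above (not code from the post or from the comment), here is the password-reset half written so the password is never echoed: it reads both entries as SecureStrings, compares them only after decrypting into a temporary buffer that is zeroed afterwards, performs an administrative reset with -Reset, and checks PasswordNeverExpires before setting the change-at-next-logon flag instead of letting that call fail. The function names are my own; it assumes the ActiveDirectory module and takes the account name from the prompt.

```powershell
# Added example, not code from the original post or comment. Assumes the
# ActiveDirectory RSAT module; account name comes from the prompt. Function
# names (ConvertTo-PlainText, Reset-HelpDeskPassword) are mine.
Import-Module ActiveDirectory

function ConvertTo-PlainText {
    # Decrypt a SecureString just long enough to compare it; the BSTR is zeroed
    # and freed afterwards so the plaintext does not linger in unmanaged memory.
    param([Parameter(Mandatory)] [securestring] $Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Reset-HelpDeskPassword {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Server,              # optional DC to target
        [pscredential] $Credential     # optional alternate account
    )
    $common = @{}
    if ($Server)     { $common.Server     = $Server }
    if ($Credential) { $common.Credential = $Credential }

    try {
        $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires @common -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$Identity': $($_.Exception.Message)"
        return $false
    }

    # Neither entry is shown on screen; -ceq keeps the comparison case-sensitive.
    $p1 = Read-Host 'Enter new password'   -AsSecureString
    $p2 = Read-Host 'Confirm new password' -AsSecureString
    if ((ConvertTo-PlainText $p1) -cne (ConvertTo-PlainText $p2)) {
        Write-Warning 'Passwords did not match; nothing changed.'
        return $false
    }

    # -Reset performs an administrative reset; without it the cmdlet attempts a
    # password change and asks for the current password.
    Set-ADAccountPassword -Identity $user -NewPassword $p1 -Reset @common -ErrorAction Stop

    if ($user.PasswordNeverExpires) {
        Write-Warning "$($user.SamAccountName) has 'password never expires' set; not forcing a change at next logon."
    } else {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true @common -ErrorAction Stop
    }

    # A reset does not by itself clear an existing lockout, so clear it here.
    Unlock-ADAccount -Identity $user @common
    Write-Host "Password reset for $($user.SamAccountName)."
    return $true
}

# Interactive flow for the desktop shortcut.
$target = Read-Host 'Enter username for password reset'
Reset-HelpDeskPassword -Identity $target | Out-Null
```

The plaintext copies exist only for the duration of the comparison inside ConvertTo-PlainText's callers; the SecureString $p1 is what gets handed to Set-ADAccountPassword, so the password is never written to the console or to a plain .NET string that stays referenced.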

  • Well, you could actually make this a "one-liner" by writing it like this:

    @echo off & powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host 'Enter the user account to unlock' | Unlock-ADAccount}"

    If you happen to copy and paste this at the command prompt directly, you will end up with a shell that shows no prompt. Just type @echo on to get the prompt back.

  • How can an administrator use the above script?

  • Great post! Nice scripting. I took it further and developed a workflow that can automate your own PowerShell scripts, so you can schedule or trigger them any time you want. Just take your scripts and put them inside the workflow, and you can see the results for yourself: http://bit.ly/JdsP6H

    Enjoy.

  • Hi,

    Is there a way to search for all users within the domain who are locked or unlocked?

    Accept >>> no

    Example:

    @echo off
    powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host 'Enter the user account to unlock' | Unlock-ADAccount -Credential $(Get-Credential)}"

    All users???

  • Nice post, thanks for sharing good information about Active Directory account unlock. I found an application at http://www.selfservicepasswordreset.org/ which allows unlocking accounts from any remote computer through a web browser, and allows the administrator to configure a policy for automatic Active Directory account unlock at a specific time for any particular domain.

  • thanks

  • Whenever I try to open it, a command window flashes and nothing happens...