Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Gökalp İmamoğlu — Fri, 30 Nov 2012 21:28:31 GMT

hi,

users to search for all users within the domain is locked unlocked?

accept >>>no

example:

@echo off

powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host "Enter the user account to unlock" | Unlock-ADAccount -Credential $(Get-Credential)}"

All users???

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Ayehu — Fri, 03 Aug 2012 16:21:31 GMT

Great post! nice scripting. I took it further and developed a workflow that can automate your own powershell scripts! aha! so you can schedule or trigger them any time you want, just take your scripts and put them inside the workflow and the results you can see for your self http://bit.ly/JdsP6H

Enjoy.

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Ayehu — Fri, 03 Aug 2012 16:20:37 GMT

Enjoy.

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Virendra — Mon, 09 Jul 2012 16:26:35 GMT

how a administrator can use the above script

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

C Reese — Tue, 29 May 2012 03:01:01 GMT

Well you could actually make this a "One Liner" by writing it like this:

@echo off & powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host "Enter the user account to unlock" | Unlock-ADAccount}"

If you happen to copy and paste this on the command prompt directly, you will end up with a no prompt shell. Just type @Echo on to get the prompt back.

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Ashley McGlone — Thu, 10 May 2012 14:53:00 GMT

Thanks for the great questions and feedback to this post. I'll answer each of your questions below with a new or modified batch file line.

1. Display an error if they don't have permissions to unlock the account.

A. Add the "-NoExit" to the front of the command so that you can see any errors that occur.

@echo off

powershell.exe -NoExit -Command "& {Import-Module ActiveDirectory; Read-Host "Enter the user account to unlock" | Unlock-ADAccount}"

2. Specify the DC where to perform the unlock.

A. Add "-Server (Read-Host "Enter the DC to target for the unlock")" to the Unlock-ADAccount cmdlet.

@echo off

powershell.exe -Command "& {Import-Module ActiveDirectory; Read-Host "Enter the user account to unlock" | Unlock-ADAccount -Server (Read-Host "Enter the DC to target for the unlock")}"

3. Display lockout status.

A. Get-ADUser calculates the property LockedOut, so we can query that with a couple other properties of interest.

@echo off

powershell.exe -Command "& {Get-ADUser (Read-Host "Enter the user account name to check lockout status") -Properties Name, LockedOut, AccountLockoutTime | Format-List Name, LockedOut, AccountLockoutTime}"

4. Only unlock users within your group.

A. This should be handled with AD delegation rather than in PowerShell code.

5. Password reset.

A. I knew this would be the next request. It actually involves a few lines of code that would look like this:

Import-Module ActiveDirectory

$u = Read-Host "Enter username for password reset"

# We must collect the new password strings as plain text,

# because we cannot verify that they match if they are

# secure strings.

$p1 = Read-Host "Enter new password"

$p2 = Read-Host "Confirm new password"

If ($p1 -eq $p2) {

Set-ADAccountPassword $u -NewPassword $(ConvertTo-SecureString $p1 -AsPlainText -Force)

# The next line will error if the account is set to never expire.

Set-ADUser $u -ChangePasswordAtLogon $true

} Else {

"Passwords did not match."

}

But then I massively shortened it to an aliased and compacted one-liner like this:

@echo off

powershell -NoE -C "&{ipmo ActiveDirectory;$u=Read-Host 'User';$p=Read-Host 'New pw';$q=Read-Host 'Confirm pw';If($p -eq $q){Set-ADAccountPassword $u -N $(ConvertTo-SecureString $p -A -F);Set-ADUser $u -Ch 1}Else{'Pw mismatch'}}"

Now you have enough options to create three or four handy shortcuts for yourself or others to enjoy.

Have fun!

~Ashley

@GoateePFE

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

User — Wed, 09 May 2012 19:02:31 GMT

Great post. Is there a way to set it so you could only unlock users within your group? It would also be great if we could do a quick password reset within this. Thanks for your tips

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Account Properties — Tue, 08 May 2012 12:29:26 GMT

I've started playing with activedirectory module recently and this has proven to be very useful! Thanks! Is it possible to display the status of the user account. Example, my helpdesk peepz run this batch file, and maybe it shows them the status - if the account is unlocked. I cannot find this properties information in "get-aduser username -properties *". Suggestions?

re: Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Mike Neal — Mon, 07 May 2012 17:42:58 GMT

Our HelpDesk only has certain user accounts they have permission to unlock, is there a way to display an error if their account does not have the correct rights in order to unlock an account? Also, is there a way to specify what DC it unlocks the account out at or do multiple DCs at once?