BATCHman Uses PowerShell to Identify and Unlock User Accounts
Summary: BATCHman shows how to use Windows PowerShell to locate and unlock user accounts in Active Directory.

Microsoft Scripting Guy Ed Wilson here. In the continuing saga of the world’s first Windows PowerShell superhero, BATCHman, and his faithful sidekick, Cmdlet, I once again present Windows PowerShell MVP and Honorary Scripting Guy Sean Kearney.

Whenever trouble happens in systems and people will call,
And darkness rolls out causing your fall,
Creatures of bits roam in the night,
Shine to the sky, the bright bluish Light,
And call to…BATCHman!
…and, oh yes, his sidekick Boy Blunder Cmdlet, too.

Shock! Terror! The Redmond Police office has been rendered useless! A dark shadow has crossed over the LAN!

“Our accounts! Every account in Active Directory locked out!” The police chief stared blankly at the computer screen. He then glared darkly across the hallway at the culprit, who was dressed in all black and hissing back at him. It was the dreaded Script Kitty, Madame CatFile’s only daughter. For years, there was a chance of her not assuming her mother’s role of foul villainy, and then the worst happened: she saw the cool clothes evil villains wore, and that was that. She was another victim of fashion.

Tonight, she had somehow slipped into the office in the guise of one of the cleaning staff and plugged her laptop into an unwatched LAN jack. She ran her “AttackCityHall.vbs” script in the hopes of unlocking at least one account. Fortunately for the city of Redmond and unfortunately for her, neither time nor the password complexity rules were on her side. Unfortunately, the city had, for security reasons, configured its Active Directory so that locked accounts do not unlock automatically. Thus, the poor police chief found himself in a predicament.

“Hiiiiissssss,” Script Kitty hissed again at the chief. How dare he walk in on her while she was attempting to hack all of the accounts in the city of Redmond? She would have gotten away, too, if it weren’t for that oh-so-cute little mouse. She just had to pounce on it! After all, it was a pink Arc mouse. “So rare! Purrrrr,” her mind raced, and then she was quickly caught and locked up.

There was only one account that Script Kitty missed. She, in her haste, somehow overlooked an administrator account. The police chief looked over at the blue box on the wall with a small hammer marked, “In case of network emergency, break glass and press button.” The glass shattered, and the police chief did the one thing he never thought he’d need to do: he summoned the BATCHman Klaxons. He pressed the Get-Help button, and moments later, 1,000 loudspeakers inside his office began pumping out a 1,000-decibel warning siren along with a blinding light. Covering his ears and eyes, he stumbled across the room looking at the deputy. Taking a hammer to the Get-Help button and many sparks later, the sound and light disappeared. Staring at his deputy, he cursed, “I told you, have them mount the BATCHman warning system outside the office, not inside!” He quickly grabbed his cell phone and dialed BATCHman’s private line.

***Moments later with a THUD and WHUMP***

“Never fear, BATCHman is here!” announced BATCHman.

The police chief looked up, still recovering from the massive assault of sound and light. “Yes! Thank goodness you’re here! We are in dire need of your help!” he shouted above the imagined din.

BATCHman looked. “No need to yell, good citizen. We can h…” The police chief gestured to all the loudspeakers in the office as well as the broken BATCHman blue box. “Ahhhh, not again. Must remember, outside not inside.”

Quickly the police chief guided him to the workstation. “We’re locked out of Active Directory! Only one good account! Need to get in! GUI slow! Ears hurt, too!”

BATCHman thought for a moment. With Windows PowerShell, they could solve this easily. Nevertheless, they’d have to identify the locked-out accounts to make this quick. Quickly, he entered the Windows PowerShell console and loaded up the ActiveDirectory module.
Import-Module ActiveDirectory

Cmdlet looked over. “BATCHman, can we just pull up a user and have it show us whether they are locked out?” Enjoying his sidekick’s enthusiasm, BATCHman noted, “Yes, it is possible using the Properties parameter, but the ActiveDirectory module has a far more powerful feature called Search-ADAccount. To find all users locked out in Active Directory, we type this.”

Search-ADAccount -LockedOut

“But, Cmdlet, if we need to make this go faster and unlock only the accounts in a particular organizational unit, or OU, we can specify parameters such as -SearchBase.”

Search-ADAccount -SearchBase 'OU=Division31,OU=Locations,DC=Police,DC=Redmond,DC=Local' -LockedOut

Now we can quickly unlock all of those accounts by piping the results into Unlock-ADAccount.

Search-ADAccount -SearchBase 'OU=Division31,OU=Locations,DC=Police,DC=Redmond,DC=Local' -LockedOut | Unlock-ADAccount

Cmdlet blinked. One single line? “Holy Simple Simon, BATCHman! Windows PowerShell really is powerful!”

“Yes, it is. Now, quickly have the police chief verify that he and his staff can get in.”

The police chief logged in and verified all was well. “Thank you, BATCHman! You have saved the day! You’re our hero!”

BATCHman covered his ears from the shouting. “You’re quite welcome, good citizen.”

Forgotten during all of this, Script Kitty looked up at BATCHman and purred, “Your outfit is purrrfectly delightful.”

BATCHman looked over. “Yes, maybe someday you’ll learn about the power of good and of Windows PowerShell. Crime not only doesn’t pay, it has a far worse budget for cool costumes.”

I want to thank Sean for another exciting episode of BATCHman. Join us tomorrow when The Scripting Wife learns about creating a profile for the Windows PowerShell console. I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy
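The one-liner above is the fastest way out of the predicament, but after a lockout storm caused by an attacker you usually want to look before you unlock: which accounts were hit, when, and whether the attempts are still running. The script below is an added example, not code from the original post or from Sean Kearney. It keeps the story’s OU path as an assumed search base, queries the PDC emulator (which receives every lockout urgently, so its view is the most complete), restricts the search to user accounts with -UsersOnly (Search-ADAccount -LockedOut on its own also returns locked-out computer accounts), shows the lockout and last-bad-password timestamps for review, and then unlocks only enabled users while writing an audit CSV to an assumed log path. Run it with -WhatIf on Unlock-ADAccount first if you want a rehearsal.

```powershell
# Added example (not from the original post). The OU path and the log path are assumptions.
Import-Module ActiveDirectory

# The PDC emulator is told about every lockout immediately, so query it rather than a random DC.
$pdc        = (Get-ADDomain).PDCEmulator
$searchBase = 'OU=Division31,OU=Locations,DC=Police,DC=Redmond,DC=Local'   # assumed OU from the story
$logPath    = Join-Path $env:TEMP 'unlock-audit.csv'                          # assumed audit log location

# -UsersOnly excludes computer accounts, which -LockedOut would otherwise return as well.
$locked = Search-ADAccount -Server $pdc -SearchBase $searchBase -LockedOut -UsersOnly |
    ForEach-Object {
        # Pull the lockout details the Search-ADAccount result does not carry.
        Get-ADUser -Server $pdc -Identity $_.DistinguishedName `
            -Properties AccountLockoutTime, LastBadPasswordAttempt, badPwdCount
    }

if (-not $locked) {
    Write-Host "No locked-out user accounts under $searchBase"
    return
}

# Review before acting: many lockouts with near-identical timestamps point to a scripted
# attack, and it may still be running when you unlock (the accounts will simply lock again).
$locked |
    Select-Object SamAccountName, Enabled, AccountLockoutTime, LastBadPasswordAttempt, badPwdCount |
    Sort-Object AccountLockoutTime |
    Format-Table -AutoSize

# Unlock only enabled users. -Confirm:$false suits an emergency; add -WhatIf to rehearse.
$results = foreach ($u in ($locked | Where-Object { $_.Enabled })) {
    try {
        Unlock-ADAccount -Server $pdc -Identity $u.DistinguishedName -Confirm:$false -ErrorAction Stop
        [pscustomobject]@{
            Time     = Get-Date
            User     = $u.SamAccountName
            LockedAt = $u.AccountLockoutTime
            Result   = 'Unlocked'
        }
    }
    catch {
        [pscustomobject]@{
            Time     = Get-Date
            User     = $u.SamAccountName
            LockedAt = $u.AccountLockoutTime
            Result   = "Failed: $($_.Exception.Message)"
        }
    }
}

# Keep an audit trail of what was unlocked and when, then show the outcome.
$results | Export-Csv -Path $logPath -NoTypeInformation -Append
$results | Format-Table -AutoSize

# Verify: a second search should come back empty if every unlock succeeded.
Search-ADAccount -Server $pdc -SearchBase $searchBase -LockedOut -UsersOnly |
    Select-Object SamAccountName
```

Two design choices worth noting: the script reads and unlocks against the same DC so the before-and-after checks are consistent (lockout state and badPwdCount are tracked per DC, and the PDC emulator is the one that always knows), and it deliberately skips disabled accounts, since an unlock there achieves nothing and the lockout on a disabled account is often itself a sign of the attack.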