{"id":12841,"date":"2011-08-31T00:01:00","date_gmt":"2011-08-31T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/08\/31\/use-powershell-to-find-locked-out-user-accounts\/"},"modified":"2011-08-31T00:01:00","modified_gmt":"2011-08-31T00:01:00","slug":"use-powershell-to-find-locked-out-user-accounts","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-find-locked-out-user-accounts\/","title":{"rendered":"Use PowerShell to Find Locked-Out User Accounts"},"content":{"rendered":"

Summary<\/strong>: Use a one-line Windows PowerShell command to find and unlock user accounts.<\/p>\n

 <\/p>\n

\"Hey,Hey, Scripting Guy! I am trying to find users who are locked out. For example, I have a number of users who log on only occasionally. They constantly lock themselves out. I have seen some VBScripts to search for locked out user accounts, and even a Windows PowerShell script to accomplish the same thing, but I am wondering if there is an easier way to accomplish this task. Help, please!<\/p>\n

—CJ<\/p>\n

 <\/p>\n

\"Hey,Hello CJ,<\/p>\n

Microsoft Scripting Guy Ed Wilson here. One problem with going on vacation is that the vacation eventually ends. I keep thinking that if we could sell our house in Charlotte, North Carolina, I might like to move to Hawaii to live. Right now, though, very few houses are actually selling in Charlotte, so there is little hope of making that move. One cool thing about living in Hawaii is that it is a couple of hours later than Redmond, Washington (Redmond is -8 GMT and Hawaii is -10 GMT). (This means that the next time someone schedules a meeting for 4:00 P.M. on a Friday, it would be 2:00 P.M. for me instead of the normal 7:00 P.M. meetings I get these days.)<\/p>\n

CJ, I know exactly your predicament. You have users hiding in Active Directory Domain Services (AD DS) who are only occasional users. AD DS is essentially a database, and the old adage certainly applies: garbage in, garbage out. If a user cannot remember their password, the usefulness of network security diminishes rapidly. In addition, with the integration of directory services with messaging platforms, forgotten passwords can cause problems. However, when one has hundreds or thousands—or even hundreds of thousands of users—in Active Directory, finding a locked-out user can be as big of a challenge as finding the frogfish<\/a> in the picture I took during my last scuba diving trip to Kauai.<\/p>\n

\"Photo<\/a><\/p>\n

Note<\/b>   This is the third in a series of three posts about working with the ActiveDirectory<\/b> module. In the first post<\/a>, I discussed the RSAT tools and the Get-ADUser<\/b> cmdlet. In the second post<\/a>, I talked about installing the Active Directory management web service. For additional Active Directory and Windows PowerShell posts, refer to this collection<\/a> on the Hey, Scripting Guy! Blog.<\/p>\n

When using the Microsoft Active Directory cmdlets, locating locked-out users is a snap. In fact, the Search-ADAccount<\/b> cmdlet even has a lockedout<\/i> switch.<\/p>\n

The first thing to do is to import the ActiveDirectory<\/b> module by using the Import-Module<\/b> cmdlet. This command is shown here:<\/p>\n

Import-Module activedirectory<\/p>\n

Once the module is imported, use the Search-ADAccount<\/b> cmdlet with the lockedout <\/i>parameter. This command is shown here:<\/p>\n

Search-ADAccount –LockedOut<\/p>\n

Note<\/b>   Many network administrators who spend the majority of their time working with AD DS import the ActiveDirectory module via their Windows PowerShell profile. In this way, they never need to worry about first importing the module. I have an entire series of posts about working with profiles<\/a> that discusses how to create a profile, and what sort of things to add to it.<\/p>\n

The Search-ADAccount<\/b> command and the associated output are shown in the following figure.<\/p>\n

\"Image<\/a><\/p>\n

I can unlock the locked-out user account as well, assuming I have permission. In the following figure, I attempt to unlock the user account with an account that is a normal user. And an error arises.<\/p>\n

Note<\/b>   People are often worried about Windows PowerShell from a security perspective. Windows PowerShell is only an application, and a user is not able to do anything that they do not have rights or permission to accomplish. This is a case in point.<\/p>\n

\"Image<\/a><\/p>\n

Because the myuser<\/b> account does not have administrator rights, I need to start Windows PowerShell with an account that has the ability to unlock a user account. To do this, I right-click the Windows PowerShell icon while pressing Shift. This allows me to click Run as different user<\/b> in the shortcut menu. This produces the dialog box shown in the following figure.<\/p>\n

\"Image<\/a><\/p>\n

After I start Windows PowerShell again with an account that has rights to unlock users, I need to import the ActiveDirectory<\/b> module once again. I then check to ensure that I can still locate the locked-out user accounts. After I have proven to myself I can do that, I pipe the results of the Search-ADAccount<\/b> cmdlet to Unlock-ADAccount<\/b>. A quick check ensures I have unlocked all the locked-out accounts. The series of commands is shown here:<\/p>\n

import-module ActiveDirectory<\/p>\n

Search-ADAccount –LockedOut<\/p>\n

Search-ADAccount -LockedOut | Unlock-ADAccount<\/p>\n

Search-ADAccount –LockedOut<\/p>\n

 <\/p>\n

The commands and associated output are shown in the following figure.<\/p>\n

\"Image<\/a><\/p>\n

Note<\/b>   Keep in mind that the command Search-ADAccount -LockedOut | Unlock-ADAccount<\/b> will unlock every account that you have permission to unlock. In most cases, you will want to investigate before unlocking all locked-out accounts. If you do not want to unlock all locked-out accounts, use the confirm<\/i> switch to be prompted before unlocking an account.<\/p>\n

If I do not want to unlock all users, I user the confirm <\/i>parameter from the Unlock-ADAccount<\/b> cmdlet. As an example, I first check to see which users are locked out by using the Search-ADAccount<\/b> cmdlet, but I do not want to see everything, only their names. Next, I pipe the locked-out users to the Unlock-ADAccount<\/b> cmdlet with the confirm <\/i>parameter. I am then prompted for each of the three locked-out users. I choose to unlock the first and third users, but not the second user. I then use the Search-ADAccount<\/b> cmdlet one last time to ensure that the second user is still locked out. The following figure illustrates this technique.<\/p>\n

\"Image<\/a><\/p>\n

CJ, that is all there is to finding and unlocking users in Active Directory by using the Microsoft ActiveDirectory<\/b> module. I invite you back tomorrow when I will make a historic announcement. It is good, so check back. You will be glad you did.<\/p>\n

 <\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Use a one-line Windows PowerShell command to find and unlock user accounts.   Hey, Scripting Guy! I am trying to find users who are locked out. For example, I have a number of users who log on only occasionally. They constantly lock themselves out. I have seen some VBScripts to search for locked out […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,20,45],"class_list":["post-12841","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-user-accounts","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Use a one-line Windows PowerShell command to find and unlock user accounts.   Hey, Scripting Guy! I am trying to find users who are locked out. For example, I have a number of users who log on only occasionally. They constantly lock themselves out. I have seen some VBScripts to search for locked out […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/12841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=12841"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/12841\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=12841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=12841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=12841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}