unlock ad accounts using powershell

In most cases, users forget their account password or mistypes it too many times and they lock themselves out of their accounts due to the Active Directory account lockout policy.

An Essential part of any system administrator or technician is to know how to unlock an Account (or multiple AD accounts) using a PowerShell.

With Active Directory GUI management tools, you can unlock only one user account at a time.

PowerShell tool comes in the picture when you need to deal or unlock multiple Active Directory accounts at once. With PowerShell, you can easily unlock one or more user account quickly and easily from the command line!

In this tutorial, we will show you how to unlock Active Directory user accounts with PowerShell.

Install Active Directory Module for PowerShell

Before starting, you will need to install the Active Directory module for PowerShell on your system.

First, open the PowerShell and run the following command to install the Active Directory module for PowerShell:

Add-WindowsFeature RSAT-AD-Powershell

Once installed, you should see the following output:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             NoChangeNeeded {}

Example:

PowerShell uses the Unlock-ADAccount cmdlet to unlock user accounts in active directory.

It restores Active Directory Domain Services access for an account that is locked.

Run the following command for more information about the Unlock-ADAccount cmdlet:

Get-Help unlock-adaccount

You should see the following output:

Find Lockout Status Of Active Directory User Account

It is important to know which Active Directory user account is locked out as those users will eventually come to you for help or this could be a sign of an intrusion gone wrong.

You can see the lockout status of any user account with the Get-ADUser command.

For example, check the lockout status of the user hitesh and vyom by running the following command:

Get-ADUser -Identity 'hitesh' -Properties LockedOut | Select-Object Name,Lockedout

Or

Get-ADUser -Identity 'vyom' -Properties LockedOut | Select-Object Name,Lockedout

In the above screenshot, you should see that the lockout status of both user are False means the account is not locked.

Find All Lockout Active Directory User Accounts

To find all lockout Active Directory account, run the following command:

Search-ADAccount -lockedout | Select-Object Name, SamAccountName

You should get the following output:

Name SamAccountName
---- --------------
jayesh jayesh
rajesh rajesh
mitesh mitesh

Now, lets Unlock the user account named jayesh by running the following command:

Unlock-ADAccount -Identity jayesh

Now, verify whether the user is unlocked or not with the following command:

Search-ADAccount -lockedout | Select-Object Name, SamAccountName

You should get the following output:

Name SamAccountName
---- --------------
rajesh rajesh
mitesh mitesh

Example:

Unlock All Active Directory User Accounts

At this point, we found all the accounts in our AD that are locked.

You can unlock All User Accounts at the same time by running the following command:

Search-ADAccount -Lockedout | Unlock-AdAccount

You can verify whether all accounts are unlocked or not with the following command:

Search-ADAccount -lockedout | Select-Object Name, SamAccountName

You can not see any output that means all user accounts are unlocked.

Example:

Ask Confirmation Before Unlocking All Active Directory User Accounts

It is a good idea to unlock the locked user accounts with confirmation so you can unlock only required user accounts.

First, find all locked user accounts with the following command:

Search-ADAccount -lockedout | Select-Object Name, SamAccountName

Next, unlock all locked user accounts with confirmation by running the following command:

Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm

You will be asked to confirm before unlocking all accounts.

You can type Y to confirm a single account and A to confirm all account as shown in the following screen:

Conclusion

As you have seen, PowerShell is a very powerful tool to perform Active Directory related operations very quickly. It helps system administrators to rapidly perform the Active Directory related tasks and has proven to be a necessary skill to learn as a network admin!

We hope this tutorial has helped you learn how to Unlock AD Accounts, both single users and multiple (bulk) users at once!

Leave a Reply

Your email address will not be published. Required fields are marked *