Hi All,
I require assistance with modifying this script so that it also prompts me for a user's account as opposed to searching for all users.
E.g., my plan is I run this from others' desks and enter in my admin account, and then enter in the suspected locked-out account name so I can check if the account is locked out or not.
Is anyone able to assist with telling me what needs changing please:
If you’re just looking for a command that can unlock an AD account when given a user account I’d just use Unlock-ADAccount from the ActiveDirectory Module. If you need to run it under alternate credentials just create a credential object for your admin account.
Thanks so much for the prompt reply,
So if I don't want to type in the domain each time, do I need to specify it, or is it smart enough to pick it up from the logged-in PC that I run the script from? Would I use something like this (at home so can't test now)?
Should I run something like this on the PC of the user? Any other “Preferred/More Efficient Solutions”?
Or is there a better way to do it from AD so that I don't have to do it on the user's computer?
$cred = Get-Credential                      # admin account used for both the event-log query and the unlock
$DCName = 'DC1'
$username = Read-Host "Enter username you want to unlock"
# Lockout events (4740) on the DC for this account in the last 2 hours (timediff is in milliseconds).
# The filter must use $username; the original used an undefined $User, so it matched no events.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" -ComputerName $DCName -Credential $cred | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
Unlock-ADAccount -Identity $username -Credential $cred
Just wondering, is this getting the Windows event from my computer, or from the domain controller of the end user's computer?
By default unlock-adaccount (and most other AD cmdlets) will use your currently logged on domain. You can specify alternate domains with the -server parameter. There’s no reason to run it from the user’s PC. AD is centralized so you can run that cmdlet from your workstation just fine.
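To put the two replies above together, here is an added example (not code from the thread) that prompts for an admin credential and a single account name, reports whether that account is locked out, and only then unlocks it. It assumes the RSAT ActiveDirectory module is installed on the workstation it runs from; 'DC1' is a placeholder, and the -Server entry can be dropped from the splat to let the module pick a DC in the current domain.

```powershell
# Added example, not from the original thread: check one account's lockout state and unlock it,
# running the AD cmdlets under alternate (admin) credentials from any domain-joined workstation.
Import-Module ActiveDirectory

$cred     = Get-Credential -Message 'Admin account used for the unlock'
$username = Read-Host 'Enter the sAMAccountName to check'

# Splat the optional parameters once so every cmdlet below talks to the same DC with the same credentials.
# 'DC1' is a placeholder; remove the Server entry to use the current domain's default DC.
$adParams = @{ Credential = $cred; Server = 'DC1' }

$user = Get-ADUser -Identity $username -Properties LockedOut, badPwdCount, AccountLockoutTime @adParams

if (-not $user.LockedOut) {
    Write-Host "$username is not locked out (bad password count: $($user.badPwdCount))."
    return
}

Write-Host "$username locked out since $($user.AccountLockoutTime); bad password count: $($user.badPwdCount)"

# -Confirm prompts before changing anything, which helps when you are typing at someone else's desk.
Unlock-ADAccount -Identity $username -Confirm @adParams

# Re-read the attribute from the same DC rather than assuming the call succeeded.
$after = Get-ADUser -Identity $username -Properties LockedOut @adParams
Write-Host "LockedOut now: $($after.LockedOut)"
```

Because the credential and server are supplied on every call, nothing here depends on who is logged on to the PC the script is run from, which is the point of the reply above.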
Thanks,
Interesting.
I was just thinking if I could run it from an end user's desk, in scenarios where I may be at his/her desk already, to save me remoting back to my PC. Though I guess they would probably need to have the RSAT tools installed on their machine for it to work.
Is anyone able to try out this script and let me know if it works? I don't have access to an AD setup at home:
Also, is there an order constraint to how I put in the script? E.g., if I ask for account expiration, bad password history etc., when I unlock the account, does it wipe the last bad password attempt etc.?
Sorry for the flood of posts,
One more question please,
What would others normally do to see the results? I.e., is it preferred to put a PAUSE at the bottom of the script so you can see the results, or is it recommended to output to a temp text file/window etc.?
Does one work quicker/more reliably than the other?
Thanks
Thanks,
Though only interested in unlocking the end users' accounts as they come to me,
I need a ticket for every action I take for audit reasons (and to justify my job).
You could also set up a constrained endpoint on your computer or a management station if this is an option in your environment. You could then just run an invoke-command or enter-pssession from the client you’re at to your workstation using the configuration name you created. You can even specify alternate credentials for the endpoint to run the commands as. I use this in my environment when at another workstation to connect to a management station for AD tasks.
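An added example of the constrained endpoint described in the reply above (not code from the thread or from anyone in it). It assumes a management station with the ActiveDirectory module, a placeholder host name MGMT01, a placeholder endpoint name ADUnlock, and a placeholder transcript folder; the transcript directory is there because the poster needs an audit trail for every unlock.

```powershell
# Added example, not from the original thread: a constrained PowerShell endpoint on a management
# station (placeholder name MGMT01) that exposes only the AD cmdlets needed for lockout checks and
# unlocks, runs them as a stored admin credential, and writes a transcript of every session.

# --- Run once on MGMT01, in an elevated PowerShell session ---
$runAs = Get-Credential -Message 'Admin account the endpoint will run as'

# RestrictedRemoteServer hides everything except the listed cmdlets (plus the few proxy functions a
# restricted session needs). ConstrainedLanguage lets the client send a small script block with
# variables and an if statement; the default NoLanguage mode would only allow bare command calls.
New-PSSessionConfigurationFile -Path "$env:TEMP\ADUnlock.pssc" `
    -SessionType RestrictedRemoteServer `
    -LanguageMode ConstrainedLanguage `
    -ModulesToImport ActiveDirectory `
    -VisibleCmdlets 'Get-ADUser', 'Search-ADAccount', 'Unlock-ADAccount' `
    -TranscriptDirectory 'C:\PSTranscripts\ADUnlock'   # placeholder path; one transcript per session

# Register it under the name clients will reference, running as $runAs rather than the caller.
# -ShowSecurityDescriptorUI opens the ACL editor so only your helpdesk/admin group may connect.
Register-PSSessionConfiguration -Name ADUnlock -Path "$env:TEMP\ADUnlock.pssc" `
    -RunAsCredential $runAs -ShowSecurityDescriptorUI -Force

# --- From whichever client you are sitting at (no RSAT needed there) ---
$target = Read-Host 'Locked-out account to check'
Invoke-Command -ComputerName MGMT01 -ConfigurationName ADUnlock -ScriptBlock {
    param($name)
    $u = Get-ADUser -Identity $name -Properties LockedOut, AccountLockoutTime
    if ($u.LockedOut) {
        Unlock-ADAccount -Identity $name
        "$name was locked out since $($u.AccountLockoutTime); now unlocked"
    } else {
        "$name is not locked out"
    }
} -ArgumentList $target
```

For an interactive check instead, Enter-PSSession -ComputerName MGMT01 -ConfigurationName ADUnlock drops you into the same restricted session, and the transcript captures what was typed there as well.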