PS Script to Unlock AD Users Account

Hi All,
I require assistance with modifying this script so that it also prompts me for a user's account as opposed to searching for all users.
E.g., my plan is to run this from others' desks, enter my admin account, and then enter the suspected locked-out account name so I can check whether the account is locked out or not.

Is anyone able to assist with telling me what needs changing, please:

#Requires -Version 3.0

[CmdletBinding()]
param (
    [ValidateNotNullOrEmpty()]
    [string]$DomainName = $env:USERDOMAIN,
    [ValidateNotNullOrEmpty()]
    [string]$UserName = "*",
    [ValidateNotNullOrEmpty()]
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)
Invoke-Command -ComputerName (
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName))
    ).PdcRoleOwner.name
) {
    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
    Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
    Select-Object -Property TimeCreated,
        @{Label='UserName';Expression={$_.Properties[0].Value}},
        @{Label='ClientName';Expression={$_.Properties[1].Value}}
} -Credential (Get-Credential) |
Select-Object -Property TimeCreated, UserName, ClientName

If you’re just looking for a command that can unlock an AD account when given a user account I’d just use Unlock-ADAccount from the ActiveDirectory Module. If you need to run it under alternate credentials just create a credential object for your admin account.

$cred = get-credential
#enter admin account in credential dialog box
unlock-adaccount -identity joeuser -credential $cred
$cred = get-credential
$username = read-host "Enter username you want to unlock"
unlock-adaccount -identity $username -credential $cred

Thanks so much for the prompt reply.
So if I don't want to type in the domain each time, do I need to specify it, or is it smart enough to pick it up from the logged-in PC that I run the script from? Would I use something like this (at home so can't test now)?

Should I run something like this on the PC of the user, or are there any other "preferred/more efficient solutions"?
Or is there a better way to do it from AD so that I don't have to do it on the user's computer?

$cred = get-credential
$DCName = 'DC1'
$username = read-host "Enter username you want to unlock"
# 4740 (account locked out) events from the last 2 hours (7200000 ms) on $DCName for this account.
# The XPath must reference $username (the variable read above), and reading a remote Security log needs -Credential.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" -ComputerName $DCName -Credential $cred | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
unlock-adaccount -identity $username -credential $cred

Just wondering, is this getting the Windows event from my computer, or from the domain controller of the end user's computer?

By default unlock-adaccount (and most other AD cmdlets) will use your currently logged on domain. You can specify alternate domains with the -server parameter. There’s no reason to run it from the user’s PC. AD is centralized so you can run that cmdlet from your workstation just fine.

Thanks,
Interesting.
I was just thinking I could run it from an end user's desk, in scenarios where I may be at his/her desk already, to save me remoting back to my PC. Though I guess they would probably need to have the RSAT tools installed on their machine for it to work.

Is anyone able to try out this script and let me know if it works? I don't have access to an AD setup at home:
Also, is there an order constraint to how I put in the script? E.g., if I ask for account expiration, bad password history etc., when I unlock the account, does it wipe the last bad password attempt etc.?

$X3Cred = get-credential
#$DCName = 'DC1'
$username = read-host "Enter username you want to unlock"
unlock-adaccount -identity $username -credential $X3Cred
# Show the account's current bad-password count and expiration date (variable name and property name corrected)
get-aduser $username -Properties badPwdCount -Credential $X3Cred
get-aduser $username -Properties AccountExpirationDate -Credential $X3Cred
# XPath comparison operator is "<=" with no space in between
#Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" -ComputerName $DCName | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
# Without -ComputerName this reads the Security log of the machine the script runs on
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$username']]" | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
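An added example (not from any poster in this thread) that puts the pieces asked for in the first post and the post above together: prompt for one account, read its lockout state and the 4740 events from the PDC emulator under the admin credential, record a ticket number, then unlock. It assumes the ActiveDirectory RSAT module, WinRM access to the PDC emulator, and rights to read its Security log; the parameter names are my own.

```powershell
#Requires -Version 3.0
#Requires -Modules ActiveDirectory
# Added example, not the thread's script: check and unlock one suspected locked-out account.
param (
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string]$UserName,                                   # sAMAccountName of the account to check
    [int]$Hours = 2,                                     # how far back to look for 4740 events
    [pscredential]$Credential = (Get-Credential -Message 'Admin account')
)

# Lockouts are processed by the PDC emulator, so ask AD which DC holds that role rather than
# hard-coding 'DC1'. -Credential lets this run from any domain-joined workstation you sit at.
$pdc = (Get-ADDomain -Credential $Credential).PDCEmulator

# badPwdCount is not replicated; the PDC emulator has the authoritative value.
$user = Get-ADUser -Identity $UserName -Server $pdc -Credential $Credential `
            -Properties LockedOut, badPwdCount, AccountLockoutTime, AccountExpirationDate
$user | Select-Object SamAccountName, LockedOut, badPwdCount, AccountLockoutTime, AccountExpirationDate
if (-not $user.LockedOut) {
    Write-Warning "$UserName is not locked out; nothing to unlock."
    return
}

# Collect the 4740 events BEFORE unlocking, so the source of the bad passwords is captured
# regardless of what the unlock resets on the account object. Property 0 is the target
# account, property 1 the caller computer name (the machine that sent the bad passwords).
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Invoke-Command -ComputerName $pdc -Credential $Credential -ScriptBlock {
    Get-WinEvent -FilterHashtable $Using:filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $Using:UserName } |
        Select-Object TimeCreated,
            @{ Label = 'UserName';   Expression = { $_.Properties[0].Value } },
            @{ Label = 'SourceHost'; Expression = { $_.Properties[1].Value } }
}
$events | Select-Object TimeCreated, UserName, SourceHost | Format-Table -AutoSize

# Ticket reference for the audit trail; the DC also logs the unlock itself as event 4767.
$ticket = Read-Host 'Ticket number for this unlock'
Unlock-ADAccount -Identity $UserName -Server $pdc -Credential $Credential
$hosts = ($events.SourceHost | Sort-Object -Unique) -join ', '
Write-Host "Unlocked $UserName (ticket $ticket); lockout source host(s): $hosts"
```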

Sorry for the flood of posts,
One more question, please:
What would others normally do to see the results? I.e., is it preferred to put a PAUSE at the bottom of the script so you can see the results, or is it recommended to output to a temp text file/window etc.?
Does one work quicker/more reliably than the other?
Thanks

In an interactive script I would use the “Press Any Key to continue…” way.

You can try the following command to unlock all locked-out accounts.

Search-ADAccount -LockedOut | Unlock-ADAccount

You can filter the results from Search-ADAccount before piping it to Unlock-ADAccount. For example:

Search-ADAccount -LockedOut | Where {$_.samaccountname -eq "jdoe"} | Unlock-ADAccount

Additionally, you could also take a look at the article below, which explains a few common root causes of account lockouts and how to resolve them.

Thanks,
Though I'm only interested in unlocking the end users' accounts as they come to me.
I need a ticket for every action I take for audit reasons (and to justify my job).

You could also set up a constrained endpoint on your computer or a management station if this is an option in your environment. You could then just run an invoke-command or enter-pssession from the client you’re at to your workstation using the configuration name you created. You can even specify alternate credentials for the endpoint to run the commands as. I use this in my environment when at another workstation to connect to a management station for AD tasks.
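An added example of the constrained endpoint described above (my own code, not the poster's): the endpoint on a management station exposes only the lookup and unlock cmdlets, runs them as a delegated account so the connecting helpdesk user needs no AD rights, and transcribes every session for the ticket/audit trail. It assumes Windows PowerShell 5.1 and RSAT on the management station; 'MGMT01', the paths and the configuration name are placeholders.

```powershell
# Added example: least-privilege "unlock only" endpoint on a management station.

# --- one-time setup, run elevated on the management station ---
$configPath = "$env:ProgramData\PSConfigs\UnlockOnly.pssc"
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
$cfg = @{
    Path                = $configPath
    # RestrictedRemoteServer: NoLanguage mode plus a few basics (Get-Command, Select-Object ...)
    SessionType         = 'RestrictedRemoteServer'
    ModulesToImport     = 'ActiveDirectory'
    # Allow-list the cmdlets AND the parameters the helpdesk may use with them.
    VisibleCmdlets      = @(
        @{ Name = 'Get-ADUser';       Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } },
        @{ Name = 'Unlock-ADAccount'; Parameters = @{ Name = 'Identity' } }
    )
    # Every session is transcribed here; restrict the directory ACL so users cannot edit it.
    TranscriptDirectory = "$env:ProgramData\PSConfigs\Transcripts"
}
New-PSSessionConfigurationFile @cfg

# Commands execute as this delegated account, not as the person who connects.
$runAs = Get-Credential -Message 'Delegated account the endpoint runs as'
# -ShowSecurityDescriptorUI opens the ACL dialog: grant the helpdesk group Execute (Invoke) only.
Register-PSSessionConfiguration -Name 'UnlockOnly' -Path $configPath `
    -RunAsCredential $runAs -ShowSecurityDescriptorUI -Force

# --- use, from whatever workstation you happen to be sitting at ---
# Implicit remoting creates local proxy functions for the two visible cmdlets; nothing else is exposed.
$s = New-PSSession -ComputerName 'MGMT01' -ConfigurationName 'UnlockOnly' -Credential (Get-Credential)
Import-PSSession -Session $s -CommandName Get-ADUser, Unlock-ADAccount -AllowClobber | Out-Null
$name = Read-Host 'Account to unlock'
Get-ADUser -Identity $name -Properties LockedOut, badPwdCount |
    Select-Object SamAccountName, LockedOut, badPwdCount
Unlock-ADAccount -Identity $name
Remove-PSSession $s
```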