Unlock AD with Verification

I have been scouring the web looking for a script that will check, unlock, and verify LockedOut status.
If the account is locked, it will unlock the account and then verify that the account is unlocked.

$user = Read-Host "Enter Username"
$status = Get-ADUser $user -Properties * | Select-Object LockedOut
If ($status -match "False") {Write-Host 'Account is Unlocked'}
ElseIf ($status -match 'True') {Unlock-ADAccount $user}

The above works for half of what I am looking for. I just am not sure how to get it to check again after it unlocks to verify the unlock was successful.

Hi Evi750ul,
Welcome to powershell.org forums. When you post code, error messages, sample data or console output format it as code, please.

Here you can read how that works: Guide to Posting Code.

You can go back and edit your existing post. You don’t have to create a new one. :wink:

To check a boolean you should not use -match with “false”. Try it this way.

$user = Read-Host 'Enter Username'
$status = Get-ADUser $user -Properties LockedOut | Select-Object LockedOut
If (-not $status.LockedOut) { 
    'Account is Unlocked'
}
else {
    Unlock-ADAccount $user
}

Why would you like to check again? Don’t you trust your code enough? :wink:
You could add the parameter -PassThru to your Unlock-ADAccount command and check its state if you need to.

Thanks. I can make those adjustments.
The bigger part is verifying that the unlock is successful.

I have created a fairly large tool for my team and have discovered not everyone on the team has the same levels of access. So I am trying to get this part of the tool to unlock account and then verify the account is unlocked.

This way the person using it knows if it worked or if they need to escalate to someone else with more access.

Adding the -PassThru parameter is useful, but it doesn't seem to include the LockedOut field.

DistinguishedName :
Enabled :
GivenName :
Name :
ObjectClass :
ObjectGUID :
SamAccountName :
SID :
Surname :
UserPrincipalName :

This is what is output. I cleared out the company data, but the LockedOut field isn't included.
I am new to -PassThru, so is there more to it than just adding it?

You could just use a try/catch. If it doesn’t catch an error, it succeeded. Don’t forget -ErrorAction Stop or $ErrorActionPreference = 'Stop' just in case.


That works perfectly for what I am trying to accomplish. I even added a Finally statement so that the locked state is displayed.
Thank you both for the help.
End result of the code I am tossing in the menu, just in case I missed anything:

$user = Read-Host "`t`tEnter OUN"
try { Unlock-ADAccount $user }
Catch { "Insufficient access rights to unlock this account" }
Finally { Get-ADUser $user -Properties * | Select-Object LockedOut }

So I used the try/catch and it works when I use it without a variable. Once I add the variable it seems to not actually run, and no errors are provided.

To work properly, “try/catch” needs a terminating error. If the cmdlet you’re using does not raise a terminating error by default, you have to force it by using the common parameter “-ErrorAction Stop”.

I cannot check at the moment but I’d try it this way:

try {Unlock-ADAccount $user -ErrorAction stop}

I added the -ErrorAction parameter as suggested.
The command seems to run, no errors, but the Finally does not seem to be hit.
It seems like it tries the unlock, gets no error, and then stops, but this is only when using a variable.
I will try to add the whole submenu structure of the script.

Well… I found out what happened.
In copying the submenu and removing company information, I found that there was an extra character in my Finally block. I removed it and now it is working as I want it to.
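Pulling the thread's advice together (boolean test on LockedOut, -ErrorAction Stop so try/catch actually fires, and a re-read of LockedOut rather than trusting the absence of an error), here is an added example that is not code from the original posters. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can at least read the account, and that an access-denied failure from Unlock-ADAccount carries the usual "Insufficient access rights" text in its message (the -match on that string is an assumption, not something the thread confirms). The function name Unlock-ADAccountVerified is made up for this example. One caveat the thread does not mention: LockedOut is derived from the lockoutTime attribute, and if the verification read lands on a different domain controller than the one that processed the unlock, it can still report True until replication catches up, so every call below is pinned to one DC with -Server.

```powershell
# Added example, not from the thread: unlock an AD account, distinguish an
# access-denied failure from other errors, and verify the result by re-reading
# LockedOut from the same domain controller that performed the unlock.
# Assumes the ActiveDirectory module is available and the caller can read the account.
function Unlock-ADAccountVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,

        # Optional: pin all reads and the unlock to one DC. If omitted, a writable
        # DC is discovered once and reused, so the verification read is not
        # served by a DC that has not yet replicated the unlock.
        [string]$Server
    )

    if (-not $Server) {
        $Server = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
    }

    # Get-ADUser with -ErrorAction Stop turns "user not found" into a terminating
    # error that the caller's own try/catch can handle.
    $before = Get-ADUser -Identity $Identity -Server $Server -Properties LockedOut -ErrorAction Stop

    # Test the boolean directly; never -match against "True"/"False" strings.
    if (-not $before.LockedOut) {
        return [pscustomobject]@{ User = $before.SamAccountName; Result = 'NotLocked'; LockedOut = $false }
    }

    try {
        # Unlock-ADAccount raises a non-terminating error by default, so without
        # -ErrorAction Stop the catch block would never run.
        Unlock-ADAccount -Identity $Identity -Server $Server -ErrorAction Stop
    }
    catch {
        # Assumption: an insufficient-rights failure carries this text in its message.
        $result = if ($_.Exception.Message -match 'Insufficient access rights') {
            'AccessDenied'
        } else {
            "Error: $($_.Exception.Message)"
        }
        return [pscustomobject]@{ User = $before.SamAccountName; Result = $result; LockedOut = $true }
    }

    # Verify by reading LockedOut again from the same DC rather than assuming
    # that "no error" means "unlocked".
    $after  = Get-ADUser -Identity $Identity -Server $Server -Properties LockedOut -ErrorAction Stop
    $result = if ($after.LockedOut) { 'StillLocked' } else { 'Unlocked' }
    [pscustomobject]@{ User = $after.SamAccountName; Result = $result; LockedOut = $after.LockedOut }
}

# Usage: prompt for the account and report one of NotLocked, Unlocked,
# StillLocked, AccessDenied, or Error: <message>.
$user = Read-Host 'Enter Username'
Unlock-ADAccountVerified -Identity $user | Format-List
```

The AccessDenied result is the signal the original poster wanted for "escalate to someone with more access"; StillLocked after a successful-looking unlock usually means the read went to a different DC, which is why the example keeps -Server constant across all three calls.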