PowerShell Basics: How To Unlock A User In Active Directory via PowerShell
Published Sep 19 2019 12:01 AM 19.6K Views
Microsoft

Everyone makes mistakes. Sometimes end users forget their passwords and lock themselves out of their Active Directory access. Administrators can unlock these accounts via the Windows GUI, but what if there was a quicker way? The PowerShell Active Directory module can save administrators time in governing end users and can also provide automation if required. This example will highlight how to unlock an end user account in minimal steps via PowerShell and the Active Directory module. Let's get started.

 

    1. Open PowerShell in Administrative mode
       
       
    2. Run the following command to install the Active Directory module:
       
      Install-Module ActiveDirectory


      Or confirm the module is loaded using the following command:

      Get-Module ActiveDirectory



    3. With the Active Directory PowerShell module now installed, run the following command to display and confirm that the user is locked out:
       
      Get-ADUser -Identity 'ENTER USER NAME HERE' -Properties LockedOut | Select-Object Name,Lockedout


    4. Run the following command to unlock the user account:
       
      Unlock-ADAccount -Identity 'ENTER USER NAME HERE' 
       

    5. Run the following command again to confirm that the user's account has been unlocked:
       
      Get-ADUser -Identity 'ENTER USER NAME HERE' -Properties LockedOut | Select-Object Name,Lockedout
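
The five steps above combined into one function, as an added example that is not code from the original post: it checks that the module is present, shows the lockout details before unlocking, and re-reads the account afterwards. The function name `Unlock-LockedUser` and the account name `jdoe` are hypothetical; the example assumes the RSAT Active Directory module is installed and the caller has rights to unlock accounts.

```powershell
#Requires -Version 5.1
# Added example: hypothetical helper, not part of the original post.
function Unlock-LockedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Identity   # sAMAccountName, DN, GUID or SID of the user
    )

    # The module ships with RSAT; fail early with a clear message if it is absent.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'ActiveDirectory module not found. Install the RSAT AD PowerShell tools first.'
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    $props  = 'LockedOut', 'AccountLockoutTime', 'BadLogonCount', 'LastBadPasswordAttempt'
    $before = Get-ADUser -Identity $Identity -Properties $props -ErrorAction Stop

    if (-not $before.LockedOut) {
        Write-Verbose "$($before.SamAccountName) is not locked out; nothing to do."
        return $before | Select-Object Name, SamAccountName, LockedOut
    }

    # Show when and how the lockout happened so the operator can judge whether
    # it looks like a forgotten password before clearing it.
    $before | Select-Object Name, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
        Format-List | Out-String | Write-Verbose

    # -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($before.DistinguishedName, 'Unlock account')) {
        Unlock-ADAccount -Identity $before -ErrorAction Stop
    }

    # Re-read the account to confirm the result (step 5 of the post).
    Get-ADUser -Identity $before.DistinguishedName -Properties LockedOut |
        Select-Object Name, SamAccountName, LockedOut
}

# Constructed sample account name; -WhatIf previews without changing anything.
Unlock-LockedUser -Identity 'jdoe' -WhatIf -Verbose
```

Run it without `-WhatIf` to perform the unlock. `BadLogonCount` and `LastBadPasswordAttempt` are not replicated between domain controllers, so the values shown reflect only the controller that answered the query.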

 

3 Comments
Copper Contributor

Hi Anthony,

 

There's a few things in this post that'll probably cause a bit of confusion / errors:
The first step implies that you'll need to start PowerShell in an elevated prompt every time you want to do this, when in fact you really only need it to call Install-Module when not using the CurrentUser scope.
Aside from that, ActiveDirectory isn't actually available from any default repositories, and is part of the RSAT Windows features. Now you can activate those in any number of ways depending on where you're doing it from; the one most likely to be used is probably to import the ServerManager module and use its

Add-WindowsFeature RSAT-AD-Powershell

Now you say to use Get-Module to make sure it's imported, and even though the AD module actually implicitly imports when you use a command from it, this is sensible enough. The problem, however, is that we've not yet imported it, so this command will just return nothing as it defaults to look at imported modules (speaking of, you don't ever mention Import-Module in the post).

Microsoft

Hi Shoisk,

 

Thank you for sharing.  Not everyone's scenario is the same and my plan was to share the baseline in terms of the solution itself.  This provides the opportunity for others, like yourself, to build upon and make this post better. 

Copper Contributor

Search-ADAccount -LockedOut will list Locked AD Accounts.

 

Last update: Apr 27 2021 07:31 AM