Everyone makes mistakes. Sometimes end users forget their passwords and lock themselves out of their Active Directory access. Administrators can unlock these accounts via the Windows GUI, but what if there was a quicker way.  The PowerShell Active Directory module can save administrators time in governing end users and can also provide automation if required.  This example will highlight how to unlock an end user account in minimal steps via PowerShell and the Active Directory module.  Let's get started.


    1. Open PowerShell in Administrative mode
      Run PowerShellRun PowerShell
    2. Run the following command to install the Active Directory module:
      Install-Module ActiveDirectory

      Or confirm the module is loaded using the following command:

      Get-Module ActiveDirectory

    3. With the Active Directory PowerShell module now installed, run the following command to display and confirm that the user is locked out:
      Get-ADUser -Identity 'ENTER USER NAME HERE' -Properties LockedOut | Select-Object Name,Lockedout

    4. Run the following command to unlock the user account:
      Unlock-ADAccount -Identity 'ENTER USER NAME HERE' 

    5. Run the following command again to confimr that the user's account has been unlocked:
      Get-ADUser -Identity 'ENTER USER NAME HERE' -Properties LockedOut | Select-Object Name,Lockedout
Occasional Visitor

Hi Anthony,


There's a few things in this post that'll probably cause a bit of confusion / errors:
The first step implies that you'll need to start PowerShell in an elevated prompt every time you want to do this, when in fact you really only need it to call Install-Module when not using the CurrentUser scope.
Aside from that, ActiveDirectory isn't actually available from any default repositories, and is part of the RSAT windows features, now you can activate those in any number of ways depending on where you're doing it from, the one most likely to be used is probably to import the ServerManager module and use its 

Add-WindowsFeature RSAT-AD-Powershell

Now you say to use Get-Module to make sure its imported, and even though the AD module actually implicitly imports when you use a command from it, this is sensible enough. The problem however, is that we've not yet imported it, so this command will just return nothing as it defaults to look at imported modules (Speaking of, you don't ever mention Import-Module in the post). 


Hi Shoisk,


Thank you for sharing.  Not everyone's scenario is the same and my plan was to share the baseline in terms of the solution itself.  This provides the opportunity for others, like yourself, to build upon and make this post better. 

Established Member

Search-ADAccount -LockedOut will list Locked AD Accounts.