Automatic Active Directory account unlock with PowerShell

The PowerShell script given below can be used to automatically unlock the Active Directory user accounts that have been locked out in an organization. ADSelfService Plus also offers an option which, when enabled, runs a scheduler at regular intervals to search for locked user accounts and automatically unlocks them. Here is a comparison between the automatic account unlock using PowerShell and ADSelfService Plus:

With PowerShell

Run this PowerShell script to unlock all the locked accounts in the organization:

Search-ADAccount -LockedOut | Unlock-ADAccount

With ADSelfService Plus

In ADSelfService Plus:

  • Go to Configuration > Policy Configuration.
  • Create a new policy.
  • Once the information required to create the policy is provided, click on Advanced, navigate to the Automation tab and select the Automatically unlocks locked-down accounts in your domain checkbox.
  • Specify the Frequency at which the scheduler should be run. Click OK and, in the Policy Configuration section, click Save.

Advantages of ADSelfService Plus

  • Quick configuration: With ADSelfService Plus, account unlock can be enabled by entering minimal information. The above PowerShell script can unlock all locked user accounts at once, but running a scheduler that finds and unlocks locked-out user accounts requires writing and maintaining extensive scripts.
  • Secure management of data: In ADSelfService Plus, sensitive information such as the user's credentials is not stored anywhere, unlike the above PowerShell script, which requires storing the user's credentials in the script.
  • Choose users whose accounts can be automatically unlocked: In ADSelfService Plus, administrators can specify the users belonging to specific domains, OUs, and groups whose accounts are to be automatically unlocked upon getting locked out. Using PowerShell to automate account unlocks for specific users requires creating and managing an extensive script.
  • Automatically synchronize any changes to the user account with all domain controllers: Once the user has been unlocked with ADSelfService Plus, the user's account status is automatically synchronized with all the domain controllers in the AD domain.
  • Synchronize unlocks with integrated enterprise applications: When users unlock their user accounts using ADSelfService Plus, their locked user accounts in enterprise applications integrated for password synchronization are automatically unlocked as well.
  • Audit password reset and other actions: With ADSelfService Plus, the automatic account unlocks, the self-service actions, enrollment, and identity verification are audited and can be accessed in the form of reports that can be generated with just a few clicks.
  • Notify the admin: Administrators can be notified through email and SMS about users' password resets and other actions like account unlock, password change, and enrollment using ADSelfService Plus.

Unlocking AD accounts automatically using PowerShell

Step 1: Identify locked accounts

Retrieve a list of locked-out AD accounts.

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName

Step 2: Unlock specific AD accounts

To manually unlock a specific user account using its SamAccountName, run the command below, replacing "johndoe" with the actual username.

Unlock-ADAccount -Identity "johndoe"

Step 3: Unlock all locked accounts

To unlock all locked accounts in the domain, run the script below.

Step 4: Automate the unlock process with a scheduled task

To automatically unlock accounts every hour, save the script below as UnlockAccounts.ps1.

Search-ADAccount -LockedOut | Unlock-ADAccount

After this, create a scheduled task to run it periodically. This schedules the script to run at midnight daily, but you can modify it as needed.

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\UnlockAccounts.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "12:00AM"
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "AutoUnlockADAccounts" -Description "Automatically unlocks AD accounts"
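The one-line script in Step 4 clears every lockout in the domain, including lockouts that an account lockout policy exists to produce (repeated bad passwords against one account, or a burst of lockouts across many accounts). The following script is an added example, not code from this page or from ADSelfService Plus; it is the scoped, audited version of Steps 1 to 4, and also covers the "choose users whose accounts can be automatically unlocked" point above. It assumes the ActiveDirectory module is installed, and the OU distinguished name, log path and per-run threshold in the param block are placeholders to replace with your own values. Save it as UnlockAccounts.ps1 and run it from the scheduled task shown above.

```powershell
<#
  Added example (not from the original page): scoped and logged automatic unlock.
  Assumptions, all placeholders: the OU DN, the log path and the MaxPerRun threshold.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Only user accounts under this OU are eligible for automatic unlock (placeholder DN)
    [string]$SearchBase = "OU=Staff,DC=example,DC=com",
    # Audit log written on every run (placeholder path)
    [string]$LogPath = "C:\Scripts\UnlockAccounts.log",
    # If more accounts than this are locked at the same time, unlock nothing:
    # a burst of lockouts is something to investigate, not to clear silently
    [int]$MaxPerRun = 25
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-UnlockLog {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

# Step 1 from the page, narrowed to user objects under one OU
$locked = @(Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase -SearchScope Subtree |
            Get-ADUser -Properties BadPwdCount, LastBadPasswordAttempt)

Write-UnlockLog "Run started; $($locked.Count) locked account(s) under $SearchBase"

if ($locked.Count -gt $MaxPerRun) {
    Write-UnlockLog "ABORT: count exceeds threshold $MaxPerRun; lockouts left in place for review"
    exit 1
}

foreach ($user in $locked) {
    # Record what was known before the lockout is cleared, so the log still tells the story
    $detail = "sam={0} badPwdCount={1} lastBadAttempt={2}" -f `
        $user.SamAccountName, $user.BadPwdCount, $user.LastBadPasswordAttempt
    try {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Unlock AD account")) {
            # Step 2 from the page, per account; -Confirm:$false keeps the scheduled run non-interactive
            Unlock-ADAccount -Identity $user.DistinguishedName -Confirm:$false -ErrorAction Stop
            Write-UnlockLog "UNLOCKED $detail"
        }
        else {
            Write-UnlockLog "WHATIF $detail"
        }
    }
    catch {
        Write-UnlockLog "FAILED $detail error=$($_.Exception.Message)"
    }
}

Write-UnlockLog "Run finished"
```

Run it once by hand with -WhatIf to see which accounts would be unlocked before scheduling it. BadPwdCount and LastBadPasswordAttempt are not replicated between domain controllers, so the logged values reflect the DC that answered the query; they are there to make the log useful to whoever reviews it, not as a replication-safe count. For an hourly run instead of the daily trigger above, New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1) gives a repeating trigger.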

FAQs

1. How do I manually unlock a user’s AD account?

Unlock a user’s AD account using the script below.

Unlock-ADAccount -Identity username

2. Can I unlock all locked-out users at once?

Yes, run the script below to unlock all locked-out users at once.

Search-ADAccount -LockedOut | Unlock-ADAccount

3. How can I automate account unlocks?

Schedule the unlock script to run periodically via Task Scheduler.
