4

Just a quick question. I need to be able to unlock user accounts from the command line, NOT using NET USER loginname /DOMAIN /ACTIVE:YES

This is because our corporation lives across 4 domains, and the NET command is tied to the computer domain, with no way to specify alternative domains. Also, using ADUC is not an option for this specific case.

Basically, does DSMOD USER userDN -disabled no actually unlock an account? I can test this on Thursday, but wanted to know if I had to get in early to script the solution instead.

Cheers

Izzy

6 Answers

7

The answer is Yes.

dsmod user userDN -disabled no

This does unlock an account.

Izzy
4

You can do an unlock/password Reset by SAM Name using this:

dsquery user domainroot -samid %username%|dsmod user -disabled no -pwd %newpass% -mustchpwd yes
Joey
3

Unlock from joeware will do exactly this, as well as reporting currently locked accounts

benPearce
    Ideally I'd like to use native tools - adding 3rd party executables into the equation if it can be done with native tools doesn't really tie in with Best Practices – Izzy Jul 01 '09 at 03:49
  • 1
    Dude, it's joeware though! *smile* (Yeah-- having to use 3rd party tools is fairly annoying, though.) – Evan Anderson Jul 01 '09 at 03:56
  • So what if it is third-party. It does the job quickly and easily. I have used joeware tools to automate admin tasks and it has worked really well. – benPearce Jul 01 '09 at 04:35
  • I operate in an extremely tight, cSOX throttled, 8 audits a year corporate environment. The paperwork I have to put in to get this approved just isn't worth it :) I could, probably will have to, script this out in VBS in no time on Thursday - was just hoping to use native tools. PS. I'm actually a developer too - I had to be, because it's easier to write my OWN tools and executables, than it is to get 3rd party tools through the approval process. Insane eh? That's the Oil/Gas/Coal/Energy industry for you – Izzy Jul 01 '09 at 15:23
  • I can see your point, sucks though! Stupid thing is that probably no one is auditing your code so it is a bit of a half-arsed approach from the auditing perspective. You could rename the tools to iexplore.exe :-) – benPearce Jul 01 '09 at 22:08
  • Very true - and I know this because I put the most outrageous comments in my code - and I've never heard a peep out of anyone! But if I write something malicious they know who I am, and they know where I live. And where my family lives! ;) – Izzy Jul 01 '09 at 23:07
  • @Izzy You should also check out the Microsoft Technet Script Center Repository. Lots of good stuff in there. (If you search for "gwaldo", it'll pull up the code I've published in there. Some could use a cleaning, but they solve problems...) – gWaldo Feb 08 '11 at 13:33
2

If you're able to use vbscript, this should do the trick:

' Bind to the user object via ADSI; the DN here is a placeholder for the real account DN
Set objUser = GetObject("LDAP://cn=user,ou=OrganisationalUnit,dc=test,dc=com")
' Clear the lockout flag (IADsUser.IsAccountLocked), then commit the change to the directory
objUser.IsAccountLocked = False
objUser.SetInfo

Ehtyar.

Ehtyar
  • That's the scripting route I was going to go down, but was hoping to go down the DSMOD route. – Izzy Jul 01 '09 at 03:46
  • I also had trouble finding anything on the dsmod route during my searches. I found this whilst frantically trying to find something that might make up for my earlier screw-up. I have a tendency to favor script based solutions myself because you not only see exactly how it works, but you can modify it and include it in other scripting endeavours later, but that's just me. – Ehtyar Jul 01 '09 at 05:57
  • I'll test the "DSMOD -disabled no" on Thursday and see what happens. I have no problem scripting or coding by the way :) – Izzy Jul 01 '09 at 15:25
2

The answer by @Akshi (which received a negative vote unfairly) should be the correct one - account disabled and LockedOut are two different things.

Admins with the proper rights can Disable an account, using the wrong password too many times will Lock your account.

Using Get-ADUser %username% -prop LockedOut in Power-Shell you can see the Enabled and the LockedOut attributes.

dsmod user userDN -disabled no requires elevated admin privileges to work in most system setups, and I'm not sure it will unlock the account, I couldn't test it.

Unlock-ADaccount username will work for most users with basic admin rights - worked for me.

RBA
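The distinction this answer draws (a disabled account is a bit in userAccountControl, a locked-out account is a non-zero lockoutTime) is easiest to see by reading both attributes before deciding what to do. The script below is an added example, not code from anyone in this thread: it uses the ActiveDirectory module's Get-ADUser and Unlock-ADAccount with -Server to reach each of the poster's domains (the domain names are placeholders), reports which state the account is actually in, and only unlocks when the account is locked out rather than disabled.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread). Assumes RSAT / the ActiveDirectory
# module is installed and the caller holds the "Unlock account" right on the user.

function Get-AccountLockState {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Domain
    )
    # Escape LDAP filter metacharacters so an odd login name cannot change the query
    $safe = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'

    foreach ($d in $Domain) {
        # -Server targets a DC in that domain, which is what NET USER cannot do.
        # -LDAPFilter returns nothing (no exception) when the user is not in this domain.
        $u = Get-ADUser -Server $d -LDAPFilter "(sAMAccountName=$safe)" `
                        -Properties Enabled, LockedOut, lockoutTime, userAccountControl, badPwdCount
        if ($null -eq $u) { continue }

        [pscustomobject]@{
            Domain    = $d
            User      = $u.DistinguishedName
            Enabled   = $u.Enabled                               # ACCOUNTDISABLE (0x2) bit is clear
            Disabled  = [bool]($u.userAccountControl -band 0x2)  # the flag "dsmod user -disabled" toggles
            LockedOut = $u.LockedOut                             # derived from lockoutTime
            BadPwd    = $u.badPwdCount                           # per-DC counter, not replicated
        }
    }
}

function Unlock-AccountAcrossDomains {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Domain
    )
    foreach ($s in Get-AccountLockState -SamAccountName $SamAccountName -Domain $Domain) {
        if ($s.LockedOut) {
            Unlock-ADAccount -Server $s.Domain -Identity $s.User
            Write-Host "Unlocked $($s.User) in $($s.Domain)"
        }
        elseif ($s.Disabled) {
            # Unlocking a disabled account changes nothing; enabling it is a separate decision
            Write-Warning "$($s.User) in $($s.Domain) is disabled, not locked out"
        }
        else {
            Write-Host "$($s.User) in $($s.Domain) is neither locked nor disabled"
        }
    }
}

# Placeholder domain names; replace with the four real domains
$domains = 'corp-a.example', 'corp-b.example', 'corp-c.example', 'corp-d.example'
Get-AccountLockState -SamAccountName 'jdoe' -Domain $domains | Format-Table -AutoSize
Unlock-AccountAcrossDomains -SamAccountName 'jdoe' -Domain $domains
```

Get-AccountLockState on its own is the useful pre-check: if the same account shows repeated lockouts, the cause (a stale credential on a service or mapped drive, or someone guessing passwords) is worth finding in the DC security log before the unlock is repeated, because unlocking alone just restarts the cycle.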
-1

I think you should use that command: Unlock-ADaccount username

Hopefully this will help you

Akshi