Unlock AD accounts with PowerShell

• Author
• Recent Posts

Surender Kumar

Surender Kumar has more than twelve years of experience in server and network administration. His fields of interest are Windows Servers, Active Directory, PowerShell, web servers, networking, Linux, virtualization, and penetration testing. He loves writing for his blog.

Latest posts by Surender Kumar (see all)

• Proxmox Backup Server: Install and configure - Fri, May 19 2023
• Using Docker with NAS and NFS - Mon, May 15 2023
• Create a Proxmox cluster - Fri, May 5 2023

Prerequisites

• A domain-joined computer running Professional or Enterprise edition of Windows 10 or Windows 11.
• Active Directory PowerShell module installed on the computer.

Install RSAT tools

The remote server administration tools (RSAT) help admins remotely manage Windows Server roles from a computer running Windows 10/11. RSAT is a large collection of admin tools used to manage most server roles. However, for the purpose of this post, we are only interested in the Active Directory (AD) PowerShell module.

To check whether the AD PowerShell module is installed, launch an elevated PowerShell console, and run the following command:

Get-WindowsCapability -Name Rsat.ActiveDirectory* -Online | Select DisplayName, State

Checking whether the Active Directory PowerShell module is installed

If you see State = Installed, you're all set. If you see State = NotPresent, run the following command to install the module:

Get-WindowsCapability -Name Rsat.ActiveDirectory* -Online | Add-WindowsCapability -Online

Installing the Active Directory PowerShell module

If you just installed the module, it is a good idea to run the Update-Help -Module ActiveDirectory -Force command to update the help files. Once you have the AD PowerShell module, you are ready to manage AD accounts remotely. To identify suitable cmdlets to work with AD accounts, use this command:

Get-Command -Noun ADAccount -Module ActiveDirectory

Finding the cmdlets related to ADAccount

As you can see in the screenshot, there are four cmdlets. The cmdlet verb gives a fair idea of what each command does. For this post, we will use only the Search-ADAccount and Unlock-ADAccount cmdlets.

Search-ADAccount cmdlet

The Search-ADAccount cmdlet allows you to search for AD accounts based on various criteria. If you take a look at the command help, you will notice that it can search accounts that are disabled, expired, expiring, inactive, locked out, and that have a password that expired or that never expires. For now, we are only interested in locked-out accounts. By default, the credentials of the currently logged-on user are used on the remote domain controller, but you can use the -Credential parameter to supply alternate credentials.

Viewing the help of the Search ADAccount cmdlet

Now, we can use the Search-ADAccount cmdlet, as shown below, to search for locked-out AD accounts:

Search-ADAccount -LockedOut -UsersOnly | Select Name, SamAccountName

Searching locked out AD user accounts with PowerShell

This command lists all AD users that are currently locked out.

Unlock-ADAccount cmdlet

The Unlock-ADAccount cmdlet can be used to unlock AD accounts. If you take a look at the help section, you will notice that it accepts the -Identity parameter, which allows you to specify the SAM account name, the security identifier (SID), the globally unique identifier (GUID), or the distinguished name. To unlock a user account named Jack, simply run the command, as shown below:

Unlock-ADAccount -Identity jack

Unlock a particular AD user account with PowerShell

The command above does not produce any output, but the user account is silently unlocked. You could specify the -PassThru parameter, but that won't exactly show the LockedOut property for that user. Use the Get-ADUser -Identity 'jack' -Properties LockedOut command to see the updated state of the LockedOut property.

Unlock multiple AD accounts

If you want to quickly unlock multiple AD accounts that are currently locked out, use the following command:

Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount -Confirm

Unlock all the locked out AD users at once with PowerShell

Note that the -Confirm switch plays an important role here. It requires your confirmation for each account before unlocking it. This approach allows you to skip certain accounts that you don't want to unlock. If you omit the -Confirm parameter, PowerShell will unlock all the locked-out user accounts without any confirmation, which could be a really bad idea. The AD accounts are locked out for a reason; when incorrect password attempts exceed the maximum number allowed in the account lockout policy, the user account is locked out, and access to AD services is restricted. If you unlock all users without even thinking, it defeats the purpose of the lockout policy.

That was it for this post. You just learned how to unlock one or more AD user accounts with PowerShell.