In this tutorial, I’ll show you how to quickly unlock AD User accounts with PowerShell.
I’ve included examples to unlock a single Active Directory user and how to unlock multiple user accounts. As an alternative to PowerShell, I’ll also show you a GUI tool to quickly unlock user accounts.
These PowerShell commands require the Active Directory module to be installed. It’s best that you install the RSAT tools on your computer. This will prevent the need to load the module every time you run Active Directory related PowerShell commands. You also need to update PowerShell to the latest version to ensure all the cmdlets are updated. Server 2012 has PowerShell 4 installed by default so make sure you update to version 5.1 or the new PowerShell core 7.
Let’s jump right into some examples!
Example 1. Unlock AD Account with PowerShell
In this first example, I’ll use PowerShell to unlock a single user using the account SamAccountName (aka logon name).
Step 1. Run the Unlock-ADAccount cmdlet
Unlock-ADAccount -Identity robert.allen
The above command will unlock the user “robert.allen”. Replace robert.allen with your user’s logon name.
Step 2. Verify Lockout Status
Get-ADUser robert.allen -Properties * | Select-Object LockedOut
The above command will check if the account is locked out.
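The two steps above can be combined into one small function that checks the lockout flag first, records the lockout details before they are cleared, unlocks only when needed, and then re-reads the account to verify. This is an added example and not code from the original post; it assumes the Active Directory module is loaded, that you hold rights to unlock the account, and the function name Unlock-AdUserIfLocked is made up here.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed and you have rights to unlock the target account.
# 'robert.allen' is the post's placeholder logon name; replace it with yours.
Import-Module ActiveDirectory

function Unlock-AdUserIfLocked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    # Ask for only the attributes we need instead of -Properties *.
    $props = 'LockedOut', 'Enabled', 'LockoutTime', 'BadLogonCount',
             'LastBadPasswordAttempt', 'PasswordLastSet'
    $user = Get-ADUser -Identity $SamAccountName -Properties $props

    if (-not $user.LockedOut) {
        Write-Host "$SamAccountName is not locked out; nothing to do."
        return $user
    }

    # Show the lockout evidence before clearing it: LockoutTime and the bad
    # logon counter are reset by the unlock, so capture them now.
    $user | Select-Object SamAccountName, Enabled,
        @{ n = 'LockoutTime'; e = { [DateTime]::FromFileTime($_.LockoutTime) } },
        BadLogonCount, LastBadPasswordAttempt, PasswordLastSet |
        Format-List | Out-String | Write-Host

    # Step 1: unlock (honours -WhatIf / -Confirm through ShouldProcess)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock AD account')) {
        Unlock-ADAccount -Identity $SamAccountName
    }

    # Step 2: re-read the object to verify the unlock took effect
    $after = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    if ($after.LockedOut) {
        Write-Warning "$SamAccountName is still reported as locked out."
    } else {
        Write-Host "$SamAccountName unlocked."
    }
    return $after
}

# Usage (add -WhatIf to preview without changing anything):
Unlock-AdUserIfLocked -SamAccountName 'robert.allen'
```

The verification step reads from whichever domain controller the module is bound to; if you unlocked against one DC and check on another, allow for replication before concluding the unlock failed.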
That is all for example 1.
That was easy, right?
Example 2. Unlock AD Account with Confirmation
This command is the same as the previous example but it adds a confirmation for each account to unlock.
Unlock-AdAccount -identity alice.mills -Confirm
This will pop up a message to confirm the action.
Tip: If you have accounts that are repeatedly locked out, you should investigate why before unlocking them all. You can check out this how-to guide for troubleshooting account lockouts and tracking down the source of lockout events.
Example 3. Unlock All AD User Accounts with PowerShell
I don’t recommend this but you can find all locked users and unlock them with the command below. If a large number of accounts are locked out that should raise some concerns. You should investigate and look at the logs to ensure nothing suspicious is going on in your network.
Search-ADAccount -Lockedout | select-object Name, SamAccountName
In this example, I have locked three accounts. I’ll use the Search-ADAccount command to list all the locked accounts.
To unlock all the accounts at once I just add | Unlock-ADAccount to the end of the search command, example screenshot below.
I’ll run Search-ADAccount -LockedOut again to confirm all the accounts were unlocked.
You can see above that no accounts are listed.
Again I would be cautious about unlocking all the user accounts at once. Accounts are locked out for a reason (multiple bad password attempts) so unless you know exactly what’s going on be careful with this one.
You can also add -Confirm to this example to confirm each unlock.
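Because the author's advice is to investigate before clearing a wave of lockouts, here is an added example (not code from the original post) that puts that into one routine: it lists every locked-out user with the lockout time and bad-logon details, writes them to a CSV for the record, refuses to unlock anything when more than a set number of accounts are locked, and otherwise unlocks with per-account confirmation. The function name Invoke-LockedAccountReview, the threshold of 5 and the CSV path are assumptions for the example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and rights to unlock the affected accounts. The threshold and CSV path are
# assumptions; adjust them to your environment.
Import-Module ActiveDirectory

function Invoke-LockedAccountReview {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Refuse to unlock when more than this many accounts are locked out:
        # a burst of lockouts is a symptom to investigate, not something to clear.
        [int]$MaxUnlock = 5,
        [string]$AuditCsv = "$env:TEMP\locked-accounts-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
    )

    # Search-ADAccount returns slim ADAccount objects; Get-ADUser adds the
    # lockout attributes we want to keep for the record.
    $locked = Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties LockoutTime, BadLogonCount, LastBadPasswordAttempt, PasswordLastSet |
        Select-Object SamAccountName, Enabled,
            @{ n = 'LockoutTime'; e = { [DateTime]::FromFileTime($_.LockoutTime) } },
            BadLogonCount, LastBadPasswordAttempt, PasswordLastSet

    if (-not $locked) {
        Write-Host 'No locked-out accounts found.'
        return @()
    }

    # Keep the evidence: the unlock resets LockoutTime and the bad-logon counter.
    $locked | Export-Csv -Path $AuditCsv -NoTypeInformation
    Write-Host ("{0} locked-out account(s); details written to {1}" -f @($locked).Count, $AuditCsv)
    $locked | Format-Table -AutoSize | Out-String | Write-Host

    if (@($locked).Count -gt $MaxUnlock) {
        Write-Warning ("More than {0} accounts are locked out. Check the lockout events " +
            "(Event ID 4740 on the PDC emulator) for the source before unlocking.") -f $MaxUnlock
        return $locked
    }

    foreach ($acct in $locked) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Unlock AD account')) {
            Unlock-ADAccount -Identity $acct.SamAccountName
        }
    }
    return $locked
}

# Preview first, then run with a prompt for every account:
Invoke-LockedAccountReview -WhatIf
Invoke-LockedAccountReview -Confirm
```

The CSV is written before any unlock runs, so even when the threshold stops the script you still have a record of which accounts were locked and when, which is the starting point for tracing the lockout source.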
Try these commands out and let me know how they work by leaving a comment below.
Example 4. Unlock AD Account with the AD Pro Toolkit
If you want an alternative to PowerShell then check out the AD Pro Toolkit. The toolkit contains several Active Directory Tools to help you simplify Active Directory management and reporting.
Step 1. Click “Check for locked users”
To display all locked users, click the “Check for locked users” button.
Step 2. Select and unlock the account
From the list of locked users select the account and click the “Unlock” button. You can also right click and unlock the account.
You can also reset passwords and use the troubleshoot lockouts option to find the source of account lockouts.
The AD Pro Toolkit includes hundreds of Active Directory reports for users, computers, groups, and more. It also includes several tools to simplify user account management.
Click here to download a free trial of the AD Pro Toolkit.
The post was very useful and using your examples I was able to unlock an account that proved difficult using the standard GUI to unlock the account.
Nice post but how about adding in using a secondary l/p to run the command?
The options are there but an example would be better.
hi.
I have an issue with a user, his account gets locked. What I need is a couple of commands to check if a specific user gets locked, then unlock it and make it a permanent cycle while we identify the issue. Can we set a 30 second delay between each search/unlock query? Is it complicated?
AD is locking the account for a reason. Check to see if user’s password has recently changed and if user is logged in on another system with the old password.
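The check the reply suggests (has the password changed recently, and where are the bad passwords coming from) can be scripted. The following is an added example, not part of the original post or comments. It queries every domain controller individually, because badPwdCount and lastBadPasswordAttempt are not replicated between DCs, so the DC with the highest count or the most recent attempt is the one nearest the source. It can repeat the check every 30 seconds as the commenter asked, but it only watches and reports; it does not unlock. The function name Get-AdUserLockoutSource and the -PollSeconds parameter are assumptions for the example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and read access to every domain controller in the domain.
Import-Module ActiveDirectory

function Get-AdUserLockoutSource {
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName,
        # Seconds between checks; 0 means run the check once and return.
        [int]$PollSeconds = 0
    )

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    do {
        $results = foreach ($dc in $dcs) {
            try {
                # badPwdCount / lastBadPasswordAttempt are per-DC values, so ask each DC.
                $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                    -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, LockoutTime, PasswordLastSet
                [pscustomobject]@{
                    Checked                = Get-Date
                    DomainController       = $dc
                    LockedOut              = $u.LockedOut
                    BadLogonCount          = $u.BadLogonCount
                    LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                    LockoutTime            = if ($u.LockoutTime) { [DateTime]::FromFileTime($u.LockoutTime) } else { $null }
                    PasswordLastSet        = $u.PasswordLastSet
                }
            } catch {
                Write-Warning "Could not query $($dc): $_"
            }
        }

        # Most recent bad attempt first: that DC is closest to whatever is still
        # sending the old password (cached credential, mapped drive, service, phone).
        $results | Sort-Object LastBadPasswordAttempt -Descending |
            Format-Table -AutoSize | Out-String | Write-Host

        if ($PollSeconds -gt 0) { Start-Sleep -Seconds $PollSeconds }
    } while ($PollSeconds -gt 0)

    return $results
}

# One-off check:
Get-AdUserLockoutSource -SamAccountName 'robert.allen'
# Keep watching every 30 seconds while the cause is tracked down (Ctrl+C to stop):
# Get-AdUserLockoutSource -SamAccountName 'robert.allen' -PollSeconds 30
```

Compare PasswordLastSet with the LastBadPasswordAttempt times: bad attempts that start right after a password change almost always come from a device or service still holding the old credential.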
Hi,
I thought I would try using -PassThru, to see if I can make a GUI to unlock accounts .
I am trying to use:
Search-ADAccount -LockedOut | select name | Out-GridView -PassThru | Unlock-ADAccount
I get a list of locked accounts, but when I select one and click OK I get the error below.
I feel I am doing something very wrong, but am not sure what. Can anyone help? 🙂
Error I get:
Unlock-ADAccount : The input object cannot be bound to any parameters for the command either because the command does
not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:86
+ … ew -PassThru | Unlock-ADAccount
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (@{name=sqladmin}:PSObject) [Unlock-ADAccount], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.UnlockADAccount
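The error above comes from the select name step: it replaces each ADAccount object with a PSCustomObject that has only a Name property, and Unlock-ADAccount binds -Identity from the pipeline by value (an AD account object or an identity string), so the trimmed object cannot be bound. Below is an added example, not from the original comment, showing two ways to keep the Out-GridView picker working. It assumes the Active Directory module and a desktop session where Out-GridView is available.

```powershell
# Added example (not from the original comment). Assumes the ActiveDirectory
# module and a session where Out-GridView is available.
Import-Module ActiveDirectory

# Fix 1: keep the ADAccount objects intact all the way to Unlock-ADAccount.
# Out-GridView shows their properties, and the objects you tick are passed
# through unchanged, so pipeline binding works.
Search-ADAccount -LockedOut -UsersOnly |
    Out-GridView -Title 'Locked-out accounts: select the ones to unlock' -PassThru |
    Unlock-ADAccount -Confirm

# Fix 2: if you want a trimmed view, carry SamAccountName through the
# selection and hand it to -Identity explicitly instead of relying on
# pipeline binding of a PSCustomObject.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName |
    Out-GridView -Title 'Locked-out accounts: select the ones to unlock' -PassThru |
    ForEach-Object { Unlock-ADAccount -Identity $_.SamAccountName -Confirm }
```

Either form keeps the human in the loop: nothing is unlocked until an account is ticked in the grid and the confirmation prompt is answered.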
Hello, is there a way with this command “Search-ADAccount -Lockedout | Unlock-AdAccount”
to exclude a few specific users? For example exclude user1, user2, user3 (not using confirm)?
Yes you can use the Where-Object cmdlet to filter objects from the pipeline.
This example will return all users that are not equal to user1.
Search-ADAccount -LockedOut | Where-Object {$_.Name -ne 'user1'} | Unlock-ADAccount
Here is a good overview on filtering objects https://docs.microsoft.com/en-us/powershell/scripting/samples/removing-objects-from-the-pipeline–where-object-?view=powershell-6
Good review. I do something similar but qualify so I only unlock Enabled accounts in AD (accounts are disabled for a reason typically).
search-adaccount -usersonly -lockedout | where {$_.Enabled -eq $true} | Unlock-ADAccount
I also extend this to prevent unlocking enabled but general accounts like “student” managed by help desk such as:
search-adaccount -usersonly -lockedout | where {$_.Enabled -eq $true} | where {$_.samAccountName -notlike "STUDENT*"} | Unlock-ADAccount
My next step will be to restrict this so the Powershell based GUI displays an unlock button for the groups I want the gui to manage.
More on GUIs at https://blogs.technet.microsoft.com/heyscriptingguy/2011/07/24/create-a-simple-graphical-interface-for-a-powershell-script/
All the best Larry
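Putting the two filtering ideas from this thread together (excluding a list of named users, and Larry's checks for enabled accounts and help-desk-managed name prefixes), here is an added example that is not code from the original comments. It wraps the pipeline in a function with a dry-run switch. The function name Unlock-LockedAccountsFiltered and the default exclusion values user1, user2, user3 and STUDENT* are taken from the comments only as placeholders; it assumes the Active Directory module and unlock rights.

```powershell
# Added example (not from the original comments). Assumes the ActiveDirectory
# module and rights to unlock the accounts. Exclusion values are placeholders.
Import-Module ActiveDirectory

function Unlock-LockedAccountsFiltered {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Accounts that must never be unlocked by this script (shared or sensitive accounts).
        [string[]]$Exclude = @('user1', 'user2', 'user3'),
        # Wildcard patterns for accounts managed by another team, e.g. the help desk.
        [string[]]$ExcludeLike = @('STUDENT*'),
        # Disabled accounts stay locked unless explicitly requested.
        [switch]$IncludeDisabled
    )

    $locked = Search-ADAccount -LockedOut -UsersOnly

    # Filter BEFORE unlocking: every object that reaches Unlock-ADAccount is unlocked,
    # so a Where-Object placed after it would only trim what gets displayed.
    $candidates = foreach ($acct in $locked) {
        $sam = $acct.SamAccountName
        if (-not $IncludeDisabled -and -not $acct.Enabled) {
            Write-Verbose "skip $sam (disabled)"; continue
        }
        if ($Exclude -contains $sam) {                    # -contains is case-insensitive
            Write-Verbose "skip $sam (on exclusion list)"; continue
        }
        $hit = $ExcludeLike | Where-Object { $sam -like $_ } | Select-Object -First 1
        if ($hit) {
            Write-Verbose "skip $sam (matches pattern $hit)"; continue
        }
        $acct
    }

    foreach ($acct in $candidates) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Unlock AD account')) {
            $acct | Unlock-ADAccount
        }
    }
    return $candidates
}

# Dry run to see what would be unlocked and why the rest were skipped:
Unlock-LockedAccountsFiltered -Exclude 'user1', 'user2', 'user3' -WhatIf -Verbose
# Then the real run, without a prompt per account:
Unlock-LockedAccountsFiltered -Exclude 'user1', 'user2', 'user3'
```

Running with -WhatIf first shows both the accounts that would be unlocked and, with -Verbose, the reason each excluded account was left alone, which is worth keeping in the ticket when the unlock is done on request.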
Filtering on enabled accounts is a good tip. Thanks Larry
many thanks Roberts, it helped me a lot. Luca
Luca,
No problem