In this tutorial, I’ll show you how to quickly unlock AD User accounts with PowerShell.
I’ve included examples for unlocking a single user account and unlocking all locked users at once.
These PowerShell commands require the ActiveDirectory module to be installed. It’s best to install the RSAT tools on the computer that you want to run these commands from. This will prevent the need to load the module every time you need to run Active Directory related PowerShell commands.
Let’s jump right into some examples!
Unlock AD User by samAccountName with PowerShell
Unlock-ADAccount -Identity samAccountName
The above command will unlock a single user by their samAccountName. This is the same value as the user’s logon name.
Let’s walk through an example.
A user, Sam Walker, calls the helpdesk and says he is locked out. To verify this, or to see who else is locked out, you can run this command.
Search-ADAccount -lockedout | Select-Object Name, SamAccountName
This will list all locked accounts and display each user’s full name and SamAccountName.
You can see in the screenshot above that Sam Walker is locked out. Now to unlock this account I will run the command below using the SamAccountName.
Unlock-ADAccount -Identity swalker
You can see in the screenshot below that the command returns nothing. It does this whether the account is locked or not. So, unfortunately, this doesn’t really confirm it was unlocked.
The only thing you can do to confirm is to list the locked accounts again.
You can see when I run it again Sam Walker is no longer listed. It’s confirmed that I unlocked his account.
Unlock All AD Users with PowerShell
This command will search Active Directory for all locked accounts and automatically unlock them all.
Tip: If the same accounts keep getting locked out, you should investigate why before unlocking them all. You can check out this how-to guide for troubleshooting account lockouts and tracking down the source of lockout events.
Search-ADAccount -Lockedout | Unlock-AdAccount
In this example I have locked three accounts. I’ll use the Search-ADAccount command to list all the locked accounts.
Now to unlock all the accounts at once I just add | Unlock-ADAccount to the end of the search command, example screenshot below.
I’ll run Search-ADAccount -LockedOut again to confirm all the accounts were unlocked.
You can see above that no accounts are listed.
Again, I would be cautious about unlocking all the user accounts at once. Accounts are locked out for a reason (multiple bad password attempts), so unless you know exactly what’s going on, be careful with this one.
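The commands above return nothing on success and give no context about why an account was locked. The script below is an added example, not part of the original tutorial: it lists locked users together with their lockout time and bad-password data, then unlocks one account and reads the LockedOut state back to confirm. The function names Get-LockedAccountReport and Unlock-AccountVerified are hypothetical, and querying the PDC emulator is an assumption made here because lockout state is replicated to it urgently.

```powershell
# Added example (not from the original tutorial). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LockedAccountReport {
    # Assumption: query the PDC emulator, which receives lockout changes first.
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    Search-ADAccount -LockedOut -UsersOnly -Server $Server | ForEach-Object {
        # BadLogonCount and LastBadPasswordAttempt are per-DC values, so read them from the same server.
        Get-ADUser -Identity $_.DistinguishedName -Server $Server `
            -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
    } | Select-Object Name, SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
}

function Unlock-AccountVerified {
    # SupportsShouldProcess makes -WhatIf and -Confirm work on this function.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    process {
        $before = Get-ADUser -Identity $SamAccountName -Server $Server -Properties LockedOut
        if (-not $before.LockedOut) {
            Write-Warning "$SamAccountName is not locked; nothing to do."
            return
        }
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock account')) {
            # -Confirm:$false avoids a second prompt; the prompt above already covered it.
            Unlock-ADAccount -Identity $before -Server $Server -Confirm:$false
            $after = Get-ADUser -Identity $SamAccountName -Server $Server -Properties LockedOut
            [pscustomobject]@{
                SamAccountName = $SamAccountName
                WasLocked      = $true
                LockedNow      = [bool]$after.LockedOut   # expected to be False after a successful unlock
            }
        }
    }
}

# Review the locked accounts first, then unlock one and read back the result.
Get-LockedAccountReport | Format-Table -AutoSize
Unlock-AccountVerified -SamAccountName swalker
```

Piping the report into the second function (Get-LockedAccountReport | Unlock-AccountVerified -Confirm) handles several accounts while still prompting for each one. A high BadLogonCount or a very recent LastBadPasswordAttempt in the report is a reason to investigate the source before unlocking.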
Unlock All AD Users with Confirmation First
This command is the same as the previous example but it adds a confirmation for each account to unlock. This is helpful so you can unlock accounts in bulk but still confirm each one at a time.
Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm
Here is what this looks like.
Try these commands out and let me know how they work by leaving a comment below.