Quickly Unlock AD User Accounts with PowerShell

In this tutorial, I’ll show you how to quickly unlock AD User accounts with PowerShell.

I’ve included examples for unlocking a single user account and unlocking all locked users at once.

These PowerShell commands require the ActiveDirectory module to be installed. It’s best to install the RSAT tools on the computer that you want to run these commands from. This will prevent the need to load the module every time you need to run Active Directory related PowerShell commands.

Let’s jump right into some examples!

Unlock AD User by samAccountName with PowerShell

Unlock-ADAccount -Identity samAccountName

The above command will unlock a single user by their samAccountName. This is the same value as the user’s logon name.

Let’s walk through an example.

A user, Sam Walker, calls the helpdesk and says he is locked out. To verify this, or to see who else is locked out, you can run this command.

Search-ADAccount -lockedout | Select-Object Name, SamAccountName

This will list all locked accounts and display each user’s full name and SamAccountName.

You can see in the screenshot above that Sam Walker is locked out. Now to unlock this account I will run the command below using the SamAccountName.

Unlock-ADAccount -Identity swalker

You can see in the screenshot below that the command returns nothing. It does this whether the account was locked or not, so unfortunately the output doesn’t confirm that the account was unlocked.

The only thing you can do to confirm is to list the locked accounts again.

You can see when I run it again Sam Walker is no longer listed. It’s confirmed that I unlocked his account.
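The check, unlock and re-check steps from this walkthrough can be combined into one function, shown here as an added example that is not part of the original tutorial. The function name Unlock-ADUserVerified is hypothetical, and the choice to target the PDC emulator is an assumption made so that the before and after reads come from the same domain controller.

```powershell
# Added example: Unlock-ADUserVerified is a hypothetical helper, not a cmdlet
# that ships with the ActiveDirectory module.
Import-Module ActiveDirectory

function Unlock-ADUserVerified {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName,

        # Assumption: read and unlock on one DC so the re-check is not
        # affected by replication delay between domain controllers.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    process {
        # Capture the lockout evidence before clearing it.
        # BadLogonCount is stored per domain controller.
        $props  = 'LockedOut', 'LastBadPasswordAttempt', 'BadLogonCount'
        $before = Get-ADUser -Identity $SamAccountName -Properties $props -Server $Server

        if (-not $before.LockedOut) {
            Write-Warning "$SamAccountName is not locked out on $Server; nothing to do."
            return
        }

        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock account')) {
            # -Confirm:$false avoids a second prompt when -Confirm was passed to this function.
            Unlock-ADAccount -Identity $before -Server $Server -Confirm:$false

            # Unlock-ADAccount returns nothing, so read the state back explicitly.
            $after = Get-ADUser -Identity $SamAccountName -Properties LockedOut -Server $Server

            [pscustomobject]@{
                SamAccountName         = $before.SamAccountName
                Name                   = $before.Name
                LastBadPasswordAttempt = $before.LastBadPasswordAttempt
                BadLogonCount          = $before.BadLogonCount
                WasLocked              = $before.LockedOut
                LockedNow              = $after.LockedOut
                Server                 = $Server
            }
        }
    }
}

# Unlock the user from the walkthrough and show the before/after state.
Unlock-ADUserVerified -SamAccountName swalker
```

The returned object keeps the last bad password time and bad logon count that were present at unlock time, which is useful if the same account locks again.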

Unlock All AD Users with PowerShell

This command will search Active Directory for all locked accounts and automatically unlock them all.

Tip: If the same accounts keep getting locked out, you should investigate why before unlocking them all. You can check out this how-to guide for troubleshooting account lockouts and tracking down the source of lockout events.

Search-ADAccount -Lockedout | Unlock-AdAccount

In this example I have locked three accounts. I’ll use the Search-ADAccount command to list all the locked accounts.

Now to unlock all the accounts at once I just add | Unlock-ADAccount to the end of the search command, example screenshot below.

I’ll run Search-ADAccount -LockedOut again to confirm all the accounts were unlocked.

You can see above that no accounts are listed.

Again, I would be cautious about unlocking all the user accounts at once. Accounts are locked out for a reason (multiple bad password attempts), so unless you know exactly what’s going on, be careful with this one.

Unlock All AD Users with Confirmation First

This command is the same as the previous example, but it adds a confirmation prompt for each account before it is unlocked. This is helpful because you can unlock accounts in bulk but still confirm them one at a time.

Search-ADAccount -Lockedout | Unlock-AdAccount -Confirm

Here is what this looks like

Try these commands out and let me know how they work by leaving a comment below.
