Quickly Unlock AD User Accounts with PowerShell

In this tutorial, I’ll show you how to quickly unlock AD User accounts with PowerShell.

I’ve included examples to unlock a single Active Directory user and how to unlock multiple user accounts. As an alternative to PowerShell, I’ll also show you a GUI tool to quickly unlock user accounts.

These PowerShell commands require the Active Directory module to be installed. It’s best that you install the RSAT tools on your computer. This will prevent the need to load the module every time you run Active Directory related PowerShell commands. You also need to update PowerShell to the latest version to ensure all the cmdlets are updated. Server 2012 has PowerShell 4 installed by default so make sure you update to version 5.1 or the new PowerShell core 7.

Let’s jump right into some examples!

Example 1. Unlock AD Account with PowerShell

In this first example, I’ll use PowerShell to unlock a single user using the account SamAccountName (aka logon name).

Step 1. Run the Unlock-ADAccount cmdlet

Unlock-ADAccount -Identity robert.allen

The above command will unlock the user “robert.allen”. Replace robert.allen with your user’s logon name.

Step 2. Verify Lockout Status

Get-ADUser robert.allen -Properties * | Select-Object LockedOut

The above command will check if the account is locked out.

That is all for example 1.

That was easy, right?

Example 2. Unlock AD Account with Confirmation

This command is the same as the previous example but it adds a confirmation for each account to unlock.

Unlock-AdAccount -identity alice.mills -Confirm

This will pop up a message to confirm the action.

Tip: If you have repeated accounts locked out you should investigate why before unlocking them all. You can check out this how to guide for troubleshooting account lockouts and tracking down the source of lockout events.

Example 3. Unlock All AD User Accounts with PowerShell

I don’t recommend this but you can find all locked users and unlock them with the command below. If a large number of accounts are locked out that should raise some concerns. You should investigate and look at the logs to ensure nothing suspicious is going on in your network.

Search-ADAccount -Lockedout | select-object Name, SamAccountName

In this example, I have locked three accounts, I’ll use the Search-ADAccount command to list all the locked accounts.

To unlock all the accounts at once I just add | Unlock-AddAccount to the end of the search command, example screenshot below.

I’ll run Search-AdAccount -lockout again to confirm all the accounts were unlocked.

You can see above that no accounts are listed.

Again I would be cautious about unlocking all the user accounts at once. Accounts are locked out for a reason (multiple bad password attempts) so unless you know exactly what’s going on be careful with this one.

You can also add the -confirm to this example to confirm each unlock.

Try these commands out and let me know how they work by leaving a comment below.

Example 4. Unlock AD Account with the AD Pro Toolkit

If you want an alternative to PowerShell then check out the User Unlock tool from the AD Pro Toolkit. With this tool, you can also reset passwords and find the source computer or the lockout.

Step 1: Open the Password Reset & Unlock Tool

Click here to download a free trial.

From the list of tools click on Password Reset.

Step 2: Click Check for Locked Users

When you click “Check for Locked Users” It will display the username, LockoutTime, Password last Set, UserPrincipalName, and DN.

Step 3: Right Click to Unlock

Right-click on any locked account and select unlock.

You will get a pop up letting you know the accounts of been unlocked.

You can also reset passwords and use the troubleshot lockouts option to find the source of account lockouts.

The AD Pro Toolkit includes hundreds of Active Directory reports for users, computers, groups, and more. It also includes several tools to simplify user account management.

Click here to download a free trial of the AD Pro Toolkit.

11 thoughts on “Quickly Unlock AD User Accounts with PowerShell”

Ashley Cooper

December 10, 2021 at 2:14 pm

The post was very useful and using your examples I was able to unlock an account that proved difficult using the standard GUI to unlock the account.
Myles Dugenfelder

February 10, 2021 at 12:50 pm

Nice post but how about adding in using a secondary l/p to run the command?
The options are there but an example would be better.
Matias Morante

September 22, 2020 at 2:30 am

hi.

I have an issue with a user, his account gets locked. What I need is a couple of commands to check if an specific user gets locked, then unlock it and make it a permanent cycle while we identify the issue. Can we set a 30 second delay between each search/unlock query? Is it complicated?
- Ray
  
  January 27, 2023 at 11:10 pm
  
  AD is locking the account for a reason. Check to see if user’s password has recently changed and if user is logged in on another system with the old password.
Richard Jones

July 24, 2020 at 8:56 am

Hi,
I thought I would try using -PassThru, to see if I can make a GUI to unlock accounts .
I am trying to use:
Seach-ADAccount -LockedOut | select name | Out-GridView -PassThru |Unlock-ADAccount
I get a list of licked account, but when I select one and Click OK I get this Error below.
I feel I am doing something very wrong, but am not sure what. CAn anyone help> 🙂

Error I get:
Unlock-ADAccount : The input object cannot be bound to any parameters for the command either because the command does
not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:86
+ … ew -PassThru | Unlock-ADAccount
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (@{name=sqladmin}:PSObject) [Unlock-ADAccount], ParameterBindingExcepti
on
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.UnlockADAccount
Erik

November 29, 2019 at 10:51 pm

Hello, is there a way with this command “Search-ADAccount -Lockedout | Unlock-AdAccount”
to exclude few specific users? For exaple exclude user1, user2, user3 (not using confirm)?
- Robert Allen
  
  December 26, 2019 at 2:27 pm
  
  Yes you can use the Where-Object cmdlet to filter objects from the pipeline.
  
  This example will return all users that are not equal to user1.
  
  Search-ADAccount -Lockedout | Unlock-AdAccount | where-object {$_.name -ne ‘user1’}
  
  Here is a good overview on filtering objects https://docs.microsoft.com/en-us/powershell/scripting/samples/removing-objects-from-the-pipeline–where-object-?view=powershell-6
Larry Timmins

April 25, 2019 at 4:46 pm

Good review. I do something similar but qualify so I only unlock Enabled accounts in AD (accounts are disabled for a reason typically).

search-adaccount -usersonly -lockedout | where {$_.Enabled -eq $true} | Unlock-ADAccount

I also extend this to prevent unlocking enabled but general accounts like “student” managed by help desk such as:

search-adaccount -usersonly -lockedout | where {$_.Enabled -eq $true} | where {$_.samAccountName -notlike “STUDENT*”} | Unlock-ADAccount

My next step will be to restrict this so the Powershell based GUI displays an unlock button for the groups I want the gui to manage.

More on GUIs at https://blogs.technet.microsoft.com/heyscriptingguy/2011/07/24/create-a-simple-graphical-interface-for-a-powershell-script/

All the best Larry
- Robert Allen
  
  May 2, 2019 at 11:37 pm
  
  Filtering on enabled accounts is a good tip. Thanks Larry
Luca

March 22, 2019 at 11:28 am

many thanks Roberts, it helped me a lot. Luca
- Robert Allen
  
  March 29, 2019 at 12:08 am
  
  Luca,
  
  No problem