Answer: You bet there is! You can search and unlock AD accounts with a one-line command. Let’s begin!
To start, you will need to open PowerShell as an Administrator that has access to unlock accounts. Next, you will need the Active Directory Module. On Windows Server, this is already installed. If you install RSAT for Windows 10, it is also already installed. Otherwise, you can run the following command in PowerShell to load the module into your session.
Import-Module ActiveDirectory
The Active Directory module for PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
Once the ActiveDirectory Module is installed we can continue with the rest of the command. To find all AD accounts locked out type the following:
Search-ADAccount -LockedOut
The command above lists every account that is locked out of Active Directory. This is a very nice, fast output of every account that is locked out. Now how do we manipulate this data? Yes, that is right, this data alone is only part of the work involved. Now we need to manipulate this data and make it work for us instead of the other way around.
What I like to do is throw this into a variable. Like below:
$locked = Search-ADAccount -LockedOut
Now the variable $locked holds all of the data we want to see: all of the accounts that are locked out.
Now we can do a foreach off $locked like so:
foreach ($l in $locked) { Write-Host "$($l.Name) is locked." }
That’s great and all, but how does this also unlock the account? This answer is rather simple. It doesn’t. The next line does that. Remember we want this data to work for us.
Search-ADAccount -LockedOut | Unlock-ADAccount
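Piping every locked account straight into Unlock-ADAccount also clears lockouts that were caused by repeated bad password attempts, so it is worth looking at when and why accounts locked before unlocking them. The following is an added example, not the author's code; the 15-minute window, the threshold of 5 and the CSV path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): review lockouts, then unlock with confirmation.
Import-Module ActiveDirectory

# Assumptions: constructed values, tune them to your environment.
$windowMinutes  = 15                        # how far back counts as "recent"
$burstThreshold = 5                         # this many recent lockouts is treated as a burst
$reportPath     = '.\locked-accounts.csv'   # hypothetical path for the record

# Search-ADAccount finds the locked users; Get-ADUser adds the lockout details.
$locked = @(Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
    Select-Object Name, SamAccountName, AccountLockoutTime,
                  LastBadPasswordAttempt, BadLogonCount, DistinguishedName)

if ($locked.Count -eq 0) {
    Write-Host 'No locked accounts found.'
}
else {
    # Show what is about to be unlocked and keep a copy for later review.
    $locked | Sort-Object AccountLockoutTime | Format-Table -AutoSize
    $locked | Export-Csv -Path $reportPath -NoTypeInformation

    # Many accounts locking out close together is worth investigating
    # (for example, failed logons against many users from one source).
    $cutoff = (Get-Date).AddMinutes(-$windowMinutes)
    $recent = @($locked | Where-Object { $_.AccountLockoutTime -gt $cutoff })

    if ($recent.Count -ge $burstThreshold) {
        Write-Warning ("{0} accounts locked in the last {1} minutes. " -f $recent.Count, $windowMinutes)
        Write-Warning 'Review the failed logons before unlocking. Nothing was unlocked.'
    }
    else {
        foreach ($l in $locked) {
            # -Confirm prompts per account; swap it for -WhatIf to do a dry run.
            Unlock-ADAccount -Identity $l.DistinguishedName -Confirm
        }
    }
}
```

The CSV keeps the lockout time and bad logon count for each account, which are reset once the account is unlocked and the user signs in again.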
Let’s put it all together for you below.