Use PowerShell to Find and Unlock Users in Active Directory

Summary: PowerShell MVP, Sean Kearney, shows how to use Windows PowerShell to find and unlock users in AD DS.

Microsoft Scripting Guy, Ed Wilson, is here. Today I am happy to announce that Honorary Scripting Guy and Microsoft PowerShell MVP, Sean Kearney, is back. This week will be Windows PowerShell in Blueville. Take it away Sean.

Blueville, Inc. was a wonderful place,
Where each IT worker has scripted a pace,
The management of actions, the flowing of work
Made each member function with nary a quirk.

But up in the tower, a mouse at his hands,
Was poor Mr. Finch surveying the lands,
All day with the GUI he stumbled so slow,
Not so productive, his output was low.

But in Blueville, the workers, we’ll call them the Blues
Were dancing and happy, with all of the news
Of a magical system, and from Monad it came,
Called PowerShell you see, such a wonderful name.

Mr. Finch spent each and every day a clicking and grunting,
Each moment you see, on the screen he was hunting.
He looked down from his office, his fingers were drumming,
Deep in his mind, his thoughts were a humming.

“Why are they so happy?” he wondered aloud.
“Why are the Blues smiling?” his thoughts in the cloud.
He watched as they worked with smiles in their eyes,
Their shiny Blue teeth raised to the skies.

Mr. Finch clicked Pause on the Seuss-RhymeOMatic and got up from his chair. He was having a difficult time. Over and over, the words ran through his head.

“…I have a problem that is giving a pain,
A riddling problem that is nagging my brain,
I have a division that is driving me dilly,
The users get locked out daily, it’s making me silly.
They get locked out in twos, and even in bunches.
They lock themselves out while chomping on lunches.
Please give me a way, please do it now
To stop all this madness, please show me how…”

Constantly unlocking accounts for a particular division in Active Directory…what a dilemma. Constantly pulling up the username, clearing the box, going back in for the next one a few moments later. It was driving him goofy.

Those words echoed in his head. He had thousands of happy Blue workers in Blueville, Inc. If only he had learned VBScript long ago. But it seemed so hard. He decided to take a walk to see the Blues. Sometimes talking things out gave him ideas…always a good way to go.

A little Blue was humming away. It was Stu. Stu Blue. Stu was happily smiling at a screen of Blue and unlocking a user.

Mr. Finch looked on at Stu and queried him too.

“How is it Mister Stu? How is it to work so happily upon that screen of Blue?”

Stu looked up at Mr. Finch and smiled away. “It is PowerShell Mr. Finch, a system that speeds up my day.”

Mr. Finch had heard of PowerShell—from Mount Monad it came, but it was a scripting solution, and all were the same.

Stu looked up and noticed the RhymeOMatic light was on, and quickly hit Pause.

“Thanks! That rhyming was driving me crazy. So I thought Windows PowerShell was another scripting solution? Isn’t it hard to learn?”

Stu thought for a moment. “I never thought about that because I don’t think I learned Windows PowerShell. I just use one or two cmdlets daily. I unlock users.”

This sounded like the person to help. “How hard is it to unlock an account with Windows PowerShell, Stu Blue?”

“I simply key in the cmdlet called Unlock-ADAccount, and the SAM account name of a user, like this.”

Unlock-ADAccount 'John.Smith'

“And of course, it’s never just one user, sometimes it’s an entire division from Blueville, Inc. It tends to go all thumbs some days….”

Mr. Finch nodded. This sounded familiar, but it must involve scripting. Mr. Finch watched.

“If I need to unlock an entire division of silly people typing on their keyboard with their noses, I can just pull up the list in Active Directory with a Get-ADUser cmdlet like this.”

Get-ADUser -Filter * -SearchBase 'CN=Legal,CN=Boston,DC=Blueville,DC=Local'

Mr. Finch watched an entire list of users flow by on the screen.

“Should I wish to unlock them all ‘carte blanche,’ I can simply pipe the content straight into the previous cmdlet like this.”

Get-ADUser -Filter * -SearchBase 'CN=Legal,CN=Boston,DC=Blueville,DC=Local' | Unlock-ADAccount

Mr. Finch looked over at Stu. “How did you learn how to work the cmdlets in Windows PowerShell?”

Stu looked up. “Within Windows PowerShell, there is a beautiful Help system. I key in Get-Help, the cmdlet name, and the Examples parameter. For example, the first time I wanted to learn how to use Unlock-ADAccount, I typed the following…”

Get-Help Unlock-ADAccount -Examples

“…and it provided me with some good examples. I know they say you can script with Windows PowerShell, but I am only first-level support. I only use it for unlocking users and it suits me fine!”

Mr. Finch was impressed. He decided to return upstairs with this new knowledge. If basic use of Windows PowerShell was this easy, perhaps scripting wasn’t so hard.
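Stu's division-wide pipeline sends every user under the search base to Unlock-ADAccount, locked or not, and leaves no record of who was unlocked. The following is an added example, not part of the original post: it narrows the unlock to accounts that are currently locked out, records the bad-logon details first (a burst of lockouts can be a sign of password guessing rather than clumsy typing), and previews the change before making it. The search base is the one from the post; the log path is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $LogPath is a hypothetical location; adjust for your environment.
$SearchBase = 'CN=Legal,CN=Boston,DC=Blueville,DC=Local'
$LogPath    = Join-Path $env:TEMP 'unlock-audit.csv'

# Search-ADAccount -LockedOut returns only accounts that are locked right now,
# so accounts that are fine never reach Unlock-ADAccount.
$locked = @(Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase)

if ($locked.Count -eq 0) {
    Write-Host "No locked-out users under $SearchBase"
    return
}

# Collect the attributes that explain each lockout before clearing it.
$report = $locked | ForEach-Object {
    Get-ADUser -Identity $_.DistinguishedName `
        -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
} | Select-Object SamAccountName, Enabled, BadLogonCount,
                  LastBadPasswordAttempt, AccountLockoutTime

# Show the list to the operator and keep an audit trail of what was unlocked.
$report | Format-Table -AutoSize
$report | Export-Csv -Path $LogPath -NoTypeInformation -Append

# Preview: -WhatIf lists the accounts that would be unlocked and changes nothing.
$locked | Unlock-ADAccount -WhatIf

# Unlock for real, asking for confirmation on each account.
$locked | Unlock-ADAccount -Confirm
```

Drop `-Confirm` only once the report has been reviewed; an account with a high BadLogonCount and a recent LastBadPasswordAttempt deserves a closer look before it is unlocked.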

And so Mr. Finch went back to floor two,
Went away to his computer to a screen of pure Blue.
That night PowerShell, he did open to play
And discover the wonder awaiting next day…

Thanks Sean. Please join us tomorrow for Part 2.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy