Weekend Scripter: Active Directory Account Unlock Shortcut for Help Desk

Summary: Today’s post is a quick Windows PowerShell tip to save time for the Help Desk to unlock Active Directory accounts.

Microsoft Scripting Guy, Ed Wilson, is here. I was talking to Ashley the other day, and he was telling me about a cool tip he came up with that many of his customers had been using on a regular basis. Although the technique is rather basic, he said that the customers found it to be extremely valuable. I told him, “Well, why don’t you write up a quick post, and we will put it on the Hey, Scripting Guy! Blog.” Today’s post is a result of that conversation.

Ashley McGlone is a premier field engineer (PFE) for Microsoft. He started writing code on a Commodore VIC20 in 1982, and he has been hooked ever since. Today he specializes in Active Directory and Windows PowerShell, helping Microsoft Premier Customers reach their full potential through risk assessments and workshops. Ashley’s favorite workshop to teach is Windows PowerShell Essentials, and his TechNet blog focuses on real-world solutions for Active Directory by using Windows PowerShell.

Blog: http://blogs.technet.com/b/ashleymcglone
Twitter: @GoateePFE

I was teaching a Windows PowerShell class last week, and my favorite part is always the last afternoon when I help students start their own scripts. One student asked if there is a way to put a shortcut on the desktop for the Help Desk staff to unlock Active Directory accounts. I said, “Sure! This sounds like fun.” In only a couple minutes, we crafted this quick batch command that launches Windows PowerShell, loads the Active Directory module, prompts for the account name, and then unlocks it. Essentially, it is one wrapped line of code (not counting the “echo off”), as shown here:

@echo off
powershell.exe -Command “& {Import-Module ActiveDirectory; Read-Host “Enter the user account to unlock” | Unlock-ADAccount}”

Image of command output

Then another student asked if we could prompt for credentials in case they needed to use a different account to perform the unlock. That was a quick edit to add the -Credential parameter with a prompt for creds.

@echo off
powershell.exe -Command “& {Import-Module ActiveDirectory; Read-Host “Enter the user account to unlock” | Unlock-ADAccount -Credential $(Get-Credential)}”

Image of command output

Follow these steps to create your quick unlock shortcut:

  • Create an empty BAT file on your desktop.
  • Paste the previous script.
  • Save.
  • Double-click.
  • That’s it!

Note   This requires a workstation running Windows 7 with the RSAT installed and the Active Directory cmdlet feature enabled. Also, you must be running Active Directory Web Services on at least one domain controller. You can find instructions for RSAT and Active Directory Web Services in my blog Step-by-Step: How to use Active Directory PowerShell cmdlets against 2003 domain controllers.

The beauty of this shortcut involves calling Windows PowerShell.exe and passing in the script block. In the script block, notice that we use the semicolon for new lines, which enables us to wrap multiple lines into a single line.

I hope this saves you time with the Help Desk. If you would like some other time-saving tips for using Windows PowerShell for the Help Desk, see my blog How to close helpdesk tickets faster with PowerShell. P.S. If you would like to book a Windows PowerShell Essentials workshop with a Microsoft PFE, contact your premier technical account manager (TAM) for more information.

Enjoy!
~Ashley

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy