6.8. Unlocking a User


You want to unlock a locked out user.


Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Type the name of the user beside Name and click Find Now.

  5. In the Search Results, right-click on the user and select Unlock.

  6. Click OK.

Using VBScript

' This code unlocks a locked user.
strUsername = "<UserName>"        ' e.g. jsmith
strDomain = "<NetBiosDomainName>" ' e.g. RALLENCORP
' ------ END CONFIGURATION ---------

set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)
if objUser.IsAccountLocked = TRUE then
   objUser.IsAccountLocked = FALSE
   WScript.Echo "Account unlocked"
   WScript.Echo "Account not locked"
end if


If you’ve enabled account lockouts in a domain (see Recipe 6.11), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is either because a user mistypes his password a number of times, or he changes his password and does not log off and log on again, or has mapped drives.

You can use ADSI’s IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. Unfortunately, there is a bug with the LDAP provider version of this method so you have to use the WinNT provider instead. See MS KB 250873 for more information on this bug.

See Also ...

Get Active Directory Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.