6.8. Unlocking a User
Problem
You want to unlock a locked out user.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
In the left pane, right-click on the domain and select Find.
Select the appropriate domain beside In.
Type the name of the user beside Name and click Find Now.
In the Search Results, right-click on the user and select Unlock.
Click OK.
Using VBScript
' This code unlocks a locked user.
' ------ SCRIPT CONFIGURATION ------
strUsername = "<UserName>"          ' e.g. jsmith
strDomain   = "<NetBiosDomainName>" ' e.g. RALLENCORP
' ------ END CONFIGURATION ---------

set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)
if objUser.IsAccountLocked = TRUE then
   objUser.IsAccountLocked = FALSE
   objUser.SetInfo
   WScript.Echo "Account unlocked"
else
   WScript.Echo "Account not locked"
end if
Discussion
If you’ve enabled account lockouts in a domain (see Recipe 6.11), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is because the user mistypes his password a number of times, changes his password and does not log off and log on again, or has mapped drives.
You can use ADSI’s IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. Unfortunately, there is a bug with the LDAP provider version of this method so you have to use the WinNT provider instead. See MS KB 250873 for more information on this bug.
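The following is an added example, not code from the original recipe: it applies the same WinNT-provider IsAccountLocked check to several users given on the command line and reports a timestamped result for each, including bind and write failures. The script name unlockusers.vbs and the UnlockUser function are hypothetical names chosen for illustration.

```vbscript
' Added example: unlock several users through the WinNT provider.
' Usage (hypothetical file name):
'   cscript //nologo unlockusers.vbs <NetBiosDomainName> <UserName> [<UserName> ...]
Option Explicit

Dim strDomain, i

If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: cscript unlockusers.vbs <NetBiosDomainName> <UserName> [...]"
    WScript.Quit 1
End If

strDomain = WScript.Arguments(0)
For i = 1 To WScript.Arguments.Count - 1
    ' One timestamped line per account, so the output can be kept as a record.
    WScript.Echo Now & " " & strDomain & "\" & WScript.Arguments(i) & ": " & _
                 UnlockUser(strDomain, WScript.Arguments(i))
Next

' Returns a status string: "unlocked", "not locked", or a failure description.
Function UnlockUser(strDomain, strUsername)
    Dim objUser, blnLocked
    On Error Resume Next

    ' ",user" restricts the bind to user objects of that name.
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername & ",user")
    If Err.Number <> 0 Then
        UnlockUser = "bind failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    ' Read the lockout state into a variable so a read error is caught explicitly.
    blnLocked = objUser.IsAccountLocked
    If Err.Number <> 0 Then
        UnlockUser = "could not read lockout state (0x" & Hex(Err.Number) & ")"
    ElseIf Not blnLocked Then
        UnlockUser = "not locked"
    Else
        objUser.IsAccountLocked = False
        objUser.SetInfo
        If Err.Number <> 0 Then
            UnlockUser = "unlock failed (0x" & Hex(Err.Number) & ")"
        Else
            UnlockUser = "unlocked"
        End If
    End If
End Function
```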