Re: unlock user accounts en masse



Sam B. wrote:

> I've seen the syntax on unlocking a user account, but is there a way to
> enumerate the list of users in a given container/OU and then incrementally
> unlock the accounts? I've done some digging around and haven't found pieces
> that I could get to work together.
>
> If it's not possible, I'd like to know that, too.
>
Hi,

Determining if an account is locked out with the LDAP provider is not
simple. I have a sample program to find out if a given user is locked out,
and then allow the user to unlock the account linked here:

http://www.rlmueller.net/IsUserLocked.htm

To check all users in a container/OU, it is actually easier to use the WinNT
provider. For example, here is a sample program to document all accounts
that are locked out:

http://www.rlmueller.net/LockedUsers.htm

The relevant code is:

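' Find locked out user accounts in domain.
' strNetBIOSDomain is the NetBIOS name of the domain; here it is taken
' from the logged-on user's domain.
Set objNetwork = CreateObject("WScript.Network")
strNetBIOSDomain = objNetwork.UserDomain
Set objDomain = GetObject("WinNT://" & strNetBIOSDomain)
objDomain.Filter = Array("user")
For Each objWinNTUser In objDomain
    ' IsAccountLocked is True while the account is locked out.
    If objWinNTUser.IsAccountLocked = True Then
        ' Do something.
    End If
Next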

This could be modified to unlock the accounts. However, because WinNT is
blind to any AD hierarchy, it cannot recognize OUs. I would suggest for
each user found to be locked out to use the NameTranslate object to convert
the NT name (sAMAccountName, which is objWinNTUser.Name above) to the
distinguishedName, and from that determine the parent object (container or
OU).

The NameTranslate object is documented here:

http://www.rlmueller.net/NameTranslateFAQ.htm

Note, the IsAccountLocked method exposed by the LDAP provider does not work.
You might want to use a program that lists all locked out users, then code
another program to read the list and unlock the accounts. This gives you the
opportunity to review the list. I hope this helps.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
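
An added example, not part of the post above or of the linked programs: one way to combine the steps the reply describes (WinNT enumeration, NameTranslate to find the parent OU, and a reviewable list before unlocking). The OU distinguished name, the list file name, the script name and taking the domain from the logged-on user are assumptions.

```vbscript
' Added example. Run with cscript.exe from a domain account:
'   cscript UnlockOU.vbs list    writes locked-out users under the OU to a file
'   cscript UnlockOU.vbs unlock  unlocks only the names still in that file
Option Explicit
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Const strTargetOU = "ou=Sales,dc=example,dc=com"   ' hypothetical OU
Const strListFile = "LockedUsers.txt"              ' hypothetical review file

Dim objFSO, objFile, objDomain, objUser, objTrans
Dim strDomain, strDN, strName, strMode

strMode = ""
If WScript.Arguments.Count = 1 Then strMode = LCase(WScript.Arguments(0))
Set objFSO = CreateObject("Scripting.FileSystemObject")
strDomain = CreateObject("WScript.Network").UserDomain   ' assumed domain source

If strMode = "list" Then
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    Set objFile = objFSO.CreateTextFile(strListFile, True)
    Set objDomain = GetObject("WinNT://" & strDomain)
    objDomain.Filter = Array("user")
    For Each objUser In objDomain
        If objUser.IsAccountLocked = True Then
            ' WinNT cannot see OUs, so translate the NT name to a DN.
            objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & objUser.Name
            strDN = objTrans.Get(ADS_NAME_TYPE_1779)
            ' Keep users anywhere under the target OU (suffix match on the DN).
            If LCase(Right(strDN, Len(strTargetOU) + 1)) = "," & LCase(strTargetOU) Then
                objFile.WriteLine objUser.Name
            End If
        End If
    Next
    objFile.Close
ElseIf strMode = "unlock" Then
    Set objFile = objFSO.OpenTextFile(strListFile, 1)   ' 1 = ForReading
    Do Until objFile.AtEndOfStream
        strName = Trim(objFile.ReadLine)
        If strName <> "" Then
            Set objUser = GetObject("WinNT://" & strDomain & "/" & strName & ",user")
            objUser.IsAccountLocked = False
            objUser.SetInfo
            WScript.Echo "Unlocked " & strName
        End If
    Loop
    objFile.Close
Else
    WScript.Echo "Usage: cscript UnlockOU.vbs list|unlock"
End If
```

Between the two runs, the list file can be edited to drop any account whose lockout should be investigated rather than cleared.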