Automatic Active Directory account unlock with PowerShell
The PowerShell script given below can be used to automatically unlock the Active Directory user accounts that have been locked out in an organization. ADSelfService Plus also offers an option which, when enabled, runs a scheduler at regular intervals to search for locked user accounts and automatically unlocks them. Here is a comparison between the automatic account unlock using PowerShell and ADSelfService Plus:
PowerShell
Import-Module ActiveDirectory   # RSAT Active Directory module; run under an account with unlock rights
Search-ADAccount -LockedOut | Unlock-ADAccount
ADSelfService Plus
- Go to Configuration > Policy Configuration.
- Create a new policy.
- Once the information required to create the policy is provided, click on Advanced, navigate to the Automation tab and select the Automatically unlocks locked-down accounts in your domain checkbox.
- Specify the Frequency at which the scheduler should be run. Click OK and, in the Policy Configuration section, click Save.
- Quick configuration:
With ADSelfService Plus, automatic account unlock can be enabled by entering minimal information. The PowerShell one-liner above unlocks all locked user accounts at once, but running a scheduler that periodically finds and unlocks locked-out user accounts requires writing and maintaining a considerably longer script.
- Secure management of data:
In ADSelfService Plus, sensitive information such as the user's credentials is not stored anywhere, unlike the PowerShell approach above, which requires storing the user's credentials in the script.
- Choose users whose accounts can be automatically unlocked:
In ADSelfService Plus, administrators can specify the domains, OUs, and groups whose users should have their accounts automatically unlocked when they get locked out. Using PowerShell to automate account unlocks for specific users requires creating and managing a more extensive script.
- Automatically synchronize any changes to the user account with all domain controllers:
Once the user has been unlocked with ADSelfService Plus, the user's account status is automatically synchronized with all the domain controllers in the AD domain.
- Synchronize unlocks with integrated enterprise applications:
When users unlock their user accounts using ADSelfService Plus, their locked user accounts in enterprise applications integrated for password synchronization are automatically unlocked as well.
- Audit password reset and other actions:
With ADSelfService Plus, automatic account unlocks, self-service actions, enrollment, and identity verification are all audited and can be viewed as reports that are generated with just a few clicks.
- Notify the admin:
Administrators can be notified through email and SMS about users' password resets and other actions such as account unlock, password change, and enrollment using ADSelfService Plus.
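As an added illustration of the scripted alternative referred to under "Quick configuration" and "Choose users whose accounts can be automatically unlocked" above, the following script is example code written for this page; it is not from the original page or from ADSelfService Plus. It assumes the RSAT ActiveDirectory module is installed, that it runs under a scheduled-task account holding "Unlock account" rights on the target OU, and that the OU, group, and log path are placeholders to be replaced. It scopes the unlock to one OU and one group, leaves accounts locked for a minimum grace period so the lockout policy still throttles repeated bad logons, and writes a tab-separated audit line for every decision.

```powershell
# Added example (not part of the original page or ADSelfService Plus).
# Scoped, audited automatic unlock intended to be run by Task Scheduler.
# Assumptions: ActiveDirectory module present; the task account can unlock
# accounts in $SearchBase; the OU, group and log path below are placeholders.
param(
    [string]$SearchBase       = 'OU=Staff,DC=example,DC=com',  # placeholder OU
    [string]$RequiredGroup    = 'AutoUnlock-Eligible',          # placeholder group
    [string]$LogPath          = 'C:\Logs\AutoUnlock.log',       # placeholder path
    [int]   $MinLockedMinutes = 15                              # grace period before unlocking
)

Import-Module ActiveDirectory

# One audit line per decision: timestamp, who ran it, the account, and the outcome.
function Write-AuditLine {
    param([string]$SamAccountName, [string]$Outcome)
    $line = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $env:USERNAME, $SamAccountName, $Outcome
    Add-Content -Path $LogPath -Value $line
}

# Resolve the eligibility group once; membership is compared by distinguished name.
$groupDn = (Get-ADGroup -Identity $RequiredGroup).DistinguishedName
$cutoff  = (Get-Date).AddMinutes(-$MinLockedMinutes)

# Find locked-out user accounts inside the OU only, then pull the attributes needed
# for the eligibility and grace-period checks.
$locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase |
    Get-ADUser -Properties MemberOf, AccountLockoutTime, BadLogonCount

foreach ($user in $locked) {
    # Out of scope: locked, but not in the eligibility group.
    if ($user.MemberOf -notcontains $groupDn) {
        Write-AuditLine -SamAccountName $user.SamAccountName -Outcome 'SKIPPED-NOT-ELIGIBLE'
        continue
    }

    # Grace period: an account locked very recently stays locked for now, so the
    # lockout still slows down whatever caused the bad logons.
    if ($user.AccountLockoutTime -and $user.AccountLockoutTime -gt $cutoff) {
        Write-AuditLine -SamAccountName $user.SamAccountName -Outcome 'SKIPPED-GRACE-PERIOD'
        continue
    }

    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
        $outcome = 'UNLOCKED (bad logons before unlock: {0})' -f $user.BadLogonCount
    }
    catch {
        $outcome = 'FAILED: {0}' -f $_.Exception.Message
    }
    Write-AuditLine -SamAccountName $user.SamAccountName -Outcome $outcome
}
```

Register the script with Task Scheduler (for example every 15 minutes) under a dedicated service account rather than a domain administrator, and point the audit log at a location the task account can append to but interactive users cannot edit; the log is what replaces the built-in reporting that the product side of the comparison refers to.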