Monday, 17 March 2014

VBScript to Unlock AD User Account

Description:

In this article, I am going to write VBScript code to unlock an Active Directory user account by asking the user for the account name, and VBScript code to unlock all the currently locked out AD users in the entire domain or in a specific OU.


VBScript to Unlock AD User Account

1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Save the file with a .vbs extension, for example: UnlockADUser.vbs
3. Double-click the vbscript file (or Run this file from command window) to unlock active directory user.
4. Enter the user name to Unlock and click OK to proceed.

Unlock Currently Locked out Active Directory Users using VBScript

' UnlockADUser.vbs
' Sample VBScript to Unlock Active Directory user .
' Author: http://www.morgantechspace.com/
' ------------------------------------------------------' 

Option Explicit
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim strUserName,objUser

' Asks username from user to Unlock.
Do
   strUserName= InputBox ("Please enter user name")
   If strUserName= "" then
     Wscript.Echo "No user name entered"
   end if
Loop Until strUserName <> ""

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

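' Filter on user objects. The typed name is placed in the filter unescaped,
' so characters such as * ( ) \ in the input are treated as filter syntax.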
varFilter = "(&(objectCategory=person)(objectClass=user)(|(samaccountname="& strUserName &")(name="& strUserName &")))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

If Not adoRecordset.EOF Then
   ' A "/" in a distinguished name must be escaped as "\/" inside an ADsPath.
   Set objUser = GetObject("LDAP://" & Replace(adoRecordset.Fields("distinguishedname").Value, "/", "\/"))
   If objUser.IsAccountLocked = 0 Then
      WScript.Echo "The User '" & strUserName & "' was already Unlocked."
   Else
      objUser.IsAccountLocked = 0
      objUser.SetInfo
      WScript.Echo "The user '" & strUserName & "' has been Unlocked successfully."
   End If
Else
   WScript.Echo "No user found with the name '" & strUserName & "'"
End If

' close ado connections.
adoRecordset.Close
adoConnection.Close
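
The script above places the typed name straight into the LDAP filter and unlocks the first record returned, although `name` is not unique in a domain. The following is an added example, not the original author's code: it escapes the input per RFC 4515 and refuses to act when more than one account matches. The helper name `EscapeLdapFilter` is an assumption of this example.

```vbscript
Option Explicit
Dim strUserName, strSafe, strQuery, strDN, objRootDSE, objUser
Dim adoConnection, adoRecordset

' Escape LDAP filter metacharacters (RFC 4515). The backslash goes first so
' the escapes added afterwards are not escaped again.
Function EscapeLdapFilter(ByVal strValue)
    strValue = Replace(strValue, "\", "\5c")
    strValue = Replace(strValue, "*", "\2a")
    strValue = Replace(strValue, "(", "\28")
    strValue = Replace(strValue, ")", "\29")
    strValue = Replace(strValue, Chr(0), "\00")
    ' ";" separates the fields of the ADO query string, so hex-encode it too.
    EscapeLdapFilter = Replace(strValue, ";", "\3b")
End Function

strUserName = Trim(InputBox("Please enter user name"))
If strUserName = "" Then
    WScript.Echo "No user name entered"
    WScript.Quit 1
End If
strSafe = EscapeLdapFilter(strUserName)

Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set objRootDSE = GetObject("LDAP://RootDSE")

strQuery = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user)" & _
    "(|(sAMAccountName=" & strSafe & ")(name=" & strSafe & ")));" & _
    "distinguishedName;subtree"
Set adoRecordset = adoConnection.Execute(strQuery)

If adoRecordset.EOF Then
    WScript.Echo "No user found with the name '" & strUserName & "'"
Else
    strDN = adoRecordset.Fields("distinguishedName").Value
    adoRecordset.MoveNext
    If Not adoRecordset.EOF Then
        ' "name" can repeat across OUs: never guess which account was meant.
        WScript.Echo "More than one account matches '" & strUserName & "'; nothing was unlocked."
    Else
        ' A "/" in a DN must be escaped as "\/" inside an ADsPath.
        Set objUser = GetObject("LDAP://" & Replace(strDN, "/", "\/"))
        objUser.IsAccountLocked = False
        objUser.SetInfo
        WScript.Echo "Unlocked: " & strDN
    End If
End If
adoRecordset.Close
adoConnection.Close
```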

VBScript to Unlock all the Locked Out User Accounts in Active Directory

1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Save the file with a .vbs extension, for example: UnLockAllADUsers.vbs
3. Double-click the VBScript file (or Run this file from command window) to Unlock all the Locked Out AD users.

Note: Uncomment the line below in the script if you want to see the name of each user that gets unlocked:
' WScript.Echo "The user '"& adoRecordset.Fields("samaccountname").value &"' Unlocked."
and run the script from a command prompt, so that each name is printed to the console instead of opening a separate message box: C:\> CScript C:\Scripts\UnLockAllADUsers.vbs


VBScript Unlock Currently Locked out AD User Accounts in VBScript

' UnLockAllADUsers.vbs
' Sample VBScript to Find and Unlock all the Currently Locked Out AD users.
' Author: http://www.morgantechspace.com/
' ------------------------------------------------------' 

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes,objUser
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim count_unlockedUsers

count_unlockedUsers = 0

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 

' Filter to list locked out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
  ' A "/" in a distinguished name must be escaped as "\/" inside an ADsPath.
  Set objUser = GetObject("LDAP://" & Replace(adoRecordset.Fields("distinguishedname").Value, "/", "\/"))

  If objUser.IsAccountLocked <> 0 Then
    objUser.IsAccountLocked = 0
    objUser.SetInfo
    count_unlockedUsers = count_unlockedUsers + 1
    ' Uncomment the line below to see the name of each user that is unlocked,
    ' and run the script from a command prompt: C:\> CScript C:\Scripts\UnLockAllADUsers.vbs
    ' WScript.Echo "The user '" & adoRecordset.Fields("samaccountname").value & "' Unlocked."
  End If

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

IF count_unlockedUsers = 0 Then
    WScript.Echo "No Locked Out AD User Accounts found."
Else
   WScript.Echo "Active Directory User Account(s) Unlocked successfully"& vbCrLf  _ 
   & "No Of Users: "&count_unlockedUsers
End if

' close ado connections.
adoRecordset.Close
adoConnection.Close
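
Unlocking sets lockoutTime back to 0, so a bulk run removes the record of which accounts were locked and when. The following is an added example, not the original author's code: run before the unlock script, it appends each account with a non-zero lockoutTime (which can include lockouts that have already expired) to a CSV file together with the operator and the lockout time in UTC. The log path and the helper name `Integer8ToUtc` are assumptions of this example.

```vbscript
Option Explicit
Const LOG_PATH = "C:\Scripts\LockedOutUsers.csv"   ' hypothetical path, change as needed
Dim adoConnection, adoCommand, adoRecordset, objRootDSE
Dim objNet, objFSO, objLog, varLockout, strWhen

' Convert an Integer8 value (100-ns ticks since 1601-01-01 UTC) to a date.
Function Integer8ToUtc(ByVal objLarge)
    Dim lngHigh, lngLow
    lngHigh = objLarge.HighPart
    lngLow = objLarge.LowPart
    If lngLow < 0 Then lngHigh = lngHigh + 1   ' LowPart is signed: carry into HighPart
    Integer8ToUtc = #1/1/1601# + (((lngHigh * (2 ^ 32)) + lngLow) / 600000000) / 1440
End Function

Set objRootDSE = GetObject("LDAP://RootDSE")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
Set adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 1000
adoCommand.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1));" & _
    "sAMAccountName,lockoutTime,distinguishedName;subtree"
Set adoRecordset = adoCommand.Execute

Set objNet = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_PATH, 8, True)   ' 8 = append, create if missing

' One line per account: time of report, operator, account, lockout time (UTC), DN.
Do Until adoRecordset.EOF
    strWhen = "unknown"
    If TypeName(adoRecordset.Fields("lockoutTime").Value) = "Object" Then
        Set varLockout = adoRecordset.Fields("lockoutTime").Value
        strWhen = CStr(Integer8ToUtc(varLockout))
    End If
    objLog.WriteLine Now & "," & objNet.UserDomain & "\" & objNet.UserName & "," & _
        adoRecordset.Fields("sAMAccountName").Value & "," & strWhen & ",""" & _
        adoRecordset.Fields("distinguishedName").Value & """"
    adoRecordset.MoveNext
Loop
objLog.Close
adoRecordset.Close
adoConnection.Close
```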

VBScript to Unlock AD User Accounts From a Specific OU

1. Copy the below example vbscript code and paste it in notepad or a vbscript editor.
2. Change the value of 'varBaseDN' to your own OU's DN.
3. Save the file with a .vbs extension, for example: UnLockADUsersFromOU.vbs
4. Double-click the vbscript file (or Run this file from command window) to unlock locked out AD users From Specific OU.

' UnLockADUsersFromOU.vbs
' Sample VBScript to Find and Unlock all the Locked Out AD users From specific OU.
' Author: http://www.morgantechspace.com/
' ------------------------------------------------------' 

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes,objUser
Dim objRootDSE,strQuery, adoRecordset
Dim count_unlockedUsers

count_unlockedUsers = 0

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search only the given OU (and its sub-OUs) instead of the entire domain.
' varBaseDN is the OU DN for the AD search scope; give your own OU's Distinguished Name here.

varBaseDN = "<LDAP://OU=FTP,DC=work2008,DC=Local>"

' Filter to list locked out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
  ' A "/" in a distinguished name must be escaped as "\/" inside an ADsPath.
  Set objUser = GetObject("LDAP://" & Replace(adoRecordset.Fields("distinguishedname").Value, "/", "\/"))

  If objUser.IsAccountLocked <> 0 Then
    objUser.IsAccountLocked = 0
    objUser.SetInfo
    count_unlockedUsers = count_unlockedUsers + 1
    ' Uncomment the line below to see the name of each user that is unlocked,
    ' and run the script from a command prompt: C:\> CScript C:\Scripts\UnLockADUsersFromOU.vbs
    ' WScript.Echo "The user '" & adoRecordset.Fields("samaccountname").value & "' Unlocked."
  End If

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

IF count_unlockedUsers = 0 Then
    WScript.Echo "No Locked Out AD User Accounts found."
Else
   WScript.Echo "Active Directory User Account(s) Unlocked successfully"& vbCrLf  _ 
   & "No Of Users: "&count_unlockedUsers
End if

' close ado connections.
adoRecordset.Close
adoConnection.Close


11 comments:

  1. Thanks for sharing nice post, it describes how to unlock active directory user account. I found good information from http://www.selfservicepasswordreset.org which enables to unlock accounts from any remote computer and provides option to end users to perform update of their accounts without any help.

  2. Hi, thanks a lot for this post. May I know if you have a script on how to unlock a specific user account so we don't have to enter the user account?

    Replies
    1. You can just remove this code block:

      ' Asks username from user to Unlock.
      Do
      strUserName= InputBox ("Please enter user name")
      If strUserName= "" then
      Wscript.Echo "No user name entered"
      end if
      Loop Until strUserName <> ""

      and set your user account like this:

      strUserName= "[user-name]"

  3. Hi Morgan, great work you have done! Can you also add more than 1x username in strUserName= "[user-name]"?

  4. Dear Team,

    I am trying to run the 2nd script (UnLockAllADUsers.vbs).

    But getting below error.

    E:\Scripts\VB\Unlock_AD_Account>CScript UnLockAllADUsers.vbs
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    E:\Scripts\VB\Unlock_AD_Account\UnLockAllADUsers.vbs(51, 1) (null): 0x80005000

    Line 51 of the script is given below.

    Set objUser = GetObject("LDAP://"& adoRecordset.Fields("distinguishedname").value)

    Could you please guide me.

    Replies
    1. Hi Mohan, sorry for the late reply. Did you run the file with the help of the command CScript? Ex: run the script from a command prompt: C:\> CScript C:\Scripts\UnLockAllADUsers.vbs

  5. Hi Morgan,

    Yes, I have tried the same, however it shows the below error. My OS is Windows 7 (64-bit).

    C:\>CScript C:\Scripts\UnLockAllADUsers.vbs
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    C:\Scripts\UnLockAllADUsers.vbs(51, 1) (null): 0x80005000

  6. Hi Morgan,

    I have tried the same, but it shows the same error only. I am trying from my Windows 7 64-bit operating system.

    Replies
    1. Hi Mohan, for me it is working. The downloaded script file is also working fine. If it is possible, can you test the script on a Domain Controller instead of a client machine?

  7. Hi Morgan,

    Thank you so much. It's working fine.
