VBScript to Unlock AD User Account

Description

In this article, I am going to write VBScript code to unlock an Active Directory user account by asking the user for the account name, as well as VBScript code to unlock all the currently locked-out AD users in the entire domain or in a specific OU.

VBScript to Unlock AD User Account

1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Save the file with a .vbs extension, for example: UnlockADUser.vbs
3. Double-click the vbscript file (or Run this file from command window) to unlock active directory user.
4. Enter the user name to Unlock and click OK to proceed.

Unlock Currently Locked out Active Directory Users using VBScript

' UnlockADUser.vbs
' Sample VBScript to unlock an Active Directory user.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------' 

Option Explicit
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim strUserName,objUser

' Asks username from user to Unlock.
Do
   strUserName= InputBox ("Please enter user name")
   If strUserName= "" then
     Wscript.Echo "No user name entered"
   end if
Loop Until strUserName <> ""

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' Filter on user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(|(samaccountname="& strUserName &")(name="& strUserName &")))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

If adoRecordset.EOF <> True Then
   Set objUser = GetObject("LDAP://" & adoRecordset.Fields("distinguishedname").value)
   If objUser.IsAccountLocked = 0 Then
      WScript.Echo "The User '" & strUserName & "' was already Unlocked."
   Else
      objUser.IsAccountLocked = 0
      objUser.SetInfo
      WScript.Echo "The user '" & strUserName & "' has been Unlocked successfully."
   End If
Else
   WScript.Echo "No user found with the name '" & strUserName & "'"
End If

' close ado connections.
adoRecordset.Close
adoConnection.Close
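
The script above concatenates the InputBox value directly into the LDAP filter, so characters such as `*`, `(`, `)` and `\` in the input change what the filter matches instead of being treated as part of the name. The following added example (not part of the original script; `EscapeLdapFilterValue` and `BuildUserFilter` are hypothetical helper names) escapes the value per RFC 4515 before it goes into the filter, and runs on constructed inputs without a domain connection.

```vbscript
' Added example: escape user input before building the LDAP search filter.
' EscapeLdapFilterValue and BuildUserFilter are hypothetical helper names.
Option Explicit

' Replace the characters that are special in an LDAP filter (RFC 4515)
' with their \XX hex escapes so that they are matched literally.
Function EscapeLdapFilterValue(strValue)
    Dim i, ch, strResult
    strResult = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        Select Case ch
            Case "\"    : strResult = strResult & "\5c"
            Case "*"    : strResult = strResult & "\2a"
            Case "("    : strResult = strResult & "\28"
            Case ")"    : strResult = strResult & "\29"
            Case Chr(0) : strResult = strResult & "\00"
            Case Else   : strResult = strResult & ch
        End Select
    Next
    EscapeLdapFilterValue = strResult
End Function

' Build the same filter the unlock script uses, with the value escaped.
Function BuildUserFilter(strUserName)
    Dim strSafe
    strSafe = EscapeLdapFilterValue(Trim(strUserName))
    BuildUserFilter = "(&(objectCategory=person)(objectClass=user)" & _
        "(|(samaccountname=" & strSafe & ")(name=" & strSafe & ")))"
End Function

' Constructed sample inputs (not real accounts).
Dim arrSamples, strSample
arrSamples = Array("jsmith", "*", "John Smith (Contractor)", "ops\backup")
For Each strSample In arrSamples
    WScript.Echo "Input : " & strSample
    WScript.Echo "Filter: " & BuildUserFilter(strSample)
Next
```

To use it in UnlockADUser.vbs, assign `varFilter = BuildUserFilter(strUserName)` in place of the concatenated filter line. With the escaping in place, an input of `*` is searched as a literal asterisk rather than matching every user object.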

VBScript to Unlock all the Locked Out User Accounts in Active Directory

1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Save the file with a .vbs extension, for example: UnLockAllADUsers.vbs
3. Double-click the VBScript file (or Run this file from command window) to Unlock all the Locked Out AD users.


Note: Uncomment the line below in the VBScript file if you want to see the name of each user that gets unlocked
' WScript.Echo "The user '" & adoRecordset.Fields("samaccountname").value & "' Unlocked."
and run the script from a command prompt: C:\> CScript C:\Scripts\UnLockAllADUsers.vbs

Unlock Currently Locked Out AD User Accounts using VBScript

' UnLockAllADUsers.vbs
' Sample VBScript to Find and Unlock all the Currently Locked Out AD users.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------' 

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes,objUser
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim count_unlockedUsers

count_unlockedUsers = 0

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 

' Filter to list locked out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF

  Set objUser = GetObject("LDAP://"& adoRecordset.Fields("distinguishedname").value) 

  If objUser.IsAccountLocked <> 0 Then
     objUser.IsAccountLocked = 0
     objUser.SetInfo
     count_unlockedUsers = count_unlockedUsers + 1
     ' Uncomment the line below if you want to see the name of each user that gets unlocked,
     ' and run the script from a command prompt: C:\> CScript C:\Scripts\UnLockAllADUsers.vbs
     ' WScript.Echo "The user '" & adoRecordset.Fields("samaccountname").value & "' Unlocked."
  End If

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

IF count_unlockedUsers = 0 Then
    WScript.Echo "No Locked Out AD User Accounts found."
Else
   WScript.Echo "Active Directory User Account(s) Unlocked successfully"& vbCrLf  _ 
   & "No Of Users: "&count_unlockedUsers
End if

' close ado connections.
adoRecordset.Close
adoConnection.Close

VBScript to Unlock AD User Accounts From Specific OU

1. Copy the below example vbscript code and paste it in notepad or a vbscript editor.
2. Change the value of 'varBaseDN' to your own OU's DN.
3. Save the file with a .vbs extension, for example: UnLockADUsersFromOU.vbs
4. Double-click the vbscript file (or Run this file from command window) to unlock locked out AD users From Specific OU.

' UnLockADUsersFromOU.vbs
' Sample VBScript to Find and Unlock all the Locked Out AD users From specific OU.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------' 

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes,objUser
Dim objRootDSE,strQuery, adoRecordset
Dim count_unlockedUsers

count_unlockedUsers = 0

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Bind to RootDSE (not used for the search base in this script).
Set objRootDSE = GetObject("LDAP://RootDSE")

' varBaseDN is the OU DN for the AD search scope; give your own OU's Distinguished Name here.

varBaseDN = "<LDAP://OU=FTP,DC=work2008,DC=Local>"

' Filter to list locked out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF

  Set objUser = GetObject("LDAP://"& adoRecordset.Fields("distinguishedname").value) 

  If objUser.IsAccountLocked <> 0 Then
     objUser.IsAccountLocked = 0
     objUser.SetInfo
     count_unlockedUsers = count_unlockedUsers + 1
     ' Uncomment the line below if you want to see the name of each user that gets unlocked,
     ' and run the script from a command prompt: C:\> CScript C:\Scripts\UnLockADUsersFromOU.vbs
     ' WScript.Echo "The user '" & adoRecordset.Fields("samaccountname").value & "' Unlocked."
  End If

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

IF count_unlockedUsers = 0 Then
    WScript.Echo "No Locked Out AD User Accounts found."
Else
   WScript.Echo "Active Directory User Account(s) Unlocked successfully"& vbCrLf  _ 
   & "No Of Users: "&count_unlockedUsers
End if

' close ado connections.
adoRecordset.Close
adoConnection.Close
