unlock user accounts en masse

Discussion started by Sam B., May 25, 2005.


    I've seen the syntax on unlocking a user account, but is there a way to
    enumerate the list of users in a given container/OU and then incrementally
    unlock the accounts? I've done some digging around and haven't found pieces
    that I could get to work together.

    If it's not possible, I'd like to know that, too.
    Sam B., May 25, 2005
  2. Hi,

    Determining if an account is locked out with the LDAP provider is not
    simple. I have a sample program to find out if a given user is locked out,
    and then allow the user to unlock the account linked here:


    To check all users in a container/OU, it is actually easier to use the WinNT
    provider. For example, here is a sample program to document all accounts
    that are locked out:


    The relevant code is:

    ' Find locked out user accounts in domain.
    ' strNetBIOSDomain holds the NetBIOS name of the domain.
    Set objDomain = GetObject("WinNT://" & strNetBIOSDomain)
    objDomain.Filter = Array("user")
    For Each objWinNTUser In objDomain
        If objWinNTUser.IsAccountLocked = True Then
            ' Do something.
        End If
    Next

    This could be modified to unlock the accounts. However, because WinNT is
    blind to any AD hierarchy, it cannot recognize OUs. I would suggest for
    each user found to be locked out to use the NameTranslate object to convert
    the NT name (sAMAccountName, which is objWinNTUser.Name above) to the
    distinguishedName, and from that determine the parent object (container or

    The NameTranslate object is documented here:


    Note, the IsAccountLocked method exposed by the LDAP provider does not work.
    You might want to use a program that lists all locked out users, then code
    another program to read the list and unlock the accounts. This gives you the
    opportunity to review the list. I hope this helps.
    Richard Mueller [MVP], May 25, 2005
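
The approach described in the reply above (WinNT to find locked-out users, NameTranslate to recover each distinguishedName, then a filter on the parent OU), as an added example that is not part of the original thread. The OU in strTargetOU and the blnReportOnly switch are assumptions for illustration; with the switch left at True the script only lists accounts, so the list can be reviewed before anything is unlocked.

```vbscript
' Added example (not from the thread): list, and optionally unlock,
' locked-out users whose distinguishedName falls under one OU.
Option Explicit

Const ADS_NAME_INITTYPE_GC = 3   ' bind NameTranslate through a global catalog
Const ADS_NAME_TYPE_1779 = 1     ' distinguishedName format
Const ADS_NAME_TYPE_NT4 = 3      ' DOMAIN\sAMAccountName format
Const blnReportOnly = True       ' assumed switch: True = list only, False = unlock

Dim strTargetOU, strNetBIOSDomain, objTrans, objDomain, objUser, strDN, intCount
' Hypothetical OU; write it without spaces after the commas.
strTargetOU = "ou=Technology Staff,dc=mydomain,dc=com"

strNetBIOSDomain = CreateObject("WScript.Network").UserDomain
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""

Set objDomain = GetObject("WinNT://" & strNetBIOSDomain)
objDomain.Filter = Array("user")
intCount = 0

For Each objUser In objDomain
    If objUser.IsAccountLocked = True Then
        ' Translate DOMAIN\name to a DN; skip names that do not translate.
        strDN = ""
        On Error Resume Next
        objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & objUser.Name
        If Err.Number = 0 Then strDN = objTrans.Get(ADS_NAME_TYPE_1779)
        Err.Clear
        On Error GoTo 0
        If IsInOU(strDN, strTargetOU) Then
            intCount = intCount + 1
            WScript.Echo "Locked out: " & strDN
            If Not blnReportOnly Then
                objUser.IsAccountLocked = False   ' WinNT allows setting this to False only
                objUser.SetInfo
                WScript.Echo "  unlocked"
            End If
        End If
    End If
Next
WScript.Echo intCount & " locked-out account(s) under " & strTargetOU

' True when strDN lies in strOU or in any OU beneath it (case-insensitive suffix match).
Function IsInOU(strDN, strOU)
    Dim strSuffix
    strSuffix = "," & LCase(strOU)
    IsInOU = (Len(strDN) > Len(strSuffix)) And (LCase(Right(strDN, Len(strSuffix))) = strSuffix)
End Function
```

Run it with cscript so the output goes to the console and can be redirected to a file for review.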
  3. Well, this is not really scripting, but it is what I use to work with a lot
    of accounts at once.

    On the domain controller, open the command prompt and run a dsquery on the OU
    that you want to modify, then pipe that output to a dsmod command to activate
    those users.

    For example
    dsquery user "ou=Technology Staff,dc=mydomain,dc=com" | dsmod user -disabled no

    This would activate all the users in the Technology Staff OU.

    I hope that helps.
    Randy, May 25, 2005
