Recipe 15.2. Unlocking a User


Problem

You want to unlock a locked-out user.

Solution

Using a graphical user interface

For a local account, do the following:

  1. Open the Computer Management snap-in (compmgmt.msc).

  2. In the left pane, expand Local Users and Groups and click on Users.

  3. In the right pane, double-click the account you want to unlock.

  4. If the account is locked, the box beside Account is locked out will be checked. Uncheck it and click OK.

For a domain account, do the following:

  1. Open the Active Directory Users and Computers (ADUC) snap-in (dsa.msc).

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Type the name of the user beside Name and click Find Now.

  5. In the Search Results, right-click on the user and select Unlock.

  6. Click OK.

Using downloadable software

Joe Richards has written a tool called unlock that lets you find locked-out users in a domain and unlock them in one shot. The following command displays all locked-out accounts on the default domain controller:

> unlock . * -view

The following command unlocks the user rallen on dc01:

> unlock dc01 rallen

This command unlocks all locked users on the default domain controller:

> unlock . *

You can download unlock from http://www.joeware.net/win/free/tools/unlock.htm.

You can also unlock local user accounts with the cusrmgr tool in the Windows 2000 Resource Kit. Here is an example:

> cusrmgr  -S AccountLockout -u rallen

Using VBScript

' This code unlocks a locked user.
' ------ SCRIPT CONFIGURATION ------
strUsername = "<UserName>"        ' e.g. jsmith
strDomain = "<DomainOrComputerName>" ' e.g. RALLENCORP or rallen-winxp
' ------ END CONFIGURATION ---------

set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)
if objUser.IsAccountLocked = TRUE then
   objUser.IsAccountLocked = FALSE
   objUser.SetInfo
   WScript.Echo "Account unlocked"
else
   WScript.Echo "Account not locked"
end if

Discussion

If you've enabled account lockouts in a domain (see Recipe 15.4), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is either because he mistypes his password a number of times (because he forgot it) or changes his password and does not log off and log on again.

Using VBScript

You can use ADSI's IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. Unfortunately there is a bug with the LDAP provider version of this method, so you have to use the WinNT provider instead even when unlocking Active Directory accounts. See MS KB 250873 for more information on this bug.
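
The same WinNT-provider technique extended from one user to every user in a domain or on a computer, as an added example that is not from the book: it reports each locked-out account (much like unlock . * -view) and clears the flag only when blnUnlock is set to True. The blnUnlock setting and the helper names IsLockedOut and UnlockAccount are assumptions of this example.

```vbscript
' Added example (not from the book): list locked-out accounts through the
' WinNT provider and, optionally, unlock them.
Option Explicit

' ------ SCRIPT CONFIGURATION ------
Const strDomain = "<DomainOrComputerName>"  ' e.g. RALLENCORP or rallen-winxp
Const blnUnlock = False                     ' False = report only (assumed setting)
' ------ END CONFIGURATION ---------

Dim objContainer, objUser, intLocked, intUnlocked
intLocked = 0
intUnlocked = 0

Set objContainer = GetObject("WinNT://" & strDomain)
objContainer.Filter = Array("User")         ' enumerate user objects only

For Each objUser In objContainer
    If IsLockedOut(objUser) Then
        intLocked = intLocked + 1
        WScript.Echo "LOCKED: " & objUser.Name
        If blnUnlock Then
            If UnlockAccount(objUser) Then intUnlocked = intUnlocked + 1
        End If
    End If
Next

WScript.Echo intLocked & " locked, " & intUnlocked & " unlocked"

' Returns True only if the lockout flag could be read and is set.
Function IsLockedOut(objAcct)
    On Error Resume Next
    IsLockedOut = False
    IsLockedOut = objAcct.IsAccountLocked   ' stays False if the read fails
    If Err.Number <> 0 Then
        WScript.Echo "SKIPPED: " & objAcct.Name & " (" & Err.Description & ")"
        Err.Clear
    End If
End Function

' Clears the lockout flag and commits it; returns True on success.
Function UnlockAccount(objAcct)
    Dim blnOk
    On Error Resume Next
    objAcct.IsAccountLocked = False
    objAcct.SetInfo
    blnOk = (Err.Number = 0)
    If Not blnOk Then WScript.Echo "FAILED: " & objAcct.Name & " (" & Err.Description & ")"
    Err.Clear
    UnlockAccount = blnOk
End Function
```

Run it with cscript so each line goes to the console, and review the report-only output before setting blnUnlock to True.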

See Also

Recipe 15.4 for viewing the account lockout policy, MS KB 250873 (Programmatically Changing the Lockout Flag in Windows 2000), and MSDN: Account Lockout



Windows XP Cookbook
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408