Recipe 6.8 Unlocking a User | Active Directory Cookbook, 3rd Edition

6.8.1 Problem

You want to unlock a locked out user.

6.8.2 Solution

6.8.2.1 Using a graphical user interface

Open the Active Directory Users and Computers snap-in.
In the left pane, right-click on the domain and select Find.
Select the appropriate domain beside In.
Type the name of the user beside Name and click Find Now.
In the Search Results, right-click on the user and select Unlock.
Click OK.

6.8.2.2 Using VBScript

' This code unlocks a locked user. ' ------ SCRIPT CONFIGURATION ------ strUsername = "<UserName>"        ' e.g. jsmith strDomain = "<NetBiosDomainName>" ' e.g. RALLENCORP ' ------ END CONFIGURATION --------- set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername) if objUser.IsAccountLocked = TRUE then    objUser.IsAccountLocked = FALSE    objUser.SetInfo    WScript.Echo "Account unlocked" else    WScript.Echo "Account not locked" end if

6.8.3 Discussion

If you've enabled account lockouts in a domain (see Recipe 6.11), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is either because a user mistypes his password a number of times, or he changes his password and does not log off and log on again, or has mapped drives.

You can use ADSI's IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. Unfortunately, there is a bug with the LDAP provider version of this method so you have to use the WinNT provider instead. See MS KB 250873 for more information on this bug.

6.8.4 See Also

Recipe 6.9 for finding locked out users, Recipe 6.11 for viewing the account lockout policy, MS KB 250873 (Programmatically Changing the Lockout Flag in Windows 2000), and MSDN: Account Lockout