ProblemYou want to unlock a locked-out user. SolutionUsing a graphical user interfaceFor a local account, do the following:
For a domain account, do the following:
Using downloadable softwareJoe Richards has written a tool called unlock that lets you find locked out users in a domain and unlock them in one shot. The following command displays all locked out accounts on the default domain controller: > unlock . * -view The following command unlocks the user rallen on dc01: > unlock dc01 rallen This command unlocks all locked users on the default domain controller: > unlock . * You can download unlock from http://www.joeware.net/win/free/tools/unlock.htm. You can unlock also local user accounts with the cusrmgr tool in the Windows 2000 Resource Kit. Here is an example: > cusrmgr -S AccountLockout -u rallen Using VBScript' This code unlocks a locked user. ' ------ SCRIPT CONFIGURATION ------ strUsername = "<UserName>" ' e.g. jsmith strDomain = "<DomainOrComputerName>" ' e.g. RALLENCORP or rallen-winxp ' ------ END CONFIGURATION --------- set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername) if objUser.IsAccountLocked = TRUE then objUser.IsAccountLocked = FALSE objUser.SetInfo WScript.Echo "Account unlocked" else WScript.Echo "Account not locked" end if DiscussionIf you've enabled account lockouts in a domain (see Recipe 15.4), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is either because he mistypes his password a number of times (because he forgot it) or changes his password and does not log off and log on again. Using VBScriptYou can use ADSI's IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. Unfortunately there is a bug with the LDAP provider version of this method, so you have to use the WinNT provider instead even when unlocking Active Directory accounts. See MS KB 250873 for more information on this bug. See AlsoRecipe 15.4 for viewing the account lockout policy, MS KB 250873 (Programmatically Changing the Lockout Flag in Windows 2000), and MSDN: Account Lockout |