Recipe 16.4. Unlocking a UserProblemYou want to unlock a locked-out user. SolutionUsing a graphical user interface
Using a command-line interfaceJoe Richards has written a tool called unlock that lets you find locked out users and unlock them in one shot. The following command displays all locked out accounts on the default domain controller: > unlock . * -view The following command unlocks the user rallen on dc01: > unlock dc01 rallen This command unlocks all locked users on the default domain controller: > unlock . * You can download unlock from http://www.joeware.net/win/free/tools/unlock.htm. Using VBScript' This code unlocks a locked user. ' ------ SCRIPT CONFIGURATION ------ strUsername = "<UserName>" ' e.g., jsmith strDomain = "<NetBiosDomainName>" ' e.g., RALLENCORP ' ------ END CONFIGURATION --------- set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername) if objUser.IsAccountLocked = TRUE then objUser.IsAccountLocked = FALSE objUser.SetInfo WScript.Echo "Account unlocked" else WScript.Echo "Account not locked" end if DiscussionIf you've enabled account lockouts in a domain (see Recipe 16.7), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is either because a user mistypes his password a number of times (because he forgot it) or a user changes his password and does not log off and log on again. You can use ADSI's IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. Unfortunately, there is a bug with the LDAP provider version of this method, so you have to use the WinNT provider instead. See MS KB 250873 for more information on this bug. See AlsoRecipe 16.7, MS KB 250873 (Programmatically Changing the Lockout Flag in Windows 2000), and MSDN: Account Lockout |