One of the nice improvements of AD cmdlets 1.0.4 is the way you can enable, disable, and unlock AD user accounts with simple one-liners.
Here are a few one-liners demonstrating the new functionality:
#Get all disabled accounts
Get-QADUser -Disabled
#Get all locked accounts in the accounting department
Get-QADUser -Locked -Department Accounting
#Enable all the disabled accounts
Get-QADUser -Disabled | Enable-QADUser
#Unlock a specific user account
Unlock-QADUser DSotnikov
We kind of had a way of enabling the accounts before, and Richard found a way to list locked-out accounts quite some time ago, but with 1.0.4 everything has become so much easier.
Dmitry
Tags: oneliner, AD cmdlets, cmdlets, one-liner, PowerShell, AD, Active Directory, Examples






Very useful Dmitry!
Personally, I’ve never liked the name one-liner. I’ve always preferred the term power-line. I think it conveys better context, and it sounds pretty cool.
Cheers
Adam
Well, I guess Jeffrey is to blame for making everyone use the “one-liner” term.
Power-line does sound cool, although sometimes I get a bit tired of power- being used for everything PowerShell-related: PowerShell, PowerGUI, powerpacks for PowerGUI snapins, etc. Almost like too much power in there.
Actually, that’s a fair point. I guess I like it for the same reason that it’s being overused lately, and that is that the power prefix gives it instant context.
Dilemma though.
Hi Dmitry,
What is the equivalent command that people can use in the Windows Server 2003 command-line environment to do what you showed us in PowerShell, like:
Unlock-QADUser DSotnikov?
The question is, if people do not have PowerShell, what is the command line to unlock a user account?
I obviously recommend installing and using PowerShell, but there are indeed a few alternatives:
VBScript: http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/status/usstvb07.mspx
3rd-party utility from Joeware:
http://www.joeware.net/freetools/tools/unlock/index.htm
Hi Dmitry,
How can I find out if an individual user is disabled with the ADCmdLets?
get-qaduser "username" -disabled
just returns the user object even if it’s active. I would expect it to only return the object if the user was in fact disabled.
Thanks,
Jonathan
Jonathan,
By username do you mean sAMAccountName?
I have just tried this in my network and everything worked as expected (user was not found):
PS C:\> Get-QADUser dsotnikov -Disabled
Get-QADUser : Cannot resolve DN for the given identity: ‘dsotnikov’
At line:1 char:12
+ Get-QADUser <<< Get-QADUser dsotnikov
Name Type DN
---- ---- --
Dmitry Sotnikov user CN=Dmitry Sotnikov,OU=*****,DC=****,DC=quest,DC=****
Is there a way to separate the truly locked accounts (five bad logins) from the password expired accounts? When I run
get-QADUser -locked
it returns a list of both.
Tim,
You can read the PasswordExpires property of the user object and filter out the ones which have passwordexpires set to an earlier date with Where.
Dmitry
Hi, please tell me how I can enable or disable a user account using a CSVDE scripting file.
Lewis,
You mean get a CSV file with usernames and enable or disable everyone in the file?
If the file is just a text file with one username per line, you can do something like:
foreach ($username in (Get-Content 'c:\users.txt')) {
    Enable-QADUser $username
}
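
An audited variant of the loop above for a file that carries both the account and the action, added here as an example and not part of the original post or its comments. The CSV layout (SamAccountName,Action), the file paths and the -Apply switch are assumptions; the script uses Get-QADUser, Enable-QADUser and Disable-QADUser from the Quest AD cmdlets, and because -SamAccountName accepts wildcards it refuses any row that does not resolve to exactly one account.

```powershell
# Added example. Assumes the Quest AD cmdlets snap-in is already loaded and a
# constructed input file with the header line: SamAccountName,Action
# where Action is either Enable or Disable.
param(
    [string]$CsvPath = 'C:\account-changes.csv',   # hypothetical path
    [string]$LogPath = 'C:\account-changes.log',   # hypothetical path
    [switch]$Apply                                 # without -Apply nothing is changed
)

$results = foreach ($row in Import-Csv $CsvPath) {
    $name   = "$($row.SamAccountName)".Trim()
    $action = "$($row.Action)".Trim()

    if ($name -eq '' -or $action -notmatch '^(Enable|Disable)$') {
        $status = 'Rejected: bad row'
    }
    else {
        # Resolve exactly one account; a value such as "adm*" would match
        # several users, so an ambiguous or missing match is never acted on.
        $user = @(Get-QADUser -SamAccountName $name)
        if ($user.Count -ne 1) {
            $status = "Rejected: $($user.Count) matches"
        }
        elseif (-not $Apply) {
            $status = "Would $action"              # dry run only
        }
        else {
            try {
                if ($action -eq 'Enable') {
                    $user[0] | Enable-QADUser -ErrorAction Stop | Out-Null
                }
                else {
                    $user[0] | Disable-QADUser -ErrorAction Stop | Out-Null
                }
                $status = "${action}d"
            }
            catch { $status = "Failed: $($_.Exception.Message)" }
        }
    }
    # One record per input row, including rejected rows, for the change log.
    New-Object PSObject -Property @{
        Time = Get-Date; Account = $name; Action = $action; Status = $status
    } | Select-Object Time, Account, Action, Status
}

$results | Export-Csv $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once without -Apply and review the "Would Enable" and "Rejected" rows in the log before running it again with -Apply.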