One of the nice improvements of AD cmdlets 1.0.4 is the way you can enable, disable, and unlock AD user accounts with simple one-liners.
Here are a few one-liners demonstrating the new functionality:
#Get all disabled accounts
Get-QADUser -Disabled
#Get all locked accounts in the accounting department
Get-QADUser -Locked -Department Accounting
#Enable all the disabled accounts
Get-QADUser -Disabled | Enable-QADUser
#Unlock a specific user account
Unlock-QADUser DSotnikov
We kind of had a way of enabling the accounts before, and Richard found a way to list locked-out accounts quite some time ago, but with 1.0.4 everything has become so much easier.
Dmitry
Very useful Dmitry!
Personally, I’ve never liked the name one-liner. I’ve always preferred the term power-line. I think it conveys better context, and it sounds pretty cool 😉
Cheers
Adam
Well, I guess Jeffrey is to blame for making everyone use the “one-liner” term. 😉
Power-line does sound cool, although sometimes I get a bit tired of power- being used for everything PowerShell-related: PowerShell, PowerGUI, powerpacks for PowerGUI snapins, etc. Almost like too much power in there. 😉
Actually, that’s a fair point. I guess I like it for the same reason that it’s being overused lately, and that is that the power prefix gives it instant context.
Dilemma though. 😉
Hi Dmitry,
What is the equivalent command that people can use in the Windows Server 2003 command line environment to do what you showed us in PowerShell, like:
Unlock-QADUser DSotnikov?
The question is if people do not have powershell, what is the command line to unlock a user account?
I obviously recommend installing and using PowerShell, but there are indeed a few alternatives:
VBScript: http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/status/usstvb07.mspx
3rd-party utility from Joeware:
http://www.joeware.net/freetools/tools/unlock/index.htm
Hi Dmitry,
How can I find out if an individual user is disabled with the ADCmdLets?
get-qaduser "username" -disabled
just returns the user object even if it’s active. I would expect it to only return the object if the user was in fact disabled.
Thanks,
Jonathan
Jonathan,
If you want to find out if an individual user is disabled, you need to create the object first using get-qaduser and then return the Boolean property AccountIsDisabled.
For example:
$user = get-qaduser 'username'
$user.AccountIsDisabled
You can find out what properties and methods your object has by doing $user | Get-Member
Tab completion is also handy after typing $user.
Also, you need to make sure the username you are querying is unique. Otherwise $user will end up an array. I find it’s better to use the samid (accountname) as that’s always unique in the domain.
Jonathan,
By username do you mean sAMAccountName?
I have just tried this in my network and everything worked as expected (user was not found):
PS C:\> Get-QADUser dsotnikov -Disabled
Get-QADUser : Cannot resolve DN for the given identity: ‘dsotnikov’
At line:1 char:12
+ Get-QADUser <<< Get-QADUser dsotnikov
Name Type DN
---- ---- --
Dmitry Sotnikov user CN=Dmitry Sotnikov,OU=*****,DC=****,DC=quest,DC=****
Is there a way to separate the truly locked accounts (five bad logins) from the password expired accounts? When I run
get-QADUser -locked
it returns a list of both.
Tim,
You can read the PasswordExpires property of the user object and filter out the ones which have passwordexpires set to an earlier date with Where.
Dmitry
Hi, please tell me how I can enable or disable a user account using a CSVDE scripting file.
Lewis,
You mean get a CSV file with usernames and enable or disable everyone in the file?
If the file is just a text file with one username per line, you can do something like:
foreach ( $username in (get-content 'c:\users.txt')) {
Enable-QADUser $username
}
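A more defensive variant of the file-driven loop above, added here as an example and not part of the original thread or of the Quest cmdlets: it resolves each line by sAMAccountName, skips names that match no account or more than one, and only reports what it would change unless told to apply. The function name Enable-UsersFromList and its -Apply switch are hypothetical; the snap-in must be installed.

```powershell
# Added example; requires the Quest AD cmdlets snap-in discussed in the post.
# Enable-UsersFromList and -Apply are hypothetical names chosen for illustration.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

function Enable-UsersFromList {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Apply   # without -Apply the function only reports
    )
    foreach ($line in Get-Content -Path $Path) {
        $name = $line.Trim()
        if ($name -eq '') { continue }

        $found = @()
        if ($name -match '[*?]') {
            # A wildcard in the input file could match accounts nobody listed.
            $action = 'RejectedWildcard'
        }
        else {
            # Match on sAMAccountName only, which is unique in the domain.
            $found = @(Get-QADUser -SamAccountName $name)
            if ($found.Count -eq 0)     { $action = 'NotFound' }
            elseif ($found.Count -gt 1) { $action = 'Ambiguous' }
            elseif (-not $found[0].AccountIsDisabled) { $action = 'AlreadyEnabled' }
            elseif ($Apply) {
                $found[0] | Enable-QADUser | Out-Null
                $action = 'Enabled'
            }
            else { $action = 'WouldEnable' }
        }

        $dn = $null
        if ($found.Count -eq 1) { $dn = $found[0].DN }

        # One record per input line, suitable for Export-Csv as a change log.
        New-Object PSObject -Property @{
            SamAccountName = $name
            Action         = $action
            DN             = $dn
        }
    }
}

# Dry run first; review the output, then repeat with -Apply.
Enable-UsersFromList -Path 'c:\users.txt' | Format-Table SamAccountName, Action, DN
```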
This seems to filter out expired passwords:
Get-QADUser -Locked | where{$_.PasswordExpires -gt (get-date)}
Am I the only one who doesn’t see an actual post? I just see comments referencing a post, and nothing else.
My bet is that it is Ad Block or a similar browser add-on which you are using being incompatible with WordPress – try to either add this site to the exception list or tweak AdBlock to only block whatever ads WordPress is inserting but not the content.
Dmitry
Isn’t the get-qaduser a Quest module, not a PowerShell module?
Yes, Get-QADUser is part of Quest’s free AD cmdlets module – which you can download from http://www.quest.com/powershell/activeroles-server.aspx
Back in 2007, when this blog post was written, this was the only feasible way to do PowerShell against AD. Now obviously Microsoft’s module also exists, but a lot of people still prefer Quest’s one for its greater usability and richness…
Dmitry, I have been an avid reader of yours for years, I have used many of the things you have written about, thank you. I have not, however, had a reason to ask you anything until now. I need to unlock accounts via an automated PowerShell script, but for local users, not AD accounts.
Can you help get me started on that?
John, see if this helps: http://powergui.org/thread.jspa?messageID=49552