Enable, Disable, Unlock User Accounts

One of the nice improvements of AD cmdlets 1.0.4 is the way you can enable, disable, and unlock AD user accounts with simple one-liners.

Here are a few oneliners demonstrating the new functionality:

#Get all disabled accounts
Get-QADUser -Disabled

#Get all locked accounts in the accounting department
Get-QADUser -Locked -Department Accounting

#Enable all the disabled accounts
Get-QADUser -Disabled | Enable-QADUser

#Unlock a specific user account
Unlock-QADUser DSotnikov

We kind of had a way of enabling the accounts before and Richard found a way to list locked out accounts quite some time ago but with 1.0.4 everything has become so much easier.


Tags: , , , , , , ,


20 Responses to “Enable, Disable, Unlock User Accounts”

  1. 1 Adam Bell August 14, 2007 at 8:07 am

    Very useful Dmitry!

    Personally, I’ve never liked the name one-liner. I’ve always preferred the term power-line. I think it conveys better context, and it sounds pretty cool 😉



  2. 2 dmitrysotnikov August 15, 2007 at 4:12 pm

    Well, I guess Jeffrey is to blame for making everyone use the “one-liner” term. 😉

    Power-line does sound cool, although sometimes I get a bit tired of power- being used for everything PowerShell-related: PowerShell, PowerGUI, powerpacks for PowerGUI snapins, etc. Almost like too much power in there. 😉

  3. 3 Adam Bell August 20, 2007 at 11:39 am

    Actually that’s a fair point. I guess, I like it for the same reason that it’s being over used lately, and that is that the power prefix gives it instant context.

    Dilemma though. 😉

  4. 4 Powershell reader January 16, 2008 at 4:43 am

    Hi Dmitry,

    What is the equivalent command that people can use in Windows server 2003 command line environment to do what you showed us in power shell like:
    Unlock-QADUser DSotnikov?
    The question is if people do not have powershell, what is the command line to unlock a user account?

  5. 5 dmitrysotnikov January 16, 2008 at 12:05 pm

    I obviously recommend to install and use PowerShell but there are indeed a few alternatives:

    VBScript: http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/status/usstvb07.mspx

    3rd-party utility from Joeware:

  6. 6 Jonathan Walz March 21, 2008 at 5:45 pm

    Hi Dmitry,

    How can I find out if an individual user is disabled with the ADCmdLets?

    get-qaduser “username” -disabled

    just returns the user object even if it’s active. I would expect it to only return the object if the user was in fact disabled.


    • 7 Gavin Bloodworth April 30, 2010 at 2:50 am


      If you want to find out if an individual user is disabled, you need to create the object first using get-qaduser and then return the Boolean property AccountIsDisabled.

      For example:

      $user = get-qaduser ‘username’


      You can find out what properties and methods your object has by doing $user | Get-Member
      Tab completion is also handy after typing $user.

      Also, you need to make sure the username you are querying is unique. Otherwise $user will end up an array. I find its better to use the samid (accountname) as thats always unique in the domain.

  7. 8 dmitrysotnikov March 25, 2008 at 11:37 am


    By username do you mean sAMAccountName?

    I have just tried this in my network and everything worked as expected (user was not found):

    PS C:\> Get-QADUser dsotnikov -Disabled
    Get-QADUser : Cannot resolve DN for the given identity: ‘dsotnikov’
    At line:1 char:12
    + Get-QADUser <<< Get-QADUser dsotnikov

    Name Type DN
    —- —- —
    Dmitry Sotnikov user CN=Dmitry Sotnikov,OU=*****,DC=****,DC=quest,DC=****

  8. 9 Tim Corey May 2, 2008 at 12:20 pm

    Is there a way to separate the truly locked accounts (five bad logins) from the password expired accounts? When I run

    get-QADUser -locked

    it returns a list of both.

  9. 10 dmitrysotnikov May 2, 2008 at 12:38 pm


    You can read the PasswordExpires property of the user object and filter out the ones which have passwordexpires set to an earlier date with Where.


  10. 11 lewis September 22, 2008 at 6:15 pm

    HI, PLZ tell me how i can enable of disable user account using CSVDE scriping file.

  11. 12 Dmitry Sotnikov September 22, 2008 at 6:20 pm


    You mean get a CSV file with usernames and enable or disable everyone in the file?

    If the file is just a text file with one username per line, you can do something like:

    foreach ( $username in (get-content ‘c:\users.txt’)) {
    Enable-QADUser $username

  12. 13 whats4lunch March 23, 2010 at 2:02 pm

    This seems to filter out expired passwords:

    Get-QADUser -Locked | where{$_.PasswordExpires -gt (get-date)}

  13. 14 The Dan May 31, 2011 at 12:36 pm

    Am I the only one who doesn’t see an actual post? I just see comments referencing a post, and nothing else.

    • 15 Dmitry Sotnikov May 31, 2011 at 4:01 pm

      My bet is that it is Ad Block or similar browser add-on which you are using being incompatible with wordpress – try to either add this site to the exception list or tweak AdBlock to only block whatever ads wordpress is inserting but not the content.


  14. 16 Anonymous September 12, 2011 at 6:21 am

    isnt the get-qaduser a quest module not a powershell module ?

  15. 18 John August 28, 2013 at 5:12 pm

    Dmitry, I have been an avid reader of yours for years, I have used many of the things you have written about, thank you. I have not, however had a reason to ask you anything until now. I need to unlock accounts via an automated powershell script, but for local users, not AD accounts.
    Can you help get me started on that?

  1. 1 AD accounts « Obtained's Blog Trackback on December 7, 2010 at 10:38 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

August 2007
« Jul   Sep »

%d bloggers like this: