Search-ADAccount –LockedOut 查询
Search-ADAccount -LockedOut | Unlock-ADAccount 批量解锁
When using the Microsoft Active Directory cmdlets, locating locked-out users is a snap. In fact, the Search-ADAccount cmdlet even has a lockedout switch.
The first thing to do is to import the ActiveDirectory module by using the Import-Module cmdlet. This command is shown here:
Once the module is imported, use the Search-ADAccount cmdlet with the lockedout parameter. This command is shown here:
Note Many network administrators who spend the majority of their time working with AD DS import the ActiveDirectory module via their Windows PowerShell profile. In this way, they never need to worry about first importing the module. I have an entire series of posts about working with profiles that discusses how to create a profile, and what sort of things to add to it.
The Search-ADAccount command and the associated output are shown in the following figure.
I can unlock the locked-out user account as well, assuming I have permission. In the following figure, I attempt to unlock the user account with an account that is a normal user. And an error arises.
Note People are often worried about Windows PowerShell from a security perspective. Windows PowerShell is only an application, and a user is not able to do anything that they do not have rights or permission to accomplish. This is a case in point.
ecause the myuser account does not have administrator rights, I need to start Windows PowerShell with an account that has the ability to unlock a user account. To do this, I right-click the Windows PowerShell icon while pressing Shift. This allows me to click Run as different user in the shortcut menu. This produces the dialog box shown in the following figure.
After I start Windows PowerShell again with an account that has rights to unlock users, I need to import the ActiveDirectory module once again. I then check to ensure that I can still locate the locked-out user accounts. After I have proven to myself I can do that, I pipe the results of the Search-ADAccount cmdlet to Unlock-ADAccount. A quick check ensures I have unlocked all the locked-out accounts. The series of commands is shown here:
Search-ADAccount -LockedOut | Unlock-ADAccount
The commands and associated output are shown in the following figure.
Note Keep in mind that the command Search-ADAccount -LockedOut | Unlock-ADAccount will unlock every account that you have permission to unlock. In most cases, you will want to investigate before unlocking all locked-out accounts. If you do not want to unlock all locked-out accounts, use the confirm switch to be prompted before unlocking an account.
If I do not want to unlock all users, I user the confirm parameter from the Unlock-ADAccount cmdlet. As an example, I first check to see which users are locked out by using the Search-ADAccount cmdlet, but I do not want to see everything, only their names. Next, I pipe the locked-out users to the Unlock-ADAccount cmdlet with the confirm parameter. I am then prompted for each of the three locked-out users. I choose to unlock the first and third users, but not the second user. I then use the Search-ADAccount cmdlet one last time to ensure that the second user is still locked out. The following figure illustrates this technique.
CJ, that is all there is to finding and unlocking users in Active Directory by using the Microsoft ActiveDirectory module. I invite you back tomorrow when I will make a historic announcement. It is good, so check back. You will be glad you did.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy