In this blog post, I’ll show you how to unlock, enable, and disable Active Directory accounts using PowerShell.

Unlock Active Directory Accounts

To slow down brute-force login attempts, the Active Directory (AD) account lockout policy sets how many incorrect logins are allowed before an account is locked. Lockouts often happen accidentally, or because of malicious activity, so IT helpdesk staff are regularly tasked with unlocking user accounts. There are other common causes too: mobile email clients, scripts, and scheduled tasks that keep trying to log in with an outdated password will lock an account just as effectively.

Fortunately, unlocking AD accounts with PowerShell is easy using the Unlock-ADAccount cmdlet. Before you can use it, you need to have the Active Directory module for PowerShell installed on your device and permission in Active Directory to unlock user accounts. The command below unlocks David Smith’s account. DavidSmith is the SAM account name.

Unlock-ADAccount -Identity DavidSmith

You can also unlock accounts using their distinguished name (DN):

Unlock-ADAccount -Identity "CN=David Smith,OU=Accounts,DC=ad,DC=contoso,DC=com"

If you have aggregated security logs from your domain controllers, you can use PowerShell to search them to establish why an account is being locked out. The command below searches the logs for lockout events on David’s account.

Get-EventLog -LogName Security | ?{$_.message -like "*locked*DavidSmith*"} | Format-List -property *
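The search above only sees whatever log copies are on the machine you run it from. As an added example (not code from the original post), the function below queries event ID 4740 ("A user account was locked out") directly on the PDC emulator, which records every lockout in the domain, and reports the caller computer so you can track down the stale credential. It assumes the ActiveDirectory module is loaded and that you can read the domain controller's Security log remotely; the function name Get-LockoutSource is my own.

```powershell
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Hours = 24
    )

    # Every lockout is forwarded to the PDC emulator, so one DC is enough to query.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740                          # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # SilentlyContinue suppresses the "No events were found" error that
    # Get-WinEvent raises when nothing matches the filter.
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_

            # Read the named EventData fields from the event XML instead of
            # scraping the localised message text.
            $data = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }

            if ($data.TargetUserName -eq $SamAccountName) {
                [pscustomobject]@{
                    TimeCreated      = $evt.TimeCreated
                    Account          = $data.TargetUserName
                    # In event 4740 the TargetDomainName field carries the
                    # "Caller Computer Name", i.e. where the bad logins came from.
                    CallerComputer   = $data.TargetDomainName
                    DomainController = $data.SubjectUserName
                }
            }
        }
}

# Show the last 24 hours of lockouts for David's account
Get-LockoutSource -SamAccountName 'DavidSmith' | Format-Table -AutoSize
```

If the caller computer is a mail server, a jump host, or a server running scheduled tasks, that is where the outdated password is cached.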

Disable Active Directory Account

Accounts in Active Directory can be disabled; for instance, if an account is not going to be used for a long time, it is best to keep it disabled for security reasons. A disabled account cannot be used to log in to the domain, regardless of whether the user knows the account password. The following command uses the Disable-ADAccount cmdlet to disable David’s account.

Disable-ADAccount -Identity DavidSmith

And just like the Unlock-ADAccount cmdlet, you can also disable accounts using their distinguished name:

Disable-ADAccount -Identity "CN=David Smith,OU=Accounts,DC=ad,DC=contoso,DC=com"

Or, by piping objects into Disable-ADAccount, you can disable all accounts in an Organizational Unit (OU). The command below disables every account in the Accounts OU, not just David’s, by producing the list of accounts with the Get-ADUser cmdlet:

Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Accounts,DC=ad,DC=contoso,DC=com" | Disable-ADAccount

If you would like to disable a computer account instead of a user account, all you need to do is append a dollar sign to the end of the account name to designate that it’s a machine account. The command below disables the computer1 account.

Disable-ADAccount -Identity computer1$

Enable Active Directory Account

Enabling AD accounts is just as easy using the Enable-ADAccount cmdlet.

Enable-ADAccount -Identity DavidSmith

And again, like the Disable-ADAccount cmdlet, you can also enable accounts using their distinguished name:

Enable-ADAccount -Identity "CN=David Smith,OU=Accounts,DC=ad,DC=contoso,DC=com"

To enable a computer account, add a dollar sign to the end of the computer account name. The command below enables the machine account ‘computer1’.

Enable-ADAccount -Identity computer1$

If you want an easier way to troubleshoot Active Directory account lockout issues, why not try our sophisticated Active Directory auditing solution, LepideAuditor? It allows you to easily track and audit changes in Active Directory and provides you with a list of locked accounts for you to investigate and unlock as necessary.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2019 Lepide Software Private Limited. All trademarks acknowledged.