Authored by: Support.com Tech Pro Team
How to Unlock, Enable, and Disable AD Accounts with PowerShell
To slow down brute-force and password-guessing attacks, the Active Directory (AD) account lockout policy sets how many failed logon attempts are allowed before an account is locked, and for how long it stays locked. In practice most lockouts are accidental rather than malicious: a user mistyping a new password, or a mobile email client, script or scheduled task still presenting an outdated password, will trip the threshold just as quickly as an attacker. Unlocking accounts is therefore a routine helpdesk task, but an account that locks out repeatedly is worth investigating, because something is still submitting bad credentials for it.
Fortunately, unlocking AD accounts with PowerShell is easy using the Unlock-ADAccount cmdlet. Before you can use it, you need the Active Directory module for Windows PowerShell installed on your device (it ships with the Remote Server Administration Tools and is present on every domain controller) and permission in Active Directory to unlock user accounts. The command below unlocks David Smith’s account; DavidSmith is his SAM account name.
Unlock-ADAccount -Identity DavidSmith
You can also unlock accounts using their distinguished name (DN):
Unlock-ADAccount -Identity "CN=David Smith,OU=Accounts,DC=ad,DC=contoso,DC=com"
To establish why an account keeps being locked out, look at the Security log of the domain controller holding the PDC emulator role: every lockout in the domain is recorded there as event ID 4740 (“A user account was locked out”), whichever domain controller saw the bad password, and the event’s Caller Computer Name field names the machine that submitted the bad credentials. The command below pulls the 4740 events for David’s account from the PDC emulator:
Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    Where-Object { $_.Properties[0].Value -eq 'DavidSmith' } | Format-List -Property TimeCreated, Message
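Taking the lockout investigation a step further, the script below is an added example (not code from the original article): it lists every account that is currently locked out and joins each one to its 4740 events on the PDC emulator, so the report shows how often the account locked and which machines caused it. It assumes the ActiveDirectory module is installed, that you can read the PDC emulator’s Security log remotely, and the one-day search window is an arbitrary default.

```powershell
# Added example (not from the original article): report every currently locked-out
# user together with the machines that caused the lockouts, by joining
# Search-ADAccount results to event ID 4740 on the PDC emulator. Assumes the
# ActiveDirectory module is installed and the caller can read the PDC emulator's
# Security log remotely; the 1-day window is an assumption, adjust as needed.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param(
        [int]$Days = 1
    )

    # Every lockout in the domain is recorded on the PDC emulator, whichever DC
    # actually saw the bad password, so that is the only log we need to read.
    $pdc = (Get-ADDomain).PDCEmulator

    # 4740 = "A user account was locked out". In its event data, property 0 is
    # TargetUserName (the locked account) and property 1 is TargetDomainName, which
    # for this event carries the Caller Computer Name (the host that submitted the
    # bad credentials). Check with $event.ToXml() if your events look different.
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($account in (Search-ADAccount -LockedOut -UsersOnly)) {
        $mine    = @($events | Where-Object { $_.Properties[0].Value -eq $account.SamAccountName })
        $callers = $mine | ForEach-Object { $_.Properties[1].Value } | Sort-Object -Unique

        [PSCustomObject]@{
            SamAccountName = $account.SamAccountName
            LockedOut      = $account.LockedOut
            LockoutCount   = $mine.Count
            LastLockout    = ($mine | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            CallerHosts    = ($callers -join ', ')
        }
    }
}

# Review the report first; fix or power off the offending caller before unlocking,
# otherwise the account will simply lock again.
Get-LockoutReport -Days 1 | Format-Table -AutoSize

# Once the cause is dealt with, unlock the affected accounts in one go, confirming each:
# Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount -Confirm
```

Unlocking before the caller has been fixed only buys a few minutes, so the report is meant to be read first and the commented Unlock-ADAccount line run afterwards. If no 4740 events are found for a locked account, the lockout is older than the search window or the events have been overwritten; widen -Days or check your log retention.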
Accounts in Active Directory can also be disabled, for instance when they will not be used for a long time (a leaver, a long absence, a retired service account); for security reasons it is best to keep such accounts disabled rather than leave them active. A disabled account cannot be used to log in to the domain, regardless of whether the user knows the account password. Note that disabling does not end logon sessions that are already established or invalidate Kerberos service tickets that have already been issued, so for an account you suspect is compromised, also reset its password and deal with its existing sessions. The following command uses the Disable-ADAccount cmdlet to disable David’s account.
Disable-ADAccount -Identity DavidSmith
And just like the Unlock-ADAccount cmdlet, you can also disable accounts using their distinguished name:
Disable-ADAccount -Identity "CN=David Smith,OU=Accounts,DC=ad,DC=contoso,DC=com"
Or, by piping a set of user objects into Disable-ADAccount, you can disable all accounts in an Organizational Unit (OU). The command below produces a list of every user in the Accounts OU with the Get-ADUser cmdlet and disables all of them, not just David’s. Be aware that -SearchBase searches the whole subtree by default, so users in child OUs are included (add -SearchScope OneLevel to stay in the named OU), and append -WhatIf to Disable-ADAccount to preview the change before running it for real:
Get-ADUser -Filter * -SearchBase "OU=Accounts,DC=ad,DC=contoso,DC=com" | Disable-ADAccount
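Bulk-disabling every user in an OU is rarely what you want; the more common task is disabling accounts that have simply stopped being used. The function below is an added example (not code from the original article) that finds enabled users in an OU whose last logon is older than a threshold, records the reason in the account description so the change is auditable and reversible, and honours -WhatIf for a dry run. The OU path and the 90-day default are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article): disable user accounts in an OU that
# have not logged on for a configurable number of days, stamping the description with
# the reason so the change is auditable and reversible. Supports -WhatIf for a dry run.
# The OU path and the 90-day default are assumptions; adjust them to your environment.
Import-Module ActiveDirectory

function Disable-StaleUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase   = 'OU=Accounts,DC=ad,DC=contoso,DC=com',
        [int]   $InactiveDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Only enabled users are candidates. LastLogonDate is derived from
    # lastLogonTimestamp, which replicates with up to 14 days of lag, so keep the
    # threshold well above 14 days. Accounts that have never logged on have no
    # LastLogonDate and are skipped so newly created accounts are not disabled.
    # Default -SearchScope is Subtree (child OUs included); use OneLevel to stay put.
    $stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree -Properties LastLogonDate |
        Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff }

    foreach ($user in $stale) {
        $lastLogon = $user.LastLogonDate.ToString('yyyy-MM-dd')
        $note      = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon since $lastLogon"
        $action    = 'Skipped (WhatIf)'

        # ShouldProcess returns $false under -WhatIf and prints what would have happened.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable (last logon $lastLogon)")) {
            Set-ADUser -Identity $user -Description $note
            Disable-ADAccount -Identity $user
            $action = 'Disabled'
        }

        [PSCustomObject]@{
            SamAccountName = $user.SamAccountName
            LastLogonDate  = $user.LastLogonDate
            Action         = $action
        }
    }
}

# Dry run: lists the accounts that would be disabled without changing anything.
Disable-StaleUser -WhatIf

# Real run, once the dry-run list has been reviewed:
# Disable-StaleUser -Verbose | Export-Csv .\disabled-stale-users.csv -NoTypeInformation
```

Writing the date and reason into the description is what makes the operation reversible: months later, anyone looking at a disabled account can see why it was disabled and decide whether Enable-ADAccount is appropriate, rather than guessing.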
If you would like to disable a computer account instead of a user account, use the computer’s SAM account name, which is the computer name with a dollar sign appended to designate a machine account. The command below disables the computer1 account.
Disable-ADAccount -Identity computer1$
Enabling AD accounts is just as easy using the Enable-ADAccount cmdlet.
Enable-ADAccount -Identity DavidSmith
And again, like the Disable-ADAccount cmdlet, you can also enable accounts using their distinguished name:
Enable-ADAccount -Identity "CN=David Smith,OU=Accounts,DC=ad,DC=contoso,DC=com"
To enable a computer account, add a dollar sign to the end of the computer account name. The command below enables the machine account ‘computer1’.
Enable-ADAccount -Identity computer1$