Unlock AD account across multiple domain controllers quickly.

egrizzly Member Posts: 533
At work once an AD account gets locked we have to unlock them individually across about 6 Domain Controllers. This means selecting File > Change Domain Controller each time to select each individual DC and unlock the account there. Holy Jupiter!!! somebody please tell me there's a faster way to do this.

btw, if you open the AD account properties and just place a checkmark on "unlock account" it only unlocks the account on the already selected DC.

I'm still hunting around the web for a faster way to do this but please guys if you have any knowledge on that answer feel free to jump in the discussion.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • linuxabuser Member Posts: 97
    Enable AD Urgent Replication.
  • egrizzly Member Posts: 533
    Enable AD Urgent Replication.

    Wow, I was thinking about something from the help desk agent level. Urgent Replication seems like it has to be done by the Sr. Systems Engineer.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • techfiend Member Posts: 1,481
    I think a ps1 like this should work, can't test right now. Need to set the domains and change the user.

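    # Requires the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory

    $name = "user"

    # -Identity takes the account name; -Server selects the domain (or DC) to unlock against
    Unlock-ADAccount -Identity $name -Server "domain1.com"
    Unlock-ADAccount -Identity $name -Server "domain2.com"
    Unlock-ADAccount -Identity $name -Server "domain3.com"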
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • TheFORCE Member Posts: 2,297
    egrizzly wrote: »
    At work once an AD account gets locked we have to unlock them individually across about 6 Domain Controllers. This means selecting File > Change Domain Controller each time to select each individual DC and unlock the account there. Holy Jupiter!!! somebody please tell me there's a faster way to do this.

    btw, if you open the AD account properties and just place a checkmark on "unlock account" it only unlocks the account on the already selected DC.

    I'm still hunting around the web for a faster way to do this but please guys if you have any knowledge on that answer feel free to jump in the discussion.

    You're hunting the web when the only place you need to go is the Microsoft site. Have you tried the Account Lockout tool Microsoft has? Link below.
    It is an executable file that you just run from your desktop, enter the domain information once and the tool will find all the domain controllers available on your network. This way, when a user gets locked out, all you have to do is enter the username on the tool and it will find all the domain controllers the account is locked out on. You can enable the account on the primary domain first and then just click unlock on all the rest. Basically a 5 second job. Below is a picture of what the tool looks like.
    [Image: 02_LockOutStatus_Results.png]
    https://www.microsoft.com/en-us/download/details.aspx?id=15201
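
The per-DC check and unlock discussed in the comments above can also be scripted. The following is an added example, not code from any poster in this thread: it assumes the ActiveDirectory module (RSAT) is installed and the caller has been delegated the right to unlock accounts; the function name `Unlock-AccountOnAllDCs` and the account `jdoe` are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory

function Unlock-AccountOnAllDCs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # Enumerate every domain controller in the current domain.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC            = $dc.HostName
            LockedOut     = $null
            BadLogonCount = $null   # not replicated: each DC keeps its own count
            LockoutTime   = $null
            Result        = 'NotLocked'
        }
        try {
            # Query this specific DC so the status reflects its own copy of the account.
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties LockedOut, BadLogonCount, AccountLockoutTime -ErrorAction Stop

            $row.LockedOut     = [bool]$user.LockedOut
            $row.BadLogonCount = $user.BadLogonCount
            $row.LockoutTime   = $user.AccountLockoutTime

            if ($user.LockedOut) {
                if ($PSCmdlet.ShouldProcess("$SamAccountName on $($dc.HostName)", 'Unlock account')) {
                    Unlock-ADAccount -Identity $user.DistinguishedName -Server $dc.HostName -ErrorAction Stop
                    $row.Result = 'Unlocked'
                } else {
                    $row.Result = 'LockedNotChanged'
                }
            }
        } catch {
            # An unreachable DC or missing permission is reported, not fatal.
            $row.Result = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Dry run first: shows which DCs report the account as locked without changing anything.
Unlock-AccountOnAllDCs -SamAccountName 'jdoe' -WhatIf | Format-Table -AutoSize
```

Drop `-WhatIf` to perform the unlock. The DC showing the highest `BadLogonCount` is usually the place to start looking for whatever keeps locking the account.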