Weblog.BassQ.nl

When an administrator wants to disable a user account he or she has quite a few options. One method is do disable or enable the account via a specific script, a DSMOD USER command (in Windows Server 2003) or through the built-in Active Directory Users and Computers snap-in (also known as DSA.MSC). One more task regularly performed by administrators might be to unlock user accounts after they have forgotten their passwords and were locked out by the system. Enabling user accounts is different from unlocking these accounts, because the action needed to disable the account is performed by the administrator, whereas the action needed to lockout the account is done by the users themselves, and unless caused by a security penetration or hack attempt, usually indicates that the user has attempted to logon to the system with a bad password, more times than specified in the Account Lockout Threshold parameter in the GPO of the system.

To disable a user account you can just right-click on the required account and simply select Disable Account.

If the account was already disabled, then an option to enable it appears when you right-click that user account in DSA.MSC.

However, if that administrator wanted to just unlock the user account, not enable it, then he or she would need to select the user account in DSA.MSC, right-click it and choose Properties, then go to the Account tab, and un-check the Account is Locked Out option. This process is considerably longer than the one required when enabling a disabled account.

To make the life of the administrator easier (thus leaving him or her more time to play online games) we can add a small addition to the Active Directory configuration partition, and then have the ability to unlock a user account by simply right-clicking on that account (as you would do when enabling or disabling it).

Writing the script(s)

First we need to write one or two small VBS scripts (I thank Iftach for the insight). The first script will be used as a context menu option on any user account object, and the second script will do a scan on any given OU (Organizational Unit) in the AD and if it finds any locked-out user accounts – it will enable them.

I guess both scripts (especially the second one) could be done in a better way, and if any of you have a good suggestion please send it over .

Script #1:

Set wshArguments = WScript.Arguments Set objUser = GetWhen an administrator wants to disable a user account he or she has quite a few options. One method is do disable or enable the account via a specific script, a DSMOD USER command (in Windows Server 2003) or through the built-in Active Directory Users and Computers snap-in (also known as DSA.MSC). One more task regularly performed by administrators might be to unlock user accounts after they have forgotten their passwords and were locked out by the system. Enabling user accounts is different from unlocking these accounts, because the action needed to disable the account is performed by the administrator, whereas the action needed to lockout the account is done by the users themselves, and unless caused by a security penetration or hack attempt, usually indicates that the user has attempted to logon to the system with a bad password, more times than specified in the Account Lockout Threshold parameter in the GPO of the system. To disable a user account you can just right-click on the required account and simply select Disable Account. If the account was already disabled, then an option to enable it appears when you right-click that user account in DSA.MSC. However, if that administrator wanted to just unlock the user account, not enable it, then he or she would need to select the user account in DSA.MSC, right-click it and choose Properties, then go to the Account tab, and un-check the Account is Locked Out option. This process is considerably longer than the one required when enabling a disabled account. To make the life of the administrator easier (thus leaving him or her more time to play online games) we can add a small addition to the Active Directory configuration partition, and then have the ability to unlock a user account by simply right-clicking on that account (as you would do when enabling or disabling it). Writing the script(s) First we need to write one or two small VBS scripts (I thank Iftach for the insight). The first script will be used as a context menu option on any user account object, and the second script will do a scan on any given OU (Organizational Unit) in the AD and if it finds any locked-out user accounts – it will enable them. I guess both scripts (especially the second one) could be done in a better way, and if any of you have a good suggestion please send it over . Script #1: Object(wshArguments(0)) objuser.put “lockouttime”,”0″ objuser.setinfo msgbox “The user has been unlocked – ” & objuser.sAMAccountName