Add Unlock User Option to Active Directory Users and Computers

Last Update: Sep 24, 2024 | Published: Jan 06, 2009

SHARE ARTICLE

How can I add an “unlock user account” option to the Active Directory Users and Computers context menu?


One of the daily tasks of a network administrator is to monitor user accounts, logon activities, password changes and account options, such as disabling and enabling user accounts.
When an administrator wants to disable a user account he or she has quite a few options. One method is do disable or enable the account via a specific script, a DSMOD USER command (in Windows Server 2003) or through the built-in Active Directory Users and Computers snap-in (also known as DSA.MSC). One more task regularly performed by administrators might be to unlock user accounts after they have forgotten their passwords and were locked out by the system. Enabling user accounts is different from unlocking these accounts, because the action needed to disable the account is performed by the administrator, whereas the action needed to lockout the account is done by the users themselves, and unless caused by a security penetration or hack attempt, usually indicates that the user has attempted to logon to the system with a bad password, more times than specified in the Account Lockout Threshold parameter in the GPO of the system.
To disable a user account you can just right-click on the required account and simply select Disable Account.
this image has been lost in time
If the account was already disabled, then an option to enable it appears when you right-click that user account in DSA.MSC.
this image has been lost in time
However, if that administrator wanted to just unlock the user account, not enable it, then he or she would need to select the user account in DSA.MSC, right-click it and choose Properties, then go to the Account tab, and un-check the Account is Locked Out option. This process is considerably longer than the one required when enabling a disabled account.
this image has been lost in time
To make the life of the administrator easier (thus leaving him or her more time to play online games) we can add a small addition to the Active Directory configuration partition, and then have the ability to unlock a user account by simply right-clicking on that account (as you would do when enabling or disabling it).

Writing the script(s)

First we need to write one or two small VBS scripts (I thank Iftach for the insight). The first script will be used as a context menu option on any user account object, and the second script will do a scan on any given OU (Organizational Unit) in the AD and if it finds any locked-out user accounts – it will enable them.
I guess both scripts (especially the second one) could be done in a better way, and if any of you have a good suggestion please send it over smtp.
Script #1:

Const E_ADS_PROPERTY_NOT_FOUND = -2147463155
Set wshArguments = WScript.Arguments
Set objUser = GetObject(wshArguments(0))
If IsLockedOut(objUser) Then
objUser.Put "lockouttime","0"
objUser.SetInfo
MsgBox "The user has been unlocked - " & objUser.sAMAccountName
Else
MsgBox "The user account is not locked - " & objUser.sAMAccountName
End If
Function IsLockedOut(objUser)
on Error resume next
Set objLockout = objUser.get("lockouttime")
if Err.Number = E_ADS_PROPERTY_NOT_FOUND then
IsLockedOut = False
Exit Function
End If
On Error GoTo 0
if objLockout.lowpart = 0 And objLockout.highpart = 0 Then
IsLockedOut = False
Else
IsLockedOut = True
End If
End Function

Save the script as UNLOCK_USER.VBS.
Script #2:

Const E_ADS_PROPERTY_NOT_FOUND = -2147463155
strSummary=""
Set wshArguments = WScript.Arguments
Set objOU = GetObject(wshArguments(0))
For Each objIADs in objOU
If LCase(objIADs.Class) = "user" Then
If IsLockedOut(objIADs) Then
objIADs.Put "lockouttime","0"
objIADs.SetInfo
strSummary=strSummary & objIADs.Get("samaccountname") & vbNewLine
End If
End If
Next
If strSummary="" Then
MsgBox "No locked users found!"
Else
MsgBox "The following users have been unlocked:" & vbNewLine _
& "-------------------------------------------------" & vbNewLine & strSummary
End If
Function IsLockedOut(objUser)
on Error resume next
Set objLockout = objUser.get("lockouttime")
if Err.Number = E_ADS_PROPERTY_NOT_FOUND then
IsLockedOut = False
Exit Function
End If
On Error GoTo 0
if objLockout.lowpart = 0 And objLockout.highpart = 0 Then
IsLockedOut = False
Else
IsLockedOut = True
End If
End Function

Save the script as UNLOCK_USERS_IN_OU.VBS.
Place both scripts in a share on one of your DCs, preferably in the NETLOGON share, thus replicating them to all of your DCs. Note that this change is a forest wide change, so each and every DC in the forest should have access to these scripts.

Adding the unlock option to the context menu

You now need to add the context menu options to the user account and the OU objects in AD. To do so you need the following:

  1. ADSIEdit.MSC – found in the Windows 2000/2003 Support Tools (located on the installation CD)
  2. Enterprise Admin permissions

User account context menu:

  1. After installing the Support Tools, open ADSIEdit.MSC and navigate to the following path:
CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=dpetri,DC=net

Lamer note: Change the path to fit your own domain name…

  1. Right-click on the user-Display object and select Properties.
  2. The first attribute in the list of attributes for the object should be adminContextMenu. Double-click it or click on the Edit button.

user display small

  1. In the Sting Editor window of the adminContextMenu attribute, add the following line:
4,&Unlock User,zeusnetlogonunlock_user.vbs

Lamer note: Change the UNC path to fit your own path…

this image has been lost in time

  1. When done, click Add to add the line, then click Ok.

OU context menu:

  1. In ADSIEdit.MSC navigate to the following path:
CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=dpetri,DC=net

Lamer note: Change the path to fit your own domain name…

  1. Right-click on the organizationalUnit-Display object and select Properties.
  2. The first attribute in the list of attributes for the object should be adminContextMenu. Double-click it or click on the Edit button.
  3. In the Sting Editor window of the adminContextMenu attribute, add the following line:
3,&Unlock Users in OU,zeusnetlogonunlock_users_in_ou.vbs

Lamer note: Again, change the UNC path to fit your own path…
this image has been lost in time

  1. When done, click Add to add the line, then click Ok.
  2. Close ADSIEdit.MSC.

Testing

In order to test the context menu additions you’ll need to create some test users and cause them to become locked-out. I’ve created a test OU and in it I’ve created 4 users.
this image has been lost in time
Next, to cause the users to become locked-out, I wrote a small script that goes like this:

net use 127.0.0.1 /user:kuku wrongpassword
net use 127.0.0.1 /user:kuku wrongpassword
net use 127.0.0.1 /user:kuku wrongpassword
net use 127.0.0.1 /user:kuku wrongpassword
net use 127.0.0.1 /user:kuku wrongpassword
net use 127.0.0.1 /user:kuku wrongpassword
net use 127.0.0.1 /user:lulu wrongpassword
net use 127.0.0.1 /user:lulu wrongpassword
net use 127.0.0.1 /user:lulu wrongpassword
net use 127.0.0.1 /user:lulu wrongpassword
net use 127.0.0.1 /user:lulu wrongpassword
net use 127.0.0.1 /user:lulu wrongpassword

Lamer note: You must first enable the locking out of user accounts in the Default Domain GPO.
Close DSA.MSC if it was open, and re open it. Find the locked out users in the test OU. You can also use the following LDAP search string and create a saved search (also see LDAP Search Samples for Windows Server 2003 and Exchange 2000/2003 and Saved Queries in Windows Server 2003 AD Users & Computers)

(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))

Right-click the locked-out user account and select the new context menu – Unlock User.
this image has been lost in time
Notice how the user is now unlocked.
In order to test the OU context menu, right-click the OU in which the locked-out users are located, and select the new context menu – Unlock Users in OU.
this image has been lost in time
Notice how a prompt is displayed telling you which users have been unlocked in the process.
this image has been lost in time

SHARE ARTICLE