Automatically unlocking a service account in Active Directory

24 Nov 2013

Yes, crazy that this can happen. But sometimes you just have to live by other people’s (i.e the sysadmin’s) rules. 

Here’s some VBScript on making sure a service account stays unlocked. You can schedule it to run periodically. The account it’s run as needs permission to unlock the service account, obviously.

  1. Set objUser = GetObject(“LDAP://CN=user1, CN=Users, DC=dc1 DC=contoso, DC=com”)
  2.  
  3. If IsLockedOut(objUser) Then
  4. objUser.Put “lockouttime”,0
  5. objUser.SetInfo
  6. wscript.echo Date() & “ ” & Time() &- user has been unlocked -& objUser.sAMAccountName
  7. End If
  8.  
  9. Function IsLockedOut(objUser)
  10. on Error resume next
  11. Set objLockout = objUser.get(“lockouttime”)
  12. if Err.Number = E_ADS_PROPERTY_NOT_FOUND then
  13. IsLockedOut = False
  14. Exit Function
  15. End If
  16. On Error GoTo 0
  17. if objLockout.lowpart = 0 And objLockout.highpart = 0 Then
  18. IsLockedOut = False
  19. Else
  20. IsLockedOut = True
  21. End If
  22. End Function

Comments

Excellent post, thanks for sharing.

Add new comment

The content of this field is kept private and will not be shown publicly.

Restricted HTML

  • Allowed HTML tags: <a href hreflang target> <em> <strong> <cite> <blockquote cite> <pre> <ul type> <ol start type> <li> <dl> <dt> <dd> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.

Get a quote in 24 hours

Wether a huge commerce system, or a small business website, we will quote the project within 24h of you pressing the following button: Get quote