Automatically unlocking a service account in Active Directory

24 Nov 2013

Yes, crazy that this can happen. But sometimes you just have to live by other people’s (i.e the sysadmin’s) rules. 

Here’s some VBScript on making sure a service account stays unlocked. You can schedule it to run periodically. The account it’s run as needs permission to unlock the service account, obviously.

Set objUser = GetObject(“LDAP://CN=user1, CN=Users, DC=dc1 DC=contoso, DC=com”)
If IsLockedOut(objUser) Then
  objUser.Put “lockouttime”,“0”
  objUser.SetInfo
  wscript.echo Date() & “ ” & Time() &“ - user has been unlocked - ” & objUser.sAMAccountName
End If
Function IsLockedOut(objUser)
  on Error resume next
  Set objLockout = objUser.get(“lockouttime”)
  if Err.Number = E_ADS_PROPERTY_NOT_FOUND then
    IsLockedOut = False
    Exit Function
  End If
  On Error GoTo 0
  if objLockout.lowpart = 0 And objLockout.highpart = 0 Then
    IsLockedOut = False
  Else
    IsLockedOut = True
  End If
End Function

Comments

Excellent post, thanks for sharing.

Add new comment

The content of this field is kept private and will not be shown publicly.

Restricted HTML

  • Allowed HTML tags: <a href hreflang target> <em> <strong> <cite> <blockquote cite> <pre> <ul type> <ol start type> <li> <dl> <dt> <dd> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.

Get a quote in 24 hours

Wether a huge commerce system, or a small business website, we will quote the project within 24h of you pressing the following button: Get quote