PoshCode Archive  Artifact Content

Artifact ee5fa9955deba5881f1fe718198663aa63853249926b960332aa86ba5f45d1e9:

  • File Unlock-amp-Password-Reset.ps1 — part of check-in [7bc0a8763b] at 2018-06-10 13:31:17 on branch trunk — Never fails a user calls in or enters a helpdesk ticket with, I cant log in. This is a script provides everything I need to determine why: Password Expired? Account Locked? If Locked, which DCs? Are there other users that are locked, that havent noticed yet? (user: Matt Schmitt size: 9553)

# encoding: utf-8
# api: powershell
# title: Unlock & Password Reset
# description: Never fails a user calls in or enters a helpdesk ticket with, “I can’t log in”.  This is a script provides everything I need to determine why: Password Expired? Account Locked? If Locked, which DCs? Are there other users that are locked, that haven’t noticed yet?
# version: 1.0
# type: script
# author: Matt Schmitt
# license: CC0
# x-poshcode-id: 3800
# x-archived: 2012-12-03T17:08:04
# x-published: 2012-11-29T05:45:00
#
# This replaces using AD and the Account Lockout Status Tool.  It not only saves a little time, but has everything in one place.
# Twitter: @MatthewASchmitt
# LinkedIn: www.linkedin.com/in/matthewaschmitt
#
<#
  Author:   Matt Schmitt
  Date:     11/28/12 
  Version:  1.0 
  From:     USA 
  Email:    ithink2020@gmail.com 
  Website:  http://about.me/schmittmatt
  Twitter:  @MatthewASchmitt
  
  Description
  A script for forwarding and unforwarding email for users in Office 365.  
#>


Import-Module ActiveDirectory

Write-Host ""
Write-Host "PowerShell AD Password Tool"
Write-Host ""
Write-Host "This tool displays the Exparation Date of a user's Password and thier Lockedout"
Write-Host "Status.  It will then allow you to unlock and/or reset the password."
Write-Host ""

Write-Host ""

#Counts how many locked account there are on the local DC and sets it to $count
$count = Search-ADAccount –LockedOut | where { $_.Name -ne "Administrator" -and $_.Name -ne "Guest" } | Measure-Object | Select-Object -expand Count


#If there are locked accounts (other than Administrator and Guest), then this will display who is locked out.
If ( $count -gt 0 ) {

    Write-Host "Current Locked Out Accounts on your LOCAL Domain Controller:"
    Search-ADAccount –LockedOut | where { $_.Name -ne "Administrator" -and $_.Name -ne "Guest" } | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
    
}else{
    
#   Write-Host "There are no locked out accounts on your local Domain Controller."

}


Write-Host ""


#Asks for the username
$user = Read-Host "Enter username of the employee you would like to check or [ Ctrl+c ] to exit"
Write-Host ""
Write-Host ""
[datetime]$today = (get-date)

#Get pwdlastset date from AD and set it to $passdate
$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter="(&(samaccountname=$user))"
$results=$searcher.findone()
$passdate = [datetime]::fromfiletime($results.properties.pwdlastset[0])

#Set password Age to $PwdAge
$PwdAge = ($today - $passdate).Days

If ($PwdAge -gt 90){

    Write-Host "Password for $user is EXPIRED!"
    Write-Host "Password for $user is $PwdAge days old."

}else{

    Write-Host "Password for $user is $PwdAge days old."

}


Write-Host ""
Write-Host ""
Write-Host "Checking LockedOut Status on defined Domain Controllers:"

#Get Lockedout status and display

# ---> IMPORTANT:  You need to change DC01.your.domain.com & DC02.your.domain.com to the FQDN of your Domian Controlls

switch (Get-ADUser -server DC01.your.domain.com  -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand lockedout) { "False" {"DC01:      Not Locked"} "True" {"DC01:    LOCKED"}}

switch (Get-ADUser -server DC02.your.domain.com  -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand lockedout) { "False" {"DC02:      Not Locked"} "True" {"DC02:    LOCKED"}}

# ---> You can add more domain controllers to list, by copying one of the lines, then Modifying the text to reflect your DCs.


Write-Host ""
Write-Host ""


[int]$y = 0


$option = Read-Host  "Would you like to (1) Unlock user, (2) Reset user's password, (3) Unlock and reset user's password or (4) Exit?"

cls

While ($y -eq 0) {
    
    switch ($option)
    {
        "1" { 
                
                # ---> IMPORTANT:  You need to change DC01.your.domain.com & DC02.your.domain.com to the FQDN of your Domian Controlls
                
                Write-Host "Unlocking account on DC01"
                Unlock-ADAccount -Identity $user -server DC01.your.domain.com 
                
                Write-Host "Unlocking account on DC02"
                Unlock-ADAccount -Identity $user -server DC02.your.domain.com  
                
                # ---> You can add more domain controllers to list, by copying one of the lines, then Modifying the text to reflect your DCs.                           
                
                
                #Get Lockedout status and set it to $Lock
                $Lock = (Get-ADUser -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand lockedout)

                Write-Host ""

                #Depending on Status, tell user if the account is locked or not.
                switch ($Lock)
                {
                    "False" { Write-Host "$user is unlocked." }
                    "True" { Write-Host "$user is LOCKED Out." }
                }                
                
            
                Write-Host ""
                Write-Host "Press any key to Exit."
                
                $y += 1
                
                $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
                
            
            }
        "2" { 
                
                $newpass = (Read-Host -AsSecureString "Enter user's New Password")
                
                
                Write-Host ""
                Write-Host "Resetting Password on local DC..."
                Write-Host ""
                Set-ADAccountPassword -Identity $user -NewPassword $newpass
                
                Write-Host ""
                Write-Host "Resetting Password on DC02"
                Write-Host ""
                
                # ---> IMPORTANT:  You need to change DC01.your.domain.com & DC02.your.domain.com to the FQDN of your Domian Controlls
                
                Set-ADAccountPassword -Server DC02.your.domain.com -Identity $user -NewPassword $newpass
                
                # ---> You can add more domain controllers to list, by copying one of the lines, then Modifying the text to reflect your DCs.
                             
                           
                Write-Host ""
                Write-Host "Press any key to Exit."
                $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
                
                $y += 1
    
            }
        "3" {
    
                $newpass = (Read-Host -AsSecureString "Enter user's New Password")
                
                Write-Host ""
                Write-Host "Resetting Password on Local DC..."
                Write-Host ""
                Set-ADAccountPassword -Identity $user -NewPassword $newpass
                
                Write-Host ""
                Write-Host "Resetting Password on DC02"
                Write-Host ""
                
                # ---> IMPORTANT:  You need to change DC01.your.domain.com & DC02.your.domain.com to the FQDN of your Domian Controlls
                
                Set-ADAccountPassword -Server DC02.your.domain.com -Identity $user -NewPassword $newpass
                
                # ---> You can add more domain controllers to list, by copying one of the lines, then Modifying the text to reflect your DCs.
                
                Write-Host ""
                Write-Host "Password for $user has been reset."
                Write-Host ""
                
                
                # ---> IMPORTANT:  You need to change DC01.your.domain.com & DC02.your.domain.com to the FQDN of your Domian Controlls
                
                Write-Host "Unlocking account on DC01"
                Unlock-ADAccount -Identity $user -server DC01.your.domain.com
                
                Write-Host "Unlocking account on DC02"
                Unlock-ADAccount -Identity $user -server DC02.your.domain.com                

                # ---> You can add more domain controllers to list, by copying one of the lines, then Modifying the text to reflect your DCs.
                

                
                #Get Lockedout status and set it to $Lock
                $Lock = (Get-ADUser -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand lockedout)

                Write-Host ""

                #Depending on Status, tell user if the account is locked or not.
                switch ($Lock)
                {
                    "False" { Write-Host "$user is unlocked." }
                    "True" { Write-Host "$user is LOCKED Out." }
                }                
                
            
                Write-Host ""
                Write-Host "Press any key to Exit."

                
                $y += 1
                
                $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    
            }
        
        "4" {
    
                #exit code
                $y += 1
    
            }
            
        default {
                
                Write-Host "You have entered and incorrect number."
                Write-Host ""
                $option = Read-Host  "Would you like to (1) Unlock user, (2) Reset user's password, (3) Unlock and reset user's password or (4) Exit?"
        
            }
    }
}