Unlock multiple(all) users

Question

Hello
How to unlock multiple(all) users in Adaxes?
Is it possible to enable link 'select all objects on all pages' in "Unlock account" menu .... or use powershell... :? :? :? :?:
Thanks
I have Adaxws Web I-face 2012.1

Answer 1

Hello,

The Unlock User Home Page Action allows you to unlock multiple user accounts simultaneously if you've enabled the Allow multiple selection option. For more details, see Step 3 in section Enable/Disable/Unlock Account of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... ableenable. However, the Select all objects on all pages is not available for this Action. In Adaxes 2015.1, we'll change the look and feel of Adaxes Web Interface. As a part of it, we'll make it easier to execute actions on multiple objects.

For now, you can use the following script to unlock all locked accounts:

# Find all locked user accounts
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SearchFilter = "(&(sAMAccountType=805306368)(lockoutTime=*))"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("msDS-User-Account-Control-Computed"))
$searcher.VirtualRoot = $True

$searcherResult = $searcher.ExecuteSearch()
$users = $searcherResult.FetchAll()
$searcherResult.Dispose()

$ADS_UF_LOCKOUT = [Softerra.Adaxes.Interop.Adsi.PersistentObjects.ADS_USER_FLAG_ENUM]::ADS_UF_LOCKOUT
foreach ($userId in $users)
{
    $msDsUserAccountControlValue = $userId.Properties["msDS-User-Account-Control-Computed"].Value
    if ($msDsUserAccountControlValue -eq $NULL)
    {
        continue
    }

    if ($msDsUserAccountControlValue -band $ADS_UF_LOCKOUT)
    {
        # Unlock account
        $user = $Context.BindToObject($userId.AdsPath)
        $user.IsAccountLocked = $False
        $user.SetInfo()
    }
}

You can use the script with Business Rules, Scheduled Tasks or Custom Commands. For example, you can create a Custom Command that allows to unlock all accounts upon request. To create such a Custom Command:

1. Create a new Custom Command.
2. On the 3rd step of the Create Custom Command wizard, select the Show all object types option.
3. Select the Domain-DNS object type.
   
4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the above script in the Script field.
   
5. Add a short description for the script and click OK.
6. Finish creation of the Custom Command.

Now, you can run the Custom Command on any of your AD domains to unlock all locked users in all domains managed by Adaxes.

You can also create a Home Page Action for Adaxes Web interface to be able to unlock all accounts right from the Home Page. For information on how to launch a Custom Command as a Home Page Action, see section Custom Command in the following tutorial: http://www.adaxes.com/tutorials_WebInte ... #executecc. On step 3 of the section, you will find information on how to configure the action to be always executed on a specific domain. Since it doesn't really matter, on which domain the script will be executed, you can enable this option and specify any of your domains for the Web Interface to skip the domain selection step when executing the action.

Comments

Thanks for your answer. It really helped me out

I found a script slightly less to unlock all accounts (powershell):

import-module adaxes
search-admaccount -lockedout | unlock-admaccount

---

Hello,

The script that you've fund will unlock all accounts only within the domain where the script is run. In case if you are running it from a Business Rule, Custom Command or Scheduled Task, it will unlock users only within the domain where Adaxes service is installed.

---

We are looking to implement an action that will unlock our generic accounts whenever they get locked out. These accounts are in a few different OUS across two domains. Can we use a version of this script to unlock only the locked accounts with a certain Security group assigned? We were thinking of adding Auto Unlock Accounts group to the generic accounts needing this action, we would also want a notification email to be sent out as a safety catch and tracking of how many times this triggered on these specific accounts.

---

Hello,

We are looking to implement an action that will unlock our generic accounts whenever they get locked out.

There is no possibility to trigger a Business Rule on locking an account. You can use a Scheduled Task instead.

These accounts are in a few different OUS across two domains.

You can include OUs from multiple domains into the activity scope of the Scheduled Task.

Can we use a version of this script to unlock only the locked accounts with a certain Security group assigned?

You can check user group membership using the built in If is a member of <Group> condition.
To create the Scheduled Task:

1. Launch Adaxes Administration Console.

2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
   

3. On step 3 of Create Scheduled Task wizard select User Object type and click Next.
   

4. Click Add Action and select Run a program or Powershell script.

5. Enter a short description and paste the script below into the Script field.

    $Context.TargetObject.IsAccountLocked = $False
    $Context.TargetObject.SetInfo()

   

6. Click OK and double-click Always.

7. Select If is a member of <Group> and click Select Group.
   

8. Select the required group and click OK twice.

9. Right-click the condition and click Add New Condition.
   

10. Select If account is enabled / disabled / locked.

11. Select If the User account is locked out and click OK.
    

12. Right-click the condition again and click Add Action.
    

13. Select Send e-mail notification.

14. Specify the Action Parameters and click OK.
    

15. Click Next and finish creating the Scheduled Task.

---

Thank you Supoort2, this worked flawlessly. Can we ask for an addition if possible. Can this only unlock it 3 times before it won't do it again?

---

Hello,

You can use an Integer custom attribute to store the number of attempts (e.g. CustomAttributeInt1). If the value of the attribute is 3, the account won’t be unlocked and an email notification will be sent. To modify the Scheduled Task:

1. Launch Adaxes Administration Console.

2. Navigate to Configuration/Scheduled Tasks and select the task.

3. In the Result Pane, double-click the Run PowerShell script action.

4. Replace the existing script with the following:

    $Context.TargetObject.IsAccountLocked = $False
   
    try
    {
        $count = $Context.TargetObject.Get("adm-CustomAttributeInt1")
        $count++
    }
    catch
    {
        $count = 1
    }
   
    $Context.TargetObject.Put("adm-CustomAttributeInt1", $count)
    $Context.TargetObject.SetInfo()

5. Click OK.

6. Right-click the action and click Add Condition.

7. Select If <property><relation><value>.

8. Select If CustomAttributeInt1 does not equal 3 and click OK.
   

9. Click Add action to a new set.
   

10. Select Send e-mail notification.

11. Specify Action Parameters and click OK.
    

12. Double-click Always.

13. Select If <property><relation><value>.

14. Select If CustomAttributeInt1 equals 3.
    

15. Click OK.

16. Right-click the condition and click Add New Condition.
    

17. Select If account is enabled / disabled / locked.

18. Select If the User account is locked out.
    

19. Click OK and save the changes. You should have something like the following: