
JSI Tip 8660. How can an ordinary user unlock a user account?


I have scripted UnlockUsr.bat to allow an ordinary user to simply unlock a user account, after you grant them the privilege using any of the following methods:

How can I delegate the unlock account right?

How do I use ADSIEDIT to grant Help Desk personnel the right to unlock locked user accounts?

How can I delegate the right to unlock locked user accounts, in a batch file?

To use the UnlockUsr.bat script, create a shortcut to UnlockUsr.bat and place it on the desktop or Start menu.

When the user double-clicks the desktop shortcut, or clicks the Start menu shortcut, they are prompted with:

Please enter the user account to unlock.

After they type the NetBIOS user account, the account is validated. If it does NOT exist, they receive:

Account <NetBIOS User Account> NOT found.
Please enter the user account to unlock.

When a valid account has been entered, they receive:

Please enter the Domain Controller to unlock <NetBIOS User Account>, <User's Full Name>, at, or just press Enter.

If they press Enter, the default Domain Controller for the locked out user is used.

If they enter a NetBIOS computer name and that computer does NOT respond, they receive:

Domain Controller <NetBIOS Computer Name> does not respond.
Please enter the Domain Controller to unlock <NetBIOS User Account>, <User's Full Name>, at, or just press Enter.

They then receive:

Unlock V02.00.00cpp Joe Richards ([email protected]) March 2003

Processed at <ComputerName.DomainName.COM>
Default Naming Context: <DC=DomainName,DC=COM>

If the user account was NOT locked, they receive:

User account <NetBIOS User Account>, <User's Full Name>, was not locked.

Finally, they receive:

Press Enter to exit, or press any key and Enter to unlock another user.

Example:

Please enter the user account to unlock.   doej
Please enter the Domain Controller to unlock doej, John Doe, at, or just press Enter. 

Unlock V02.00.00cpp Joe Richards ([email protected]) March 2003

Processed at jsi001.JSIINC.COM
Default Naming Context: DC=JSIINC,DC=COM

Press Enter to exit, or press any key and Enter to unlock another user. 

NOTE: UnlockUsr.bat uses Unlock.exe, which must be in a folder that is in the PATH.

UnlockUsr.bat contains:

@echo off
setlocal
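:getuser
rem Clear the previous answer so an empty reply re-prompts instead of reusing the last account.
set user=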
set /p user=Please enter the user account to unlock.   
if "%user%" EQU "" goto getuser
rem FN stays N unless "net user" returns a "Full Name" line for the account.
set FN=N
for /f "Tokens=1,2*" %%a in ('net user %user% /domain^|Findstr /I /C:"Full"^|Findstr /I /C:"Name"') do (
 set FN=%%c
)
if "%FN%" EQU "N" @echo Account %user% NOT found.&goto getuser
:getdc
set dc=
set /p dc=Please enter the Domain Controller to unlock %user%, %FN%, at, or just press Enter.   
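rem An empty reply selects the default Domain Controller, passed to Unlock.exe as ".".
if "%dc%" EQU "" set dc=.&goto dounlock
rem OK becomes Y only if a single ping to the named computer gets a reply.
set OK=N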
for /f "Tokens=*" %%p in ('@ping -n 1 %dc% ^|Findstr /I /C:"Reply from"') do (
 set OK=Y
)
If "%OK%" EQU "N" @echo Domain Controller %dc% does not respond.&goto getdc
:dounlock
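rem OK becomes Y only if the Unlock.exe output contains LOCKED; otherwise the account is reported as not locked.
set OK=N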
for /f "Tokens=*" %%u in ('Unlock %dc% %user% -force ^|findstr /I /C:"LOCKED"') do (
 set OK=Y
)
if "%OK%" EQU "Y" goto finish 
if "%dc%" EQU "." @echo User account %user%, %FN%, was not locked.&goto finish
@echo User account %user%, %FN%, was not locked at %dc%.
:finish
set ans=
set /P ans=Press Enter to exit, or press any key and Enter to unlock another user. 
if "%ans%" NEQ "" goto getuser
endlocal


