Tuesday, 29 June 2010

Script to Ensure an Account Remains Unlocked

This is a useful little script for pre-2008 domains* that checks to see if an account is locked out, and will unlock that account if it is.

I've used this as a scheduled task to ensure that a vital service account (used to auto logon to kiosk stations) does not become locked out.

' ----- Script Configuration -----
strUsername = "USERNAME"
strDomain = "DOMAIN"
' ----- End Configuration --------

' Bind to the account through the WinNT provider
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)

' Clear the lockout flag only if the account is currently locked
If objUser.IsAccountLocked = True Then
    objUser.IsAccountLocked = False
    objUser.SetInfo
End If


* For a 2008 domain I would create a PSO to achieve the same effect.
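
Because a scheduled unlock clears the lockout before anyone sees it, a variant that records each unlock keeps repeated lockouts of the service account visible for review. This is an added example, not part of the original post: it keeps the same placeholder account values, and it assumes the task runs under Windows Script Host, using WshShell.LogEvent to write to the Application event log.

```vbscript
Option Explicit

' ----- Script Configuration (placeholders, as in the script above) -----
Const strUsername = "USERNAME"
Const strDomain = "DOMAIN"
' ----- End Configuration --------

' Event types accepted by WshShell.LogEvent
Const EVENT_ERROR = 1
Const EVENT_WARNING = 2

Dim objShell, objUser, blnLocked, strAccount
Set objShell = CreateObject("WScript.Shell")
strAccount = strDomain & "\" & strUsername

' Log a failure with the error details passed in, then stop with a
' non-zero exit code so the scheduled task shows the run as failed.
Sub Fail(strStep, lngNumber, strDescription)
    objShell.LogEvent EVENT_ERROR, "Unlock check could not " & strStep & " " & _
        strAccount & ": 0x" & Hex(lngNumber) & " " & strDescription
    WScript.Quit 1
End Sub

On Error Resume Next

' Bind to the account through the WinNT provider
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)
If Err.Number <> 0 Then Fail "bind to", Err.Number, Err.Description

' Read the flag into a variable first so a failed read is caught here
' rather than inside the If test below
blnLocked = objUser.IsAccountLocked
If Err.Number <> 0 Then Fail "read the lockout state of", Err.Number, Err.Description

If blnLocked Then
    objUser.IsAccountLocked = False
    objUser.SetInfo
    If Err.Number <> 0 Then Fail "unlock", Err.Number, Err.Description

    ' One warning per unlock: a run of these events means something is
    ' repeatedly submitting bad passwords for this account.
    objShell.LogEvent EVENT_WARNING, "Unlock check: " & strAccount & _
        " was locked out and was unlocked at " & Now & _
        ". Review failed logon events for this account."
End If
```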

Monday, 21 June 2010

Active Directory Web Services on 2003

The 2008 R2 feature that allows you to run PowerShell AD commands against a remote DC can now be installed on a 2003 server.

The download is on the Microsoft site here (Active Directory Management Gateway Service).

I've used this to perform cross-forest group management between 2008 and 2003 DCs by installing the management gateway on the 2003 DC and then calling a group name in forest1 and saving it as a variable.

This will nest the group Forest1\SampleGroup into the group Forest2\SampleGroup (provided group scope allows), when run on a DC in Forest1.

> $Forest1Group = Get-ADGroup SampleGroup
> Add-ADGroupMember SampleGroup -Members $Forest1Group -server ServerName.Forest2.com

This is the entry on the AD PowerShell blog about the service and this article covers the cross-forest functionality.

Sunday, 20 June 2010

A New Blog

This blog is intended to help me collect together various things I want to remember, with a focus on technology tips and tricks I've picked up over the years.