2017-09-28

AD User Account 鎖定時的解鎖方式 Lock / Unlock

當 User 密碼輸入錯誤超過 GPO 中設定的次數限制時
AD 會將該 User Account Lockout (鎖定) 避免被暴力破解等可能的風險
但其實多半的原因都是 User 改密碼後忘記, 或因為有記住的密碼未清除的問題造成
先前都是用微軟官方提供的 這個程式 直接在 DC 上面去處理 Unlock

但最近發現如果在非 DC 上面, 用 Runas 的方式去跑這個程式時
Unlock 選項會是灰色的, 無法進行解鎖
但如果透過 PowerShell 下指令卻又可以解鎖, 揪竟是為什麼真是令人費解
無奈下只好寫了一個 PowerShell Script 來處理這件事情
以下為程式碼, 只要修改最前面的 $Script:SearchDomain 就可以適用於各環境
即使是跨 TrustDomain , 只要有權限都可以用

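# Domain whose domain controllers are enumerated and queried.
# Change this value for other environments; a trusted domain also works as long
# as the running account has permission there.
$Script:SearchDomain = "Contoso.com"

# Fail right here when the RSAT ActiveDirectory module is not installed,
# instead of failing later with a confusing error inside Get-ADUser.
Import-Module ActiveDirectory -ErrorAction Stop

# Account name typed by the operator; "" means "nothing entered yet / prompt again".
$Script:TargetUserAccount = ""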

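#######################################
# Prompt loop of the tool.
# Clears the screen, reads an account name into $Script:TargetUserAccount and
# hands it to MainCheck. The loop repeats as long as the variable is still
# empty after MainCheck returns; the only way out is MainCheck calling exit.
# Globals:   $Script:TargetUserAccount (written), $Script:EnterString (written)
#######################################
Function MainBoard {
    $Script:TargetUserAccount = ""
    while ($Script:TargetUserAccount -eq "") {
        cls
        write-host ""
        $Script:EnterString = "`tEnter User Account (Enter to Reload / q to Leave)"
        # Cast to [string] first so a null from a non-interactive host cannot
        # break .Trim(); trimming avoids a false "not exists" when the operator
        # pastes a name with surrounding spaces.
        $Script:TargetUserAccount = ([string](Read-Host $Script:EnterString)).Trim()
        MainCheck
    }
}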

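#######################################
# Escapes one value for interpolation into an LDAP search filter (RFC 4515).
# The account name is typed by the operator, so without escaping characters
# such as "*" or ")(" could change the structure of the filter.
# The backslash is escaped first so the escape sequences themselves survive.
# Arguments: $Value - raw string
# Outputs:   escaped string on stdout
#######################################
Function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28')
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace("`0", '\00')
    return $escaped
}

#######################################
# Waits for a single key press without echoing it.
#######################################
Function Wait-KeyPress {
    $null = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
}

#######################################
# Queries every reachable DC in $DCs for the account's lockout state, stores
# the results in the index-aligned arrays $Script:DCName (display name),
# $Script:DCFqdn (name usable for -Server), $Script:AccountLockoutTime and
# $Script:LockedOut, and prints them as a table.
# Arguments: $User - ADUser object returned by Get-ADUser
#            $DCs  - objects whose Name property is the DC FQDN
#######################################
Function Show-AccountLockoutStatus {
    param($User, $DCs)
    $Script:DCName = @()
    $Script:DCFqdn = @()
    $Script:AccountLockoutTime = @()
    $Script:LockedOut = @()

    # .NET String.Replace is case-sensitive, so use -ireplace for the suffix.
    $suffixPattern = [regex]::Escape($Script:SearchDomain)

    write-host ""
    Foreach ($DC in $DCs) {
        # Short name is for display only; -Server later gets the FQDN.
        $DCShownName = ($DC.Name -ireplace $suffixPattern, "").Trim(".")
        write-host -NoNewline "`tChecking Account Status on" $DCShownName "... "
        $TestComputerOnline = Test-Connection -computername $DC.Name -quiet -count 1
        if ($TestComputerOnline -eq $True) {
            # Query by the already-resolved object, not by the typed string.
            $UserLockedOutStatus = Get-ADUser -Identity $User -Server $DC.Name -Properties AccountLockoutTime,LockedOut
            $Script:DCName += @($DCShownName)
            $Script:DCFqdn += @($DC.Name)
            # @() keeps a null value as an element so the arrays stay aligned.
            $Script:AccountLockoutTime += @($UserLockedOutStatus.AccountLockoutTime)
            $Script:LockedOut += @($UserLockedOutStatus.LockedOut)
            write-host "Checked"
        } else {
            write-host "Cannot be connected."
        }
    }
    write-host ""
    write-host "`t DC `t`t Locked Out`t Time"
    write-host "`t--------------- --------------- ---------------------"
    for ($i = 0; $i -lt $Script:DCName.Count; $i++) {
        write-host "`t" $Script:DCName[$i] "`t" $Script:LockedOut[$i] "`t`t" $Script:AccountLockoutTime[$i]
    }
    write-host ""
}

#######################################
# Handles one operator entry held in $Script:TargetUserAccount:
#   "q"  - exit the tool
#   ""   - return so the prompt is shown again
#   else - look the value up as sAMAccountName in $Script:SearchDomain, show
#          its lockout state on every DC and offer to unlock it.
# Resets $Script:TargetUserAccount to "" before returning so that the caller's
# prompt loop asks for the next account instead of recursing.
# Globals:   $Script:SearchDomain (read), $Script:TargetUserAccount (read/written),
#            $Script:DCName, $Script:DCFqdn, $Script:AccountLockoutTime,
#            $Script:LockedOut, $Script:EnterString, $Script:UnlockUserAccount (written)
#######################################
Function MainCheck {
    # String -eq is case-insensitive in PowerShell, so "q" also matches "Q".
    if ($Script:TargetUserAccount -eq "q") {
        write-host ""
        write-host "`tPress any key to leave ..."
        write-host ""
        Wait-KeyPress
        exit
    }
    if ($Script:TargetUserAccount -eq "") {
        return
    }

    $SearchDomainDCsObject = new-object 'System.DirectoryServices.ActiveDirectory.DirectoryContext'("Domain", $Script:SearchDomain)
    # Wrap in @() so .Count and [0] behave the same for one DC or many.
    $SearchDomainDCs = @([System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($SearchDomainDCsObject) | select Name)
    if ($SearchDomainDCs.Count -eq 0) {
        write-host ""
        write-host "`tNo Domain Controller found for $Script:SearchDomain!"
        write-host ""
        write-host "`tPress any key to try again ..."
        write-host ""
        Wait-KeyPress
        $Script:TargetUserAccount = ""
        return
    }

    # Escape the operator input before building the LDAP filter.
    $ldapValue = ConvertTo-LdapFilterValue $Script:TargetUserAccount
    $User = Get-ADUser -LDAPFilter "(sAMAccountName=$ldapValue)" -Server $SearchDomainDCs[0].Name
    If ($User -eq $Null) {
        write-host ""
        write-host "`tUser Account Not Exists!"
        write-host ""
        write-host "`tPress any key to try again ..."
        write-host ""
        Wait-KeyPress
        $Script:TargetUserAccount = ""
        return
    }

    Show-AccountLockoutStatus -User $User -DCs $SearchDomainDCs

    $Script:EnterString = "`tUnlock? (Y = Yes / Enter to check another user / q to Leave)"
    $Script:UnlockUserAccount = (Read-Host $Script:EnterString)

    # Single case-insensitive comparisons; "q"/"Q" and "y"/"Y" were previously
    # combined with -and, which can never be true and so never unlocked.
    if ($Script:UnlockUserAccount -eq "q") {
        write-host ""
        write-host "`tPress any key to leave ..."
        write-host ""
        Wait-KeyPress
        exit
    } elseif ($Script:UnlockUserAccount -eq "y") {
        write-host ""
        for ($i = 0; $i -lt $Script:DCName.Count; $i++) {
            if ($Script:LockedOut[$i] -eq $True) {
                write-host "`tUnlocking user on" $Script:DCName[$i]
                # -Server needs a resolvable host name, so use the FQDN rather
                # than the shortened display name.
                Unlock-ADAccount -Identity $User -Server $Script:DCFqdn[$i]
            }
        }
        write-host ""
        write-host "`tRechecking user status ..."
        Show-AccountLockoutStatus -User $User -DCs $SearchDomainDCs
        write-host "`tPress any key to check another User ..."
        write-host ""
        Wait-KeyPress
    }
    # Any other answer: back to the prompt for the next account.
    $Script:TargetUserAccount = ""
}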

# Entry point: start the interactive prompt loop.
MainBoard
