Worm spreads across network. Powershell chosen as ally to opposition.

Adam Bertram


Picture this. You drive into work, grab a cup of coffee, sit down at your desk and log in. It’s a typical day; a couple of tickets came in overnight, last night’s backups completed successfully and you’ve only got 20 emails tagged as “high priority” by users. Suddenly you hear frantic footsteps incoming and your antivirus guy pops in with an urgent message. “Susan in Accounting opened up an email and released a 0-day worm onto the company network! I’ve called support and they’re working on a definition update but they don’t have one yet! It’s locking people’s accounts out like crazy!!”

You sigh and are insanely grateful you don’t have to manage A/V today. However, you’re not off the hook. Because this worm is locking nearly ALL user accounts out, people can’t work and are getting authentication failures left and right. You’ve gotta do something in the meantime to at least try to get people logged in. This means you’ve gotta do some major Active Directory user account unlocking. Active Directory Users and Computers isn’t feasible. That’d take forever. Eureka! PowerShell will do this!

You’ve been an Active Directory guy for a long time but only recently picked up PowerShell. Luckily for you, you took Adam Bertram’s PowerShell: A Getting Started Guide for IT Admins course and are set up to manage Active Directory now. You Google around a little bit and find this post, run the below snippet and you’ve done your part to help the business while the A/V guy comes unglued.

In all seriousness, this is a real issue as you might know. I’ve been there a few times and have had to cobble together some ugly VBScript to get the job done. Thankfully, with PowerShell we now can get this done in a couple of lines. There’s one part I’d like to point out: filtering on only those locked out today. There have been times where in panic mode I unlocked every account in the entire domain not knowing some had been locked for weeks/months/years and were intended to stay locked. When crisis ensues, don’t fix the crisis and make yourself another in the process.

```powershell
## Load the RSAT Active Directory cmdlets (auto-loaded on PowerShell 3+, explicit here for clarity)
Import-Module ActiveDirectory

## Find every account locked out in the domain that was locked out today
## (lockoutTime is a Windows file time, so convert it before comparing the date part)
$users = Search-ADAccount -LockedOut -UsersOnly | Where-Object {
    [datetime]::FromFileTime((Get-ADUser $_ -Properties lockoutTime).lockoutTime).Date -eq (Get-Date).Date
}

## Write the username to the console while unlocking each account in case you want to see your results
$users | ForEach-Object {
    Write-Output $_.SamAccountName
    Unlock-ADAccount -Identity $_.SamAccountName
}
```

This is a quick and dirty script. It works but you could put a lot more bells and whistles onto it if you’d like.
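One way to add those bells and whistles, as an added example that is not from the original post: the same logic wrapped in a function that supports `-WhatIf` so you can preview before unlocking, queries the PDC emulator (which receives every lockout immediately), lets you choose the cutoff time, and emits a record per account so you can keep a log of what you touched during the incident. The function name and parameter names are my own; it assumes the RSAT ActiveDirectory module and rights to unlock accounts.

```powershell
# Added example (not code from the original post). Assumes the ActiveDirectory
# module is available and the caller has rights to unlock accounts.
function Unlock-RecentlyLockedAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only touch accounts locked at or after this time. Default is midnight today,
        # so accounts locked weeks ago on purpose are left alone.
        [datetime]$Since = (Get-Date).Date,

        # Query the PDC emulator: lockouts are forwarded to it immediately,
        # so it has the freshest lockout state in the domain.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    Search-ADAccount -LockedOut -UsersOnly -Server $Server | ForEach-Object {
        # Search-ADAccount does not return lockoutTime, so fetch it per user
        $user = Get-ADUser -Identity $_.SamAccountName -Server $Server -Properties lockoutTime
        $lockedAt = [datetime]::FromFileTime($user.lockoutTime)

        # Locked before the window (an intentional, long-standing lockout): skip it.
        # Inside ForEach-Object, 'return' moves on to the next pipeline object.
        if ($lockedAt -lt $Since) { return }

        $unlocked = $false
        # ShouldProcess honours -WhatIf / -Confirm so you can dry-run first
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Unlock account locked at $lockedAt")) {
            Unlock-ADAccount -Identity $user.SamAccountName -Server $Server
            $unlocked = $true
        }

        # Emit a record per account so the run can be saved for the incident notes
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            LockedAt       = $lockedAt
            Unlocked       = $unlocked
        }
    }
}

# Preview what would be unlocked, then run for real and keep a log of it
Unlock-RecentlyLockedAccount -WhatIf
Unlock-RecentlyLockedAccount | Export-Csv .\unlocked-accounts.csv -NoTypeInformation
```

Pass `-Since (Get-Date).AddHours(-2)` to narrow the window to the start of the outbreak rather than midnight.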
