Restrict the Admin account to unlock a single user account not more than two times in a day.

  • Question

  • Dear Team,

    We want to restrict the Admin account to unlock a single user account not more than two times in a day. Since there is no default option available, we need assistance here using any script.

    Thanks

    Jijo Antony. K

    Monday, September 3, 2018 10:31 AM

All replies

  • Hi,

No one here will give you the solution. We can help you, not do the work. So first, take a look at this : https://docs.microsoft.com/en-us/powershell/module/addsadministration/unlock-adaccount?view=win10-ps

    and try to record the action by a flag to a file.

If you provide a beginning of your solution I can help you.


    The key of learning is practice.

    Monday, September 3, 2018 3:16 PM
There is no built in solution to achieve what you want. You can either grant someone permissions to unlock an account or not. If you are working on providing a script that writes a flag to a file and checks it before running, what is stopping the user from modifying the script?

    If this is really what you want, you should look into Azure Automation.

    • Register a Hybrid Worker in a Hybrid Worker Group;
    • Use a service account with the Hybrid Worker Group that has enough permissions to unlock AD users;
    • Create a PowerShell runbook that unlocks AD accounts and for example updates a variable asset containing the date + count;
    • If the variable asset contains two actions on one day, make the runbook fail;
    • Grant access using RBAC for starting only that Azure Automation Runbook;
    • Instruct the user to start the Runbook (on the Hybrid Worker Group);


    Monday, September 3, 2018 7:40 PM
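Below is an added example (not posted by either replier, and not Microsoft sample code) of what the counter logic from both replies looks like once it is moved into an Azure Automation PowerShell runbook, as the second reply suggests. The runbook name `Unlock-ADAccountLimited`, the variable asset `UnlockLog`, the credential asset `ADUnlockServiceAccount`, and the JSON layout of the counter are all assumptions for this example; the thread names none of them. It relies on the standard runbook cmdlets `Get-AutomationVariable`, `Set-AutomationVariable` and `Get-AutomationPSCredential`, and on the ActiveDirectory module being installed on the Hybrid Worker. The point that makes this stronger than a local script with a flag file is that the operator only holds RBAC rights to start the runbook: the counter, the service account credential and the code all live in the Automation account, where that operator cannot edit them.

```powershell
<#
  Unlock-ADAccountLimited (hypothetical runbook name, example only)
  Assumptions for this example, not taken from the thread:
    - Variable asset 'UnlockLog' exists and holds a JSON string such as
      {"date":"2018-09-03","counts":{"jsmith":1}}  (any other value is treated as empty)
    - Credential asset 'ADUnlockServiceAccount' holds the account that may unlock users
    - Runs on a Hybrid Worker that has the ActiveDirectory module installed
#>
param(
    [Parameter(Mandatory = $true)]
    # Restrict the identity to a plain sAMAccountName so the caller cannot pass a DN,
    # SID or filter-like string that resolves to a different object than they claim.
    [ValidatePattern('^[A-Za-z0-9._-]{1,64}$')]
    [string]$SamAccountName
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$MaxUnlocksPerDay = 2
$VariableName     = 'UnlockLog'            # assumed variable asset name
$CredentialName   = 'ADUnlockServiceAccount' # assumed credential asset name

# Day boundary in UTC so the counter is not reset twice around a DST change.
$today = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd')

# Load the counter from the variable asset. A missing, empty or corrupt value,
# or a value from an earlier day, starts a fresh counter for today.
$raw = Get-AutomationVariable -Name $VariableName
$log = $null
if ($raw) {
    try { $log = [string]$raw | ConvertFrom-Json } catch { $log = $null }
}
if (-not $log -or $log.date -ne $today) {
    $log = [pscustomobject]@{ date = $today; counts = [pscustomobject]@{} }
}

$key   = $SamAccountName.ToLowerInvariant()
$count = 0
if ($log.counts.PSObject.Properties[$key]) { $count = [int]$log.counts.$key }

# Enforce the limit before touching AD. Throwing fails the job, which is what the
# second reply asks for: the operator sees a failed run, and nothing is unlocked.
if ($count -ge $MaxUnlocksPerDay) {
    throw "Daily unlock limit ($MaxUnlocksPerDay) already reached for '$SamAccountName' on $today (UTC)."
}

$cred = Get-AutomationPSCredential -Name $CredentialName
$user = Get-ADUser -Identity $SamAccountName -Properties LockedOut -Credential $cred

# An account that is not locked consumes no quota; just report and stop.
if (-not $user.LockedOut) {
    Write-Output "Account '$SamAccountName' is not locked out; nothing to do."
    return
}

# Persist the incremented counter BEFORE the unlock so that a failure after this
# point cannot leave an unlock that was never counted (fail closed, not open).
if ($log.counts.PSObject.Properties[$key]) {
    $log.counts.$key = $count + 1
} else {
    $log.counts | Add-Member -NotePropertyName $key -NotePropertyValue ($count + 1)
}
Set-AutomationVariable -Name $VariableName -Value ($log | ConvertTo-Json -Compress)

Unlock-ADAccount -Identity $SamAccountName -Credential $cred
Write-Output "Unlocked '$SamAccountName' (attempt $($count + 1) of $MaxUnlocksPerDay for $today UTC)."
```

Two caveats a practitioner would want on top of this. First, a single variable asset is not a lock: two jobs started within a few seconds of each other can both read a count of 1 and both unlock, so if the limit must be strict, run the runbook on a Hybrid Worker group with one worker and avoid starting it from a schedule or webhook that can fan out. Second, the counter is an enforcement mechanism, not an audit record; keep forwarding the domain controllers' security event 4767 (A user account was unlocked) to your SIEM, because that log shows unlocks performed by the service account regardless of what the runbook variable says.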