locked
Lockdown a active directory user account RRS feed

  • Question

  • Hello,

    Is it possible to lockdown a active directory user account with command prompt or powershell?

    Monday, April 7, 2014 3:32 PM

Answers

  • Hello.

    It is possible to manually lock out a user account. I just tested it. What I did was, trying to map a network drive with wrong credentials. I suggested this in my previous post to. You must use the command like this if you want to lock out your user:

    net use L: \\IP_Address\Shared_Folder /User:domain\username WRONG_PASSWORD


    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or to mark this post as and helpfull to other poeple.

    • Proposed as answer by bshwjt Tuesday, April 8, 2014 4:31 AM
    • Marked as answer by Ortaç Demirel Tuesday, April 8, 2014 8:32 AM
    Tuesday, April 8, 2014 3:33 AM

All replies

  • Hello,

    How about trying to create a map drive using the wrong credentials over and over again until the account locked out? You can achieve this using net use command via command prompt.



    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or to mark this post as and helpfull to other poeple.

    • Proposed as answer by bshwjt Tuesday, April 8, 2014 4:30 AM
    Monday, April 7, 2014 4:48 PM
  • Monday, April 7, 2014 5:01 PM
  • What exactly are you trying to lock down? If you are wanting them to only run a single app - you can enable the custom user interface: http://deployhappiness.com/group-policy-kiosk-mode-locking-down/

    If my answer helped you, check out my blog: DeployHappiness. Subscribe by RSS or email. 

    Monday, April 7, 2014 5:33 PM
  • I found this link:

    http://social.technet.microsoft.com/forums/windowsserver/en-US/007db067-d0b6-4ee6-8fee-ae14e251a121/lock-ad-user

    I think that it is not possible..


    Monday, April 7, 2014 6:31 PM
  • Hello.

    It is possible to manually lock out a user account. I just tested it. What I did was, trying to map a network drive with wrong credentials. I suggested this in my previous post to. You must use the command like this if you want to lock out your user:

    net use L: \\IP_Address\Shared_Folder /User:domain\username WRONG_PASSWORD


    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or to mark this post as and helpfull to other poeple.

    • Proposed as answer by bshwjt Tuesday, April 8, 2014 4:31 AM
    • Marked as answer by Ortaç Demirel Tuesday, April 8, 2014 8:32 AM
    Tuesday, April 8, 2014 3:33 AM
  • from PowerShell help:

    >>get-help -name disable-adaccount -examples

    NAME
        Disable-ADAccount

    SYNOPSIS
        Disables an Active Directory account.

        -------------------------- EXAMPLE 1 --------------------------

        C:\PS>Disable-ADAccount -Identity KimAb


        Description

        -----------

        Disables the account with SamAccountName: KimAB.
        -------------------------- EXAMPLE 2 --------------------------

        C:\PS>Disable-ADAccount -Identity "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"


        Description

        -----------

        Disables the account with DistinguishedName: "CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM".
        -------------------------- EXAMPLE 3 --------------------------

        C:\PS>Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" |
        Disable-ADAccount


        Description

        -----------

        Disables all accounts in the OU: "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM".


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes


    Tuesday, April 8, 2014 6:11 AM
  • Thank you Mahdi,

    What about if i choose password never expires setting for user. Is it still work?


    Tuesday, April 8, 2014 6:19 AM
  • Disable account is totaly different situation. Please do not reply it. To make a disable status is very easy method and it does not mean LOCK a user account.
    Tuesday, April 8, 2014 6:22 AM
  • There is really no relation between 'Password never expires' and your scenario. The 'Password never expires' simply let the user to have his/her password as long as he wants. There is only one setting related to account lock outs and it is in group policy. In most organization they keep this setting value with 3 unsuccessful logons for sensitive accounts.

     

    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or to mark this post as and helpfull to other poeple.

    Tuesday, April 8, 2014 6:39 AM
  • Mahdi,

    Did you try net use command from remote server (like dc ) or user's machine?

    Tuesday, April 8, 2014 7:44 AM
  • I did try this on my own machine which I use for regular uses. But it really does not matter. What you have to do is to use wrong credentials. It is some sort of DOS attack on AD users.

    Regards.


    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or to mark this post as and helpfull to other poeple.

    Tuesday, April 8, 2014 8:09 AM
  • Thank you Mahdi.
    Tuesday, April 8, 2014 8:31 AM
  • You are welcome. Glad it helped.

    Mahdi Tehrani   |     |   www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, April 8, 2014 8:36 AM
  • Disable account is totaly different situation. Please do not reply it. To make a disable status is very easy method and it does not mean LOCK a user account.

    i'm not sure what you trying to do, check out links below if this is what you are trying to accomplish.

    Windows 2012 Account Lockout Policy (for whole domain)
    http://technet.microsoft.com/en-us/library/hh994563.aspx

    For specific account (the hardway don't do if you're not familiar with ADSI editing) PSO
    Fine-Grained Password and Account Lockout Policy Review
    http://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes

    Tuesday, April 8, 2014 9:14 AM