
how to unlock accounts that meet certain conditions


I am trying to unlock several accounts in Active Directory through PowerShell, but I can't figure out how to link every condition into the query.

The conditions are:

- The account should be enabled

- It shouldn't be "memberof" some groups (which I'm not able to unlock, like Administrators)

I don't have full control over accounts; I'm not able to unlock some of them due to my privileges, so it would be very helpful if you can help me identify, or simply discard, the accounts that I'm not able to unlock.

I've just tried this

Search-ADAccount -LockedOut | Unlock-ADAccount

(Very poor attempt, I know, I'm very new to this technology)

But it gives me an error because of my account's privileges.

Error

It says: access rights are insufficient to perform the action. The error is the same for different CN accounts.


Solution

  • I'm able to unlock some accounts, but when I run the command Unlock-ADAccount, I think it tries to unlock accounts like administrator and some disabled accounts, which I don't have permission to modify; but if I run that command on an individual "regular" account, it gets unlocked.

    This is due to the blocking of inheritance of permissions applied to Domain Admins accounts and to the Security Descriptor propagator (SDPROP). It's not recommended, as it's a critical mechanism in my opinion, but you might:

    • create a specific delegation for a group
    • and append this group to the Access Control Entry (ACE) of this kind of template folder for admin permissions: 'CN=AdminSDHolder,CN=System,DC=example,DC=com' (with the help of LDP.exe)
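One way to put the question's conditions together, as an added example that is not code from the question or the answer: it assumes the RSAT ActiveDirectory module is installed and uses placeholder group names, and it skips accounts with adminCount=1 (the ones the SDPROP/AdminSDHolder mechanism described above protects) instead of attempting them, so no AdminSDHolder change is needed.

```powershell
# Added example: unlock locked-out accounts that are enabled, not members of the
# excluded groups, and not protected by AdminSDHolder (adminCount = 1), which is
# why Unlock-ADAccount fails with "insufficient access rights" on some of them.
Import-Module ActiveDirectory

# Assumed placeholder: groups whose members you are not delegated to unlock.
$ExcludedGroups = @('Administrators', 'Domain Admins')

# Resolve excluded groups to user DNs once, expanding nested membership so a
# user that is a member through another group is also skipped.
$excludedMembers = foreach ($g in $ExcludedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty DistinguishedName
}
$excludedSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$excludedMembers, [System.StringComparer]::OrdinalIgnoreCase)

# Candidate set: locked-out user accounts that are still enabled and not
# flagged by SDPROP (adminCount = 1 marks objects stamped from AdminSDHolder).
$candidates = Search-ADAccount -LockedOut -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties adminCount } |
    Where-Object {
        $_.adminCount -ne 1 -and
        -not $excludedSet.Contains($_.DistinguishedName)
    }

foreach ($user in $candidates) {
    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
        Write-Output "Unlocked $($user.SamAccountName)"
    }
    catch {
        # Insufficient rights on this particular object: report it and keep going
        # instead of letting one failure abort the whole run.
        Write-Warning "Skipped $($user.SamAccountName): $($_.Exception.Message)"
    }
}
```

Run it first with `-WhatIf` added to the Unlock-ADAccount line to see which accounts would be touched before changing anything.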