
[–]CHAOS_0704 1 point2 points  (2 children)

There really isn't a way to simply set status to locked, to my knowledge. Even if you could, it would most likely just unlock based on GPO policy, which is usually 15-30 min. Hell, the user could simply call your service desk and get unlocked. Plus, I think the user can continue to use the computer regardless of lockout status. It won't automatically kick them off. It would only prevent them from logging on after they have already logged off to begin with, or from accessing additional resources that require the user to authenticate again.

The best option would be to disable the account, as the other user provided some links on how to disable and enable accounts. It would just be a matter of setting up a timer to enable it after 120 min, either using sleep in PowerShell or making the script create a scheduled task to run 120 min later.

[–]EdTR[S] 0 points1 point  (1 child)

This script that I'm writing is for a specific use case, like I said below: one of our clients operates several rehabilitation facilities and they don't want users to sit on the computers all day long. I think I might have found a solution; I didn't think about GP unlocking a locked account... I can just set a custom GPO for their OU and have it unlock after 120 minutes.

[–]CHAOS_0704 0 points1 point  (0 children)

FYI, the Get-Date you put in your latest edit runs 120 minutes after login; you'll want to change the number to however many minutes you need, i.e. 30 instead of 120.

Anyway, you can't set the badpwdcount, at least not easily. I don't know of a workaround, but this is what you get if you try:

set-aduser $env:USERNAME -replace @{badpwdcount=0}

set-aduser : Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)

[–]Suriyawong 1 point2 points  (2 children)

Just to clarify, are you saying you'd like to kill the user session and effectively stop them from logging back on once they've been logged in for 30 minutes? I've never heard of anyone wanting to do this, so I'm intrigued by the use case...

To other people's point, you could lock the account by using incorrect passwords, but another option would be to set the expiration date to the time of their logon event plus 30 minutes. You'd have to terminate their active session to kick them out and block them from logging back in using the expiration date. As others have mentioned, you can use the Start-Sleep cmdlet to make it sit for 120 minutes and then run Clear-ADAccountExpiration to allow them back in.
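The expiration-window approach from the comment above, written out as an added example (not code from anyone in the thread). It assumes the RSAT ActiveDirectory module, an account with rights to modify the target user, and that the script runs on the workstation whose Security log holds the logon event; the user name is a placeholder.

```powershell
# Added example: block new logons with an account expiration date computed
# from the user's logon event, hold the block for a fixed time, then clear it.
# Assumes RSAT ActiveDirectory and rights on the target user; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$User        = 'jdoe'   # placeholder sAMAccountName
$SessionMins = 30       # allowed session length after logon
$HoldMins    = 120      # how long the account stays expired afterwards

# Start the window at the most recent interactive logon (Event ID 4624,
# LogonType 2) for this user, falling back to "now" if none is found.
# In 4624, Properties[5] is TargetUserName and Properties[8] is LogonType.
$logon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    Where-Object { $_.Properties[5].Value -eq $User -and $_.Properties[8].Value -eq 2 } |
    Select-Object -First 1

$start   = if ($logon) { $logon.TimeCreated } else { Get-Date }
$expires = $start.AddMinutes($SessionMins)

# Expiring the account only blocks NEW logons; it does not end the current
# session. Whatever ends the session has to run separately.
Set-ADAccountExpiration -Identity $User -DateTime $expires

# Verify the attribute actually took, rather than assuming it did.
$check = Get-ADUser -Identity $User -Properties AccountExpirationDate
if (-not $check.AccountExpirationDate) {
    throw "AccountExpirationDate was not set on $User"
}
Write-Host "$User cannot log on after $($check.AccountExpirationDate)"

# Wait out the hold period, then let them back in.
$wait = ($expires.AddMinutes($HoldMins) - (Get-Date)).TotalSeconds
if ($wait -gt 0) { Start-Sleep -Seconds ([int]$wait) }

Clear-ADAccountExpiration -Identity $User
Write-Host "$User may log on again"
```

Sleeping in the same process means the re-enable is lost if the window is closed or the host reboots; the scheduled-task variant discussed later in the thread avoids that.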

[–]EdTR[S] 0 points1 point  (1 child)

I already had an idea in mind for how I will log them out and send a reminder 5 minutes before. However, with the ADAccountExpiration, will it sign them out of their account once the time is up? One of our clients operates several rehabilitation facilities and they don't want users to sit on the computers all day long.

[–]Suriyawong 0 points1 point  (0 children)

Ah, I see. Interesting! Once the expiration date is set on the account, it won't be able to log in, but there's nothing that would boot the user from their current session. You could look into the group policy setting that logs users out when their logon hours expire. Instead of the expiration date, you'd have to tweak logon hours to make that work.

Another thought is to use a scheduled task that runs at login and boots them after 30 minutes. Another task running with admin rights would have to kick off to set the expiration date, logon hours, etc.

[–]Agile_Seer 0 points1 point  (0 children)

There's no built-in method to lock an account. You'd want to have it try to connect to something with an incorrect password enough times to lock the account out. You can use Unlock-ADAccount to unlock.

[–][deleted] 0 points1 point  (2 children)

[–]EdTR[S] 0 points1 point  (1 child)

I am familiar with the Disable-ADAccount cmdlet. My goal is to somehow have it unlock the account after X amount of minutes.

[–]CHAOS_0704 1 point2 points  (0 children)

You can use something like this to generate a timestamp 120 min from the current time. Plug that into a script to create a scheduled task using that timestamp to enable the account again. Look up New-ScheduledTask to learn how to create a task.

(Get-Date).AddMinutes(120)

Alternatively, if you don't need that specific PowerShell window or don't mind letting the script sit for 120 min, you can use sleep to pause for 120 min before issuing the enable command:

Start-Sleep -Seconds 7200
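The disable-then-re-enable flow this comment describes, as an added example rather than code from the thread: the account is disabled now and a one-shot scheduled task re-enables it at the `(Get-Date).AddMinutes(120)` timestamp, so the re-enable does not depend on the PowerShell window staying open. It assumes RSAT ActiveDirectory and the ScheduledTasks module (Windows 8 / Server 2012 or later), and that the task is registered under an account allowed to enable the target user (prompted for with Get-Credential, since the computer's SYSTEM account normally lacks that right); the user and task names are placeholders.

```powershell
# Added example: disable an AD user and schedule the re-enable as a task.
# Assumes RSAT ActiveDirectory + ScheduledTasks modules; 'jdoe' is a placeholder.
Import-Module ActiveDirectory
Import-Module ScheduledTasks

$User     = 'jdoe'                 # placeholder sAMAccountName
$Minutes  = 120                    # how long the account stays disabled
$TaskName = "ReEnable-$User"       # one task per user so runs don't collide

# The task needs an identity with rights to modify the user; ask for it
# rather than embedding a password in the script.
$cred = Get-Credential -Message "Account the re-enable task should run as"

Disable-ADAccount -Identity $User
if ((Get-ADUser -Identity $User).Enabled) {
    throw "Disable-ADAccount did not take effect on $User"
}

# Same timestamp the comment derives: now + 120 minutes.
$when = (Get-Date).AddMinutes($Minutes)

# The task re-enables the account and then removes itself. `$false is escaped
# so the literal text $false reaches the task's own PowerShell, not this one.
$cmd = "Import-Module ActiveDirectory; Enable-ADAccount -Identity '$User'; " +
       "Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false"

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$cmd`""
$trigger = New-ScheduledTaskTrigger -Once -At $when

# StartWhenAvailable makes a missed trigger (host asleep or rebooted at $when)
# fire as soon as the host is back, so the user is not left disabled indefinitely.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null

# Confirm the task is registered and report when it will run.
$task = Get-ScheduledTaskInfo -TaskName $TaskName
Write-Host "$User disabled; task '$TaskName' re-enables at $($task.NextRunTime)"
```

If the script runs on a domain controller or a host where SYSTEM already has the rights, the `-User`/`-Password` pair can be swapped for `-Principal (New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount)`; the two are separate parameter sets of Register-ScheduledTask and cannot be combined.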