I'm looking for ways to unlock Active Directory (AD) accounts without having to rely on remote desktop access, especially when I'm on call. Is it possible to achieve this using a simple SSH session or PowerShell on Linux? If scripting is necessary, I'm open to that, but I'm hoping for a straightforward method instead.
4 Answers
You can set up an SSH connection to a Windows host and use PowerShell to unlock accounts. We have a method where we use a 'secret' to decrypt credentials and then unlock the account using elevated rights. Just keep in mind that security is important—make sure to implement two-factor authentication (2FA) if you choose this route!
It’s frustrating that Microsoft includes older versions by default. What would I lose if I just installed the latest version from source instead?
There are definitely better ways to unlock AD accounts than resorting to SSH. Have you thought about using a dedicated tool? AD Manager Plus has a mobile app that could be super convenient for this, especially when you're in a pinch.
If it were free, I would definitely consider that option. I'm looking for something simple and cost-effective!
You could also use PowerShell remoting. A simple command like `Search-ADAccount -LockedOut | Unlock-ADAccount` could help you unlock accounts through an active PS session without needing to RDP in.
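A more targeted version of that command, added here as an example that is not from the thread: it unlocks one named account rather than every locked-out account, prints the bad-password counters first (a cluster of lockouts with high counts can be a password-spray signal rather than a forgotten password) and appends an audit line. The RSAT module requirement, the log path and the SSH invocation at the bottom are assumptions.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module is
# installed on the SSH target and that the audit log directory exists (hypothetical path).
#Requires -Modules ActiveDirectory

function Unlock-OneAdAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        # Only accept a plain sAMAccountName; the value may arrive via an SSH command line,
        # so reject anything that could be parsed as extra tokens or a wildcard.
        [ValidatePattern('^[A-Za-z0-9._-]{1,64}$')]
        [string]$SamAccountName,

        [string]$AuditLog = 'C:\ProgramData\adunlock\unlock.log'   # hypothetical path
    )

    # Terminating error if the account does not exist, so a typo never reaches Unlock-ADAccount.
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop `
        -Properties LockedOut, badPwdCount, LastBadPasswordAttempt

    if (-not $user.LockedOut) {
        Write-Warning "$SamAccountName is not locked out; nothing to do."
        return $false
    }

    # Show the on-call engineer why the lockout happened before it is cleared.
    Write-Host ("{0}: badPwdCount={1}, lastBadPasswordAttempt={2}" -f `
        $SamAccountName, $user.badPwdCount, $user.LastBadPasswordAttempt)

    # -WhatIf / -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Unlock AD account')) {
        Unlock-ADAccount -Identity $SamAccountName

        # One JSON line per unlock: who did it, when, to whom, and the counter at the time.
        $entry = [pscustomobject]@{
            Time     = (Get-Date).ToString('o')
            Operator = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            Target   = $SamAccountName
            BadCount = $user.badPwdCount
        } | ConvertTo-Json -Compress
        Add-Content -Path $AuditLog -Value $entry
        return $true
    }
    return $false
}

# Example invocation from a Linux shell through the Windows OpenSSH server (assumed host and path):
#   ssh oncall@dc01.example.test 'powershell -NoProfile -Command ". C:\tools\Unlock-OneAdAccount.ps1; Unlock-OneAdAccount -SamAccountName jdoe"'
```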
Have you thought about using adcli? It might be a more convenient tool for interacting with AD from Linux systems if you're looking to unlock accounts.
Just be cautious with admin authorized keys on Windows' OpenSSH. If someone leaves but their key is still in the system, they could still gain access. Make sure you're tracking key changes!