Level Verified

Windows Unlock Device Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

In the aftermath of a lockout—whether triggered by a security event or an accidental account issue—IT pros often need a straightforward method to restore access for authorized users. This script simplifies that challenge by automatically enabling both local and domain user accounts (if applicable), returning systems to normal function quickly and reliably.

Description

This script checks whether the device is joined to a domain and then proceeds to enable local Windows user accounts. If it detects domain membership, it also re-enables any related Active Directory accounts, effectively rolling back the account restrictions imposed by a prior lock-down procedure. It streamlines the entire unlock process without the need for complex manual intervention.

Script

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

Level Library
https://level.io/library/script-windows-unlock-device
#>

$script:errors = $false  # Script-scoped error tracking

# Function to check if the device is domain-joined
function Is-DomainJoined {
    $domain = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    return $domain
}

# Function to unlock all local accounts
function Enable-LocalAccounts {
    $localUsers = Get-LocalUser
    foreach ($user in $localUsers) {
        try {
            Enable-LocalUser -Name $user.Name
            Write-Host "Local account $($user.Name) has been unlocked."
        } catch {
            # $(...) is required here: "${_.Exception.Message}" would be parsed as a
            # variable literally named "_.Exception.Message" and expand to nothing.
            Write-Host "ALERT: Failed to unlock local account $($user.Name): $($_.Exception.Message)"
            $script:errors = $true
        }
    }
}

# Function to unlock Active Directory accounts (only if domain-joined)
function Enable-ADAccounts {
    try {
        # Enable-ADAccount is provided by the RSAT ActiveDirectory module; fail early if it is missing
        Import-Module ActiveDirectory -ErrorAction Stop
        # Win32_ComputerSystem.UserName is the currently logged-on user (DOMAIN\Username),
        # so this targets the AD account of the interactive user on this device
        $adUsers = Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty UserName
        if ($adUsers -and $adUsers -match '\\') {
            foreach ($adUser in $adUsers) {
                try {
                    # Extract just the username (DOMAIN\Username format)
                    $adUserName = $adUser -split '\\' | Select-Object -Last 1
                    Enable-ADAccount -Identity $adUserName -Confirm:$false
                    Write-Host ("AD account " + $adUserName + " has been unlocked.")
                } catch {
                    Write-Host ("ALERT: Failed to unlock AD account " + $adUserName + ": " + $_.Exception.Message)
                    $script:errors = $true
                }
            }
        }
    } catch {
        Write-Host ("ALERT: Failed to retrieve AD users: " + $_.Exception.Message)
        $script:errors = $true
    }
}

# Execute actions
Enable-LocalAccounts

# If the system is domain-joined, unlock AD users
if (Is-DomainJoined) {
    Write-Host "Domain detected. Unlocking AD users..."
    Enable-ADAccounts
} else {
    Write-Host "No domain detected. Skipping AD account unlock."
}

# Exit with error if any issues occurred
if ($script:errors) {
    Write-Host "ALERT: One or more accounts failed to unlock. Exiting with error."
    exit 1
} else {
    Write-Host "All necessary accounts have been unlocked successfully."
}


Use Cases

  • Reversing a security lockdown after an incident has been resolved
  • Correcting unexpected or accidental user account lockouts
  • Streamlining the process of restoring normal access during routine maintenance
  • Re-enabling domain accounts on systems that were previously locked

Recommendations

  • Test thoroughly in a non-production or test environment before deployment
  • For on-demand unlocking, configure a script-based monitor in Level to trigger this script when needed
  • If you want to run this script on a set schedule, build an automation in Level with a scheduled trigger to automate the unlock process
  • Double-check which accounts should remain disabled before running this script to avoid unintentionally unlocking compromised accounts

FAQ

  • Does this script require admin privileges?
    Yes, enabling user accounts requires administrative permissions. Level automatically runs scripts with system or root-level permissions by default.
  • What if the device is not domain-joined?
    The script skips the Active Directory unlock portion and only enables local accounts.
  • Will it unlock every local account, including default system accounts?
    The script attempts to enable all local user accounts retrieved by Get-LocalUser. Make sure you manually disable any accounts that should remain locked.
  • How do I confirm it worked?
    Review the script logs in the Level console and verify that users can sign in to their accounts afterward.
  • Can I control which specific users get unlocked?
    Currently, the script is designed to re-enable all accounts. If selective unlocking is needed, modify the script to specify user accounts before execution.
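The recommendation to double-check which accounts should stay disabled and the FAQ answer about selective unlocking both point at the same change. The following is an added example, not the Level library script, of a selective variant: only allow-listed accounts are re-enabled, built-in local accounts are never touched, and running it with -WhatIf produces the report without changing anything. It assumes an elevated Windows PowerShell 5.1 session; the names in $AllowedUsers are constructed samples, and the AD branch needs the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not the Level library script): selective, auditable unlock.
# Usage: .\Unlock-Selected.ps1 -WhatIf            (dry run, report only)
#        .\Unlock-Selected.ps1 -IncludeAD         (local + AD for the allow-list)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$AllowedUsers = @('jdoe', 'asmith'),   # constructed sample names; replace before use
    [switch]$IncludeAD
)

# Built-in local accounts that an unlock run should never re-enable.
$neverEnable = @('Guest', 'DefaultAccount', 'WDAGUtilityAccount')

function New-Row([string]$Account, [string]$Scope, [string]$Action) {
    [pscustomobject]@{ Account = $Account; Scope = $Scope; Action = $Action }
}

$report = @(foreach ($user in Get-LocalUser) {
    $name = $user.Name
    if ($neverEnable -contains $name)      { New-Row $name 'Local' 'Skipped (built-in)'; continue }
    if ($AllowedUsers -notcontains $name)  { New-Row $name 'Local' 'Skipped (not allow-listed)'; continue }
    if ($user.Enabled)                     { New-Row $name 'Local' 'Already enabled'; continue }
    # ShouldProcess honours -WhatIf / -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($name, 'Enable local account')) {
        Enable-LocalUser -Name $name
        New-Row $name 'Local' 'Enabled'
    }
})

if ($IncludeAD -and (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $report += foreach ($name in $AllowedUsers) {
        # Get-ADUser throws on an unknown identity, so treat that as "not found" rather than a crash.
        $adUser = try { Get-ADUser -Identity $name -ErrorAction Stop } catch { $null }
        if (-not $adUser)     { New-Row $name 'AD' 'Not found'; continue }
        if ($adUser.Enabled)  { New-Row $name 'AD' 'Already enabled'; continue }
        if ($PSCmdlet.ShouldProcess($name, 'Enable AD account')) {
            Enable-ADAccount -Identity $adUser -Confirm:$false
            New-Row $name 'AD' 'Enabled'
        }
    }
}

# One row per account gives the Level console log an audit trail of what changed and what was skipped.
$report | Format-Table -AutoSize
```

Accounts that are enabled but locked out by failed logon attempts need Unlock-ADAccount rather than Enable-ADAccount; this example, like the library script, only reverses the disabled state.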

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Unlock Device

Description

This script checks if the device is domain-joined and unlocks all local user accounts. If the device is part of a domain, it also attempts to unlock Active Directory accounts.

Language

PowerShell

Timeout (In Seconds)

100

Run As

Local system
