I am very new to Kace and trying to get my feet wet. Does anyone know if there is a way to create a script that is ticket generated to unlock user accounts in Active Directory? I want the end user to be able to go to the support desk portal, enter a ticket and unlock their own AD accounts. Has this been done before or does anyone know how it could be done? Thanks

Help Desk automation comes from custom ticket rules, and I don't know of any way to trigger something like this from a ticket rule. You could use the Software Library to allow end-users to run scripts, but the unlock and variable management (i.e. username variable assignment) would have to be done by your custom script (e.g. VBS, AutoIt, PowerShell, etc.). For example, you could set up a script with embedded credentials with the power to unlock accounts. The script would need to detect the logged-on user on the machine running the script and then pass that to the command for unlock. However, the Software Library would only work if the user could log on to their machine. You could set up a script that could run from any machine and prompt the user for their account name, but then you run the risk of anybody being able to unlock anybody else's account.

This may seem like a simple problem, but the solution is anything but. Also, if you use LDAP authentication then the KBOX can do nothing for this, because if an account is locked out you can't authenticate to KBOX either.
Answered 06/22/2011 by: airwolf

  • The command that could be run would be:

        net user "username" /Domain /active:Yes

    This would make the AD account active again. I think the trick here is first to substitute "username" with the account name of the locked user and second create a ticket rule that another user could enter for the locked user that would trip the whole thing off.

    Say, create a ticket rule that looks for "Account locked" in the title. You could then tell the users to put the username after. Have the ticket rule take the third word in the title and use it in the script.

    Unfortunately, I don't know the product well enough to pull this off, but I would use this in my environment if someone could find a way to stitch it together.
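The ticket-rule idea above (take the third word of the title and hand it to an unlock command) puts user-typed text into a privileged script, and the answer's concern is anybody unlocking anybody else's account. The following is an added example, not code from this thread or from KACE, showing the guard rails such a script would need before it acts. The function names, the "Account locked <name>" title format and the Submitter parameter are assumptions; it assumes the ActiveDirectory PowerShell module and a service account delegated only the right to unlock user accounts.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
# Assumes the ActiveDirectory module (RSAT) and a service account that has been
# delegated only the right to unlock user accounts.
Import-Module ActiveDirectory

function Get-UnlockTarget {
    param([Parameter(Mandatory)][string]$Title)
    # Accept exactly "Account locked <name>"; <name> is limited to a conservative
    # sAMAccountName character set, so quotes, spaces and switches never pass.
    if ($Title -match '^\s*Account\s+locked\s+([A-Za-z0-9._-]{1,20})\s*$') {
        return $Matches[1]
    }
    return $null
}

function Invoke-TicketUnlock {
    param(
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Submitter   # authenticated ticket owner, for audit
    )
    $result = [ordered]@{ Submitter = $Submitter; Target = $null; Action = 'Rejected'; Reason = '' }

    $name = Get-UnlockTarget -Title $Title
    if (-not $name) { $result.Reason = 'Title format not recognised'; return [pscustomobject]$result }
    $result.Target = $name

    try {
        # The validated name goes in as a parameter value, never into a command string.
        $user = Get-ADUser -Identity $name -Properties LockedOut, adminCount -ErrorAction Stop
    } catch {
        $result.Reason = 'Account not found'; return [pscustomobject]$result
    }

    # Policy: leave privileged, disabled and not-locked accounts to a technician.
    if ($user.adminCount -eq 1)   { $result.Reason = 'Protected account' }
    elseif (-not $user.Enabled)   { $result.Reason = 'Account is disabled' }
    elseif (-not $user.LockedOut) { $result.Reason = 'Account is not locked' }
    else {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
        $result.Action = 'Unlocked'
    }
    return [pscustomobject]$result   # write this record to the ticket or a log
}

# Constructed sample call:
# Invoke-TicketUnlock -Title 'Account locked jsmith' -Submitter 'mjones'
```

Unlocking does not change the password, so what remains is the lockout threshold being reset on request; the returned record of who asked for which account is what lets that be reviewed or rate-limited.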