Citrix Virtual Apps and Desktops SDK


Unlocks AD accounts within the AD Identity Service.


Unlock-AcctADAccount -ADAccountName <String> [-LoggingId <Guid>] [-BearerToken <String>] [-TraceParent <String>] [-TraceState <String>] [-VirtualSiteId <String>] [-AdminAddress <String>] [<CommonParameters>]

Unlock-AcctADAccount -ADAccountSid <String> [-LoggingId <Guid>] [-BearerToken <String>] [-TraceParent <String>] [-TraceState <String>] [-VirtualSiteId <String>] [-AdminAddress <String>] [<CommonParameters>]

Detailed Description

Provides the ability to unlock the AD Identity Service identity item that references a specified AD account. An AD account is marked as locked in the AD Identity Service while the Machine Creation Services (MCS) are processing tasks relating to the account. If these tasks are forcibly stopped, an account can remain locked despite no longer being processed. This command resolves this issue, but use it with caution because unlocking an account that MCS expects to be locked can result in an MCS operation being cancelled. Use this command only when MCS has locked an account for use in a provisioning operation, and where this operation has failed without unlocking the account.

Note: This command does NOT make any changes to the account information stored in Active Directory.


Name Description Required? Pipeline Input Default Value
ADAccountName The AD account name to be unlocked. AD account name is accepted in the following formats: Fully qualified DN e.g. CN=MyComputer,OU=Computers,DC=MyDomain,DC=Com; UPN format e.g MyComputer@MyDomain.Com; Domain qualified e.g MyDomain\MyComputer. true false  
ADAccountSid The AD account SID that represents the account to be unlocked. true true (ByPropertyName)  
LoggingId Specifies the identifier of the high-level operation this cmdlet call forms a part of. Citrix Studio and Director typically create high-level operations. PowerShell scripts can also wrap a series of cmdlet calls in a high-level operation by way of the Start-LogHighLevelOperation and Stop-LogHighLevelOperation cmdlets. false false  
BearerToken Specifies the bearer token assigned to the calling user false false  
TraceParent Specifies the trace parent assigned for internal diagnostic tracing use false false  
TraceState Specifies the trace state assigned for internal diagnostic tracing use false false  
VirtualSiteId Specifies the virtual site the PowerShell snap-in will connect to. false false  
AdminAddress Specifies the address of a XenDesktop controller that the PowerShell snap-in connects to. You can provide this as a host name or an IP address. false false LocalHost. Once a value is provided by any cmdlet, this value becomes the default.

Input Type


You Can Pipe An Object Containing A Parameter Called 'Adaccountsid' To Unlock-Acctadaccount.

Return Values


In the case of failure, the following errors can result.
Error Codes
The specified AD account could not be located in Active Directory.
The identity could not be found.
The identity is not locked.
The user does not have administrative rights to perform this operation.
The operation could not be performed because of a configuration logging error
An error occurred in the service while attempting a database operation.
The operation could not be completed because the database for the service is not configured.
An error occurred in the service while attempting a database operation - communication with the database failed for
for various reasons.
An error occurred while communicating with the service.
An unexpected error occurred. To locate more details, see the Windows event logs on the controller being used or examine the XenDesktop logs.


Example 1

c:\PS>Unlock-AcctADAccount -ADAccountName Domain\account


Unlocks the AD account called “Domain\account”.

Example 2

c:\PS>Get-AcctADAccount -Filter {lock -eq $true} | Unlock-AcctADAccount


Unlocks all the locked AD accounts.