Step 2: Prepare Active Directory
⏱️ 15 minutes
Configure your Active Directory to work with AD Unlock.
Overview
This step involves:
- Creating a service account
- Delegating the required permissions
- Verifying that LDAPS is enabled
All scripts in this section are PowerShell and should be run on a Domain Controller or on a machine with the RSAT tools installed.
Quick Reference
Service Account Requirements
| Setting | Value |
|---|---|
| Account Type | Domain User |
| Name | svc_adunlock (or your choice) |
| Password | Strong, non-expiring |
| Group Membership | Domain Users only (no admin rights) |
Required Permissions
On OUs where self-service is allowed:
| Permission | Purpose |
|---|---|
| Read | Find users |
| Reset Password | Reset unicodePwd |
| Write lockoutTime | Unlock accounts |
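The following PowerShell is an added example, not a script from the AD Unlock project: it creates the service account with the settings in the table above and delegates exactly the three permissions listed (Read, Reset Password, Write lockoutTime) to it, scoped to user objects under one OU. The OU distinguished name is an assumed placeholder for your own domain; the GUIDs for the `user` class, the `lockoutTime` attribute and the `Reset Password` extended right are read from the schema and configuration partitions at run time rather than hard-coded.

```powershell
# Added example (not the AD Unlock project's own script).
# ASSUMPTIONS: $ouDN is a placeholder OU; adjust it and $svcName for your domain.
Import-Module ActiveDirectory

$svcName = 'svc_adunlock'                    # name from the Quick Reference table
$ouDN    = 'OU=Staff,DC=corp,DC=example'     # ASSUMED placeholder: OU where self-service is allowed

# 1. Create the account: plain domain user, strong non-expiring password, no extra groups.
$pw = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $pw `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AD Unlock service account (least-privilege delegation)'
$sid = (Get-ADUser -Identity $svcName).SID

# 2. Resolve the GUIDs needed for object-specific ACEs from the directory itself.
$rootDSE = Get-ADRootDSE
$userClass = [Guid](Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$lockoutAttr = [Guid](Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdRight = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# 3. Build three ACEs, each inherited only by descendant *user* objects of the OU.
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]
$aces = @(
    # Read: lets the service find users
    $rule::new($sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow, $inherit, $userClass)
    # Reset Password extended right: lets it set unicodePwd without knowing the old password
    $rule::new($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwdRight, $inherit, $userClass)
    # Write lockoutTime: clearing the attribute unlocks the account
    $rule::new($sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $lockoutAttr, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: list only the ACEs granted to the service account, and confirm that its
#    group membership is still just Domain Users (no admin rights).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object -ExpandProperty Name
```

Run it once per OU in which self-service is allowed. Scoping every ACE to descendant `user` objects means the account cannot reset passwords or write `lockoutTime` on computers, groups or anything outside the delegated OUs, and the final membership check is what you re-run later if you suspect the account has been over-privileged.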
Network Ports
| Port | Protocol | Purpose |
|---|---|---|
| 636 | LDAPS | Encrypted LDAP (recommended) |
| 389 | LDAP + StartTLS | Alternative |
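As an added example (again not the project's own script), the PowerShell below verifies the LDAPS side of this step in two ways: it opens a TLS session to a Domain Controller on port 636 and reports the certificate that clients will see, and it then performs a real bind as the service account over either 636 (LDAPS) or 389 with StartTLS, matching the two rows of the table above. The DC name is discovered with `Get-ADDomainController`; replace it with a fixed FQDN if you prefer, and supply the service account credentials when prompted.

```powershell
# Added example (not the AD Unlock project's own script).
# ASSUMPTIONS: the DC is discovered automatically and the credentials are prompted for.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # SslStream validates the chain against the machine trust store, so an untrusted
        # or mismatched certificate throws here, which is exactly what a client would hit.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '(none)' }
        [pscustomobject]@{
            Server   = $Server
            Port     = $Port
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            SAN      = $sanText          # must contain the DC FQDN clients connect to
        }
    } finally { $tcp.Dispose() }
}

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$StartTls                 # use 389 + StartTLS instead of 636
    )
    $port = if ($StartTls) { 389 } else { 636 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($StartTls) { $conn.SessionOptions.StartTransportLayerSecurity($null) }
    else           { $conn.SessionOptions.SecureSocketLayer = $true }
    # A simple bind sends the password in the clear inside the session; it is acceptable
    # only because the session is TLS-protected, which is why this check matters.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        "Bind OK as $($Credential.UserName) on $Server port $port"
    } finally { $conn.Dispose() }
}

# ASSUMED: nearest DC; replace with a fixed FQDN such as the one in your SAN if needed.
$dc   = [string](Get-ADDomainController -Discover -NextClosestSite).HostName
$cred = Get-Credential -Message 'Service account, e.g. CORP\svc_adunlock'

Test-LdapsCertificate -Server $dc | Format-List
Test-LdapsBind -Server $dc -Credential $cred              # LDAPS on 636 (recommended)
Test-LdapsBind -Server $dc -Credential $cred -StartTls    # LDAP + StartTLS on 389 (alternative)
```

If `Test-LdapsCertificate` throws, LDAPS is either not enabled on that DC or the certificate is not trusted by the machine the check runs from; fix that before pointing AD Unlock at the server, because a bind failure at that point looks the same as a bad password from the application's side.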