How to Find Locked Out Users in Active Directory with PowerShell

choubertsprojects

VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

Active Directory is a Microsoft server that stores information about users, computers and other objects in an organization. This article will show you how to use PowerShell to find locked out users who are not able to log on due to expired passwords within Active Directory.

The “powershell lock out user account” is a PowerShell script that allows users to find locked out accounts in Active Directory.

How to Find Locked Out Users in Active Directory with PowerShell

Do your organization’s users ever forget their passwords? Certainly not! Has a user in Active Directory locked himself out? Certainly not! Let’s examine what we can do using PowerShell to locate locked out users in Active Directory!

 Check out Specops’ uReset tool if you’re an IT expert who’s having trouble with password reset and account lockout difficulties in Active Directory. 

Have you ever had malware invade your network that tries to log in with as many domain user identities as possible? I hope not, but it has happened to me before. One or more AD accounts may be shut out for a variety of reasons, including users and worms. Lockouts may occur often or perhaps sporadically, depending on your password policy.

Account lockouts effect your users regardless of the cause or circumstance. They’ll notice right away if their Active Directory domain account is shut out since they rely on it for practically everything. Your helpdesk can re-enable the account, but what if it occurs again? …and again, and again, and again. It’s critical to identify the problem’s fundamental cause.

Using PowerShell and the ActiveDirectory module is one option. You can simply search down all of the accounts that are presently locked out throughout your domain by using the Search-AdAccount cmdlet in the Active Directory module.

Related: Active Directory PowerShell Module Installation

Using PowerShell to locate locked out accounts in Active Directory

You may use the LockedOut argument in the Search-AdAccount command to find locked out accounts. If you have the right to view it, this will bring back all users who are now locked out.

-LockedOut Search-AdAccount

This command is fantastic, but what if you have an account that keeps being locked out and you need to find out where the problem is coming from? This is a regular chore when your network has been infected with malware or when a careless administrator has forgotten to log out of a remote desktop connection. Isn’t it something that never happens?

To determine the cause of an Active Directory lockout, make sure you’re asking the correct domain controller. This will be the domain controller with the PDC emulator role in this situation.

PDCe Role Holder may be found here.

Because this DC has the PDCe role, it is the ideal site to check for password authentication. Check the PDCEmulator attribute given by the Get-ADDomain cmdlet to discover the domain controller with the PDCe role.

= $pdce (Get-ADDomain). PDCEmulator

Looking for Lockouts in the Event Log

Once you have the DC with the PDCe role, look for event ID 4740 in the security event log (security logs) of this DC. When an account is locked out, the event ID 4740 is logged. Use the Get-WinEvent cmdlet to do this.

@’LogName’ =’Security’;’Id’ = 4740 Get-WinEvent -ComputerName $pdce -FilterHashTable @’LogName’ =’Security’;’Id’ = 4740

With PowerShell, you’re much closer to locating those locked off people in Active Directory!

Username and Location Analysis

This will return all lockout incidents, but it will not instantly display the users or machines that were locked out. To discover the username, you’ll need to dig a bit further into the Properties field returned by Get-WinEvent.

@’LogName’ = ‘Security’;’Id’ = 4740 $filter Get-WinEvent -ComputerName $events -FilterHashTable $pdce $filter $events | Select-Object @’Name’ =’UserName’; Expression=$ .Properties[0], @’Name’ =’ComputerName’;Expression=$ .Properties[1], @’Name’ =’ComputerName’;Expression=$ .Properties[0]

You can see how I relocated the hashtable filter to avoid code wrap and, more crucially, how I utilized Select-computed Object’s properties to get the login and machine name from the Properties field. The first member in the Properties array in each of these occurrences is always the locked-out username, while the second element is always the machine name where the lockout was executed.

Unlocking AD Accounts using PowerShell

How do you go about unlocking your locked out AD users now that you’ve located them? The Unlock-ADAccount cmdlet in PowerShell’s ActiveDirectory module makes getting a customer back to work a breeze. Use PowerShell to unlock AD accounts, as described below. Once loaded through the ActiveDirectory module, this command works in both Windows PowerShell and PowerShell 7.

-Identity ‘lockeduser’ -Unlock-ADAccount

Use the Search-ADAccount command with the -LockedOut argument to unlock all locked users at once, then feed the results to the Unlock-ADAccount command, as shown below.

-LockedOut Search-AdAccount | Unlock-ADAccount

Summary

You should now be able to easily identify all of the accounts in your domain that are presently locked out, as well as view a history of all account lockouts. Now is the moment to confront Joe about keeping those RDP sessions open…

The “check if ad account is locked command line” is a command-line tool that can be used to check if an account in Active Directory has been locked out by the administrator.

Related Tags

  • how to find locked out accounts in active directory
  • get-aduser locked out
  • check ad account status powershell
  • powershell lock ad account
  • powershell account lockout history