Use PowerShell to Find Locked-Out User Accounts


Summary: Use a one-line Windows PowerShell command to find and unlock user accounts.

 

Hey, Scripting Guy! I am trying to find users who are locked out. For example, I have a number of users who log on only occasionally. They constantly lock themselves out. I have seen some VBScripts to search for locked out user accounts, and even a Windows PowerShell script to accomplish the same thing, but I am wondering if there is an easier way to accomplish this task. Help, please!

—CJ

 

Hello CJ,

Microsoft Scripting Guy Ed Wilson here. One problem with going on vacation is that the vacation eventually ends. I keep thinking that if we could sell our house in Charlotte, North Carolina, I might like to move to Hawaii to live. Right now, though, very few houses are actually selling in Charlotte, so there is little hope of making that move. One cool thing about living in Hawaii is that it is a couple of hours later than Redmond, Washington (Redmond is -8 GMT and Hawaii is -10 GMT). (This means that the next time someone schedules a meeting for 4:00 P.M. on a Friday, it would be 2:00 P.M. for me instead of the normal 7:00 P.M. meetings I get these days.)

CJ, I know exactly your predicament. You have users hiding in Active Directory Domain Services (AD DS) who are only occasional users. AD DS is essentially a database, and the old adage certainly applies: garbage in, garbage out. If a user cannot remember their password, the usefulness of network security diminishes rapidly. In addition, with the integration of directory services with messaging platforms, forgotten passwords can cause problems. However, when one has hundreds or thousands—or even hundreds of thousands of users—in Active Directory, finding a locked-out user can be as big a challenge as finding the frogfish in the picture I took during my last scuba diving trip to Kauai.

Photo Ed took of a frogfish

Note   This is the third in a series of three posts about working with the ActiveDirectory module. In the first post, I discussed the RSAT tools and the Get-ADUser cmdlet. In the second post, I talked about installing the Active Directory management web service. For additional Active Directory and Windows PowerShell posts, refer to this collection on the Hey, Scripting Guy! Blog.

When using the Microsoft Active Directory cmdlets, locating locked-out users is a snap. In fact, the Search-ADAccount cmdlet even has a -LockedOut switch.

The first thing to do is to import the ActiveDirectory module by using the Import-Module cmdlet. This command is shown here:

Import-Module activedirectory

Once the module is imported, use the Search-ADAccount cmdlet with the -LockedOut parameter. This command is shown here:

Search-ADAccount -LockedOut

Note   Many network administrators who spend the majority of their time working with AD DS import the ActiveDirectory module via their Windows PowerShell profile. In this way, they never need to worry about first importing the module. I have an entire series of posts about working with profiles that discusses how to create a profile, and what sort of things to add to it.

The Search-ADAccount command and the associated output are shown in the following figure.

Image of Search-ADAccount and associated output

I can unlock the locked-out user account as well, assuming I have permission. In the following figure, I attempt to unlock the user account while running Windows PowerShell as a normal user, and an error arises.

Note   People are often worried about Windows PowerShell from a security perspective. Windows PowerShell is only an application, and a user is not able to do anything that they do not have rights or permission to accomplish. This is a case in point.

Image of error

Because the myuser account does not have administrator rights, I need to start Windows PowerShell with an account that has the ability to unlock a user account. To do this, I right-click the Windows PowerShell icon while pressing Shift. This allows me to click Run as different user in the shortcut menu. This produces the dialog box shown in the following figure.

Image of Run as different user dialog box

After I start Windows PowerShell again with an account that has rights to unlock users, I need to import the ActiveDirectory module once again. I then check to ensure that I can still locate the locked-out user accounts. After I have proven to myself I can do that, I pipe the results of the Search-ADAccount cmdlet to Unlock-ADAccount. A quick check ensures I have unlocked all the locked-out accounts. The series of commands is shown here:

Import-Module ActiveDirectory

Search-ADAccount -LockedOut

Search-ADAccount -LockedOut | Unlock-ADAccount

Search-ADAccount -LockedOut

 

The commands and associated output are shown in the following figure.

Image of commands and associated output

Note   Keep in mind that the command Search-ADAccount -LockedOut | Unlock-ADAccount will unlock every account that you have permission to unlock. In most cases, you will want to investigate before unlocking all locked-out accounts. If you do not want to unlock all locked-out accounts, use the -Confirm switch to be prompted before each account is unlocked.

If I do not want to unlock all users, I use the -Confirm parameter of the Unlock-ADAccount cmdlet. As an example, I first check to see which users are locked out by using the Search-ADAccount cmdlet, but I do not want to see everything, only their names. Next, I pipe the locked-out users to the Unlock-ADAccount cmdlet with the -Confirm parameter. I am then prompted for each of the three locked-out users. I choose to unlock the first and third users, but not the second user. I then use the Search-ADAccount cmdlet one last time to ensure that the second user is still locked out. The following figure illustrates this technique.

Image of technique illustrated
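The find, investigate, unlock-with-confirmation, verify sequence above, written out as a reusable script. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module is installed and the caller has rights to read and unlock the accounts, and the function names, the $Exclude list and the sample account names are mine.

```powershell
# Added example; it is not code from the original post. It assumes the RSAT
# ActiveDirectory module is installed and that the caller can read and unlock
# the accounts. Function names and the $Exclude list are my own.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    param(
        # DC to query. badPwdCount and lastBadPasswordAttempt are not replicated,
        # so the PDC emulator, which is notified of every bad password, is the
        # best single source for them (lockoutTime itself is replicated).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    Search-ADAccount -LockedOut -UsersOnly -Server $Server | ForEach-Object {
        # Search-ADAccount returns ADAccount objects with few attributes; fetch
        # the lockout details from the same DC so an investigator has context
        # before deciding whether to unlock.
        $u = Get-ADUser -Identity $_.SamAccountName -Server $Server `
            -Properties LockedOut, AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount
        [pscustomobject]@{
            SamAccountName         = $u.SamAccountName
            LockedOut              = $u.LockedOut
            AccountLockoutTime     = $u.AccountLockoutTime
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            BadLogonCount          = $u.BadLogonCount
        }
    }
}

function Unlock-LockedOutAccounts {
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,
        # Accounts that must never be unlocked in bulk (service or admin
        # accounts, say); filtered out here rather than relying on the
        # operator to answer "No" at the prompt.
        [string[]]$Exclude = @()
    )
    Get-LockedOutReport -Server $Server |
        Where-Object { $Exclude -notcontains $_.SamAccountName } |
        ForEach-Object {
            # -Confirm prompts once per account, as in the post; -WhatIf
            # instead reports what would be unlocked without changing anything.
            Unlock-ADAccount -Identity $_.SamAccountName -Server $Server -Confirm
        }
}

# Review first, unlock selectively, then verify (account names are constructed).
Get-LockedOutReport | Format-Table -AutoSize
Unlock-LockedOutAccounts -Exclude 'svc_backup', 'breakglass-admin'
Get-LockedOutReport | Format-Table -AutoSize
```

Querying the PDC emulator explicitly also sidesteps the empty-output problem some readers hit when Search-ADAccount is left to pick a domain controller on its own.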

CJ, that is all there is to finding and unlocking users in Active Directory by using the Microsoft ActiveDirectory module. I invite you back tomorrow when I will make a historic announcement. It is good, so check back. You will be glad you did.

 

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

  • Images help a lot. Thanks Ed!

  • Hi Ed,

    this is additional feed for our admins and servicedesk users!

    Maybe ... once upon a time ... they will throw away their GUI tools ...

    Klaus.

  • Helped me out the other day, when Cmdlet made the mistake of locking himself out in the BATCHcave :)

  • Instead of starting a powershell instance using "Run as a different user" I would suggest to use the -Credential parameter of Unlock-ADAccount:

    Unlock-ADAccount -Credential (Get-Credential myAdminUser)

  • I would suggest to use PSDrives here, to have different credentials/ domains connected. Simple example:

    PS AD:\> $Options = @{

    >> PSProvider = 'ActiveDirectory'

    >> Name = 'NWT'

    >> Root = 'nwtraders.msft'

    >> FormatType = 'canonical'

    >> Server = '192.168.0.1'

    >> Credential = (Get-Credential nwtraders\bielawb)

    >> }

    >>

    New-PsDrive @Options

    PS AD:\> Get-ADDomain | select -ExpandProperty name

    eu

    PS AD:\> cd nwt:

    PS NWT:\> Get-ADDomain | select -ExpandProperty name

    nwtraders

    Once I CD to a different folder, I'm connected to a different domain, or the same domain but with a different set of credentials. All commands from the module will follow.

    HTH! :)

  • I want to learn PS but every time I enter a command, I get an error. Ex:

    PS C:\Users\Administrator> Import-Module activedirectory

    The term 'Import-Module' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.

    At line:1 char:14

    + Import-Module  <<<< activedirectory

    I have spent hours trying to understand how to add the necessary pieces to make this work but I have come up short. I am running this on Server 2008 R2. Can anyone show me the light and give me a generous push in the right direction? I would be so appreciative to be able to start using the PS tools.

  • @Ed Price, you are welcome.

    @Klaus Schulte, one can only hope.

    @BATCHman, I am glad you found it useful.

    @Jens, that is, of course, an option. Here, I wanted to stay with the same tool I had been using, and to show there is always the possibility of using RUNAs.

    @Bartek, that is a great suggestion, and one I had not thought of using.

  • @PsGuruNot, I am sorry you have been having problems. Please refer to the TWO articles that I mention at the very beginning of this article. This article is actually the third in a series. I am copying the NOTE: from the beginning of the article. Unfortunately, the hyperlinks will be removed.

    Note   This is the third in a series of three posts about working with the ActiveDirectory module. In the first post, I discussed the RSAT tools and the Get-ADUser cmdlet. In the second post, I talked about installing the Active Directory management web service.

  • Hello all,

    This cmdlet does not work in our domain. I have a 2008 R2 AD, 3 DC's, single domain, all GC's.

    I do start PowerShell with AD (Run as Admin, elevated) and run Search-ADAccount -LockedOut locally on DC. Cmdlet runs but does not give any output, just a blank line.

    LockoutStatus.exe and Saved Query in ADUC finds all three locked out users in the domain from same DC.

    ADUC saved query:  (&(&(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))))

    Also, I tried to manually start powershell and import ad module. Same.

    Any thoughts?

    Thanks.

  • I'm also not getting any output with search-adaccount -lockedout

    Unless I add -server <domain controller>

    then I get one user listed but I'm pretty sure there are others locked out too.

    This is from within the powershell 3.0 ISE.

    Also, get-aduser -identity <username> doesn't tell you if the account is locked out or not, which is less than helpful in this situation. I assume there is a way to check if a specific user is locked out?

  • OK, seems as though just adding -server <domain controller> does work, and I do only have one locked account - the one I was expecting to see had just unlocked itself!

    Would still be nice to be able to check a specific user easily though.

  • Ed,

    The most useful part of the old EventCombMT tools for me was finding the offensive system where the user account was locked. Frequently users "forget" that they are still logged on and disconnected from a remote system, and a recent password change causes accounts to lock due to Kerb Pre-Auth failures. Is there a new tool, or some scripts that will serve a similar purpose as EventComb did? It gets rough (looking through logs) with tens of thousands of users, and hundreds of DCs.
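One built-in way to get at what the comment above asks for, as an added example that is neither the post's nor the commenter's code: the PDC emulator records Security event 4740 ("A user account was locked out") for every lockout in the domain, and its TargetDomainName field carries the caller computer name. Assumes rights to read the Security log on the PDC emulator remotely; the function name and parameters are mine.

```powershell
# Added example, not from the post or the comment above. Event 4740 on the
# PDC emulator names the computer that triggered each lockout.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$User,                                     # SamAccountName; omit for all users
        [int]$Hours = 24,                                  # how far back to look
        [string]$Server = (Get-ADDomain).PDCEmulator       # every lockout is chained to the PDC
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields rather than relying on their order.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # "Caller Computer Name" in 4740
                ReportedBy     = $Server
            }
        } |
        Where-Object { -not $User -or $_.User -eq $User }
}

# Last two days of lockouts, newest first; the CallerComputer column is the
# machine still holding the stale credential (a disconnected session, a
# mapped drive, a scheduled task) that keeps re-locking the account.
Get-LockoutSource -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```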

  • Many thanks...Can't do this kind of magic with GUI...PS rocks!

  • Hi. My challenge is that I have several domains where I need to check if user is locked out. Is it possible to create a script where I type in SamAccountName and then the script checks if user is locked out or disabled in domain A, B, C, D etc. and with a check-box to enable/unlock account? Regards Carsten

  • I removed account lockout policy from AD but some users were still getting locked out... removed domain control and domain policy and also removed from users' computers local policy. Out of hell now.