Use PowerShell to Find Locked-Out User Accounts

re: Use PowerShell to Find Locked-Out User Accounts

Paul Parker — Thu, 27 Dec 2012 16:03:12 GMT

Ed,

The most useful part of the old EventCombMT tools for me was finding the offensive system where the user account was locked. Frequently users "forget" that they are still logged on and disconnected from a remote system, and a recent password change causes accounts to lock due to Kerb Pre-Auth failures. Is there a new tool, or some scripts that will serve a similar purpose as EventComb did? It gets rough (looking through logs) with tens of thousands of users, and hundreds of DCs.

re: Use PowerShell to Find Locked-Out User Accounts

robincm2 — Fri, 30 Nov 2012 14:14:34 GMT

OK, seems as though just adding -server <domain controller> does work, and I do only have one locked account - the one I was expecting to see had just unlocked itself!

Would still be nice to be able to check a specific user easily though.

re: Use PowerShell to Find Locked-Out User Accounts

robincm2 — Fri, 30 Nov 2012 13:58:05 GMT

I'm also not getting any output with search-adaccount -lockedout

Unless I add -server <domain controller>

then I get one user listed but I'm pretty sure there are others locked out too.

This is from within the powershell 3.0 ISE.

Also, get-aduser -identity <username> doesn;t tell you if the account is locked out or not, which is less than helpful in this situation. I assume there is a way to check if a specific user is locked out?

re: Use PowerShell to Find Locked-Out User Accounts

Lefty — Fri, 31 Aug 2012 09:00:07 GMT

Hello all,

This cmdlet does not work in our domain. I have a 2008 R2 AD, 3 DC's, single domain, all GC's.

I do start PowerShell with AD (Run as Admin, elevated) and run Search-ADAccount locally on DC.

LockedOut. Cmdlet runs but does not give any output, just a blank line.

LockoutStatus.exe and Saved Query in ADUC finds all three locked out users in the domain from same DC.

ADUC saved query: (&(&(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))))

Also, I tried to manually start powershell and import ad module. Same.

Any thoughts?

Thanks.

re: Use PowerShell to Find Locked-Out User Accounts

Ed Wilson — Fri, 02 Sep 2011 16:46:40 GMT

@PsGuruNot, I am sorry you have been having problems. Please refer to the TWO articles that I mention at the very beginning of this article. This article is actually the third in a series. I am copying the NOTE: from the beginning of the article. Unfortunately, the hyperlinks will be removed.

Note This is the third in a series of three posts about working with the ActiveDirectory module. In the first post, I discussed the RSAT tools and the Get-ADUser cmdlet. In the second post, I talked about installing the Active Directory management web service.

re: Use PowerShell to Find Locked-Out User Accounts

Ed Wilson — Fri, 02 Sep 2011 16:44:42 GMT

@Ed Price, you are welcome.

@Klaus Schulte, one can only hope.

@BATCHman, I am glad you found it useful.

@Jens, that is, of course, an option. Here, I wanted to stay with the same tool I had been using, and to show there is always the possibility of using RUNAs.

@Bartek, that is a great suggestion, and one I had not thought of using.

re: Use PowerShell to Find Locked-Out User Accounts

PSguruNot — Fri, 02 Sep 2011 14:30:25 GMT

I want to learn PS but every time I enter a command, I get an error. Ex:

PS C:\Users\Administrator> Import-Module activedirectory

The term 'Import-Module' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.

At line:1 char:14

+ Import-Module <<<< activedirectory

I have spent hours trying to understand how to add the necessary pieces to make this work but I have come up short. I am running this on Server2008 R2. Can anyone show me the light and give me a generous push in the right direction. I would be so appreciative to be able to start using the PS tools.

re: Use PowerShell to Find Locked-Out User Accounts

Bartek Bielawski — Fri, 02 Sep 2011 09:59:32 GMT

I would suggest to use PSDrives here, to have different credentials/ domains connected. Simple exampe:

PS AD:\> $Options = @{

>> PSProvider = 'ActiveDirectory'

>> Name = 'NWT'

>> Root = 'nwtraders.msft'

>> FormatType = 'canonical'

>> Server = '192.168.0.1'

>> Credential = (Get-Credential nwtraders\bielawb)

>> }

New-PsDrive @Options

PS AD:\> Get-ADDomain | select -ExpandProperty name

PS AD:\> cd nwt:

PS NWT:\> Get-ADDomain | select -ExpandProperty name

nwtraders

Once I CD to different folder - I'm connected to different domain, or the same domain, but with a different set of credentials. All command from module will follow.

HTH! :)

re: Use PowerShell to Find Locked-Out User Accounts

Jens Gyldenkærne Clausen — Thu, 01 Sep 2011 13:41:43 GMT

Instead of starting a powershell instance using "Run as a different user" I would suggest to use the -Credential parameter of Unlock-ADAccount:

Unlock-ADAccount -Credential (Get-Credential myAdminUser)

re: Use PowerShell to Find Locked-Out User Accounts

BATCHman — Wed, 31 Aug 2011 18:09:15 GMT

Helped me out the other day, when Cmdlet made the mistake of locking himself out in the BATCHcave :)