Active Directory

Search Active Directory for Locked-Out User Accounts with PowerShell

How do I search Active Directory for locked-out accounts using PowerShell?

Most organizations set Active Directory Account Lockout Policy to a maximum number of three to five logon attempts. Once the threshold has been exceeded, users either need to call the helpdesk to have their account unlocked, or wait 30 minutes for the account to be unlocked automatically. While it’s a necessary best practice to defend against brute force password attacks on Active Directory, account lockout policy sometimes leads users to accidentally lock themselves out, generating extra work for the help desk.

It can be useful to search Active Directory for locked-out accounts, maybe to investigate potential security issues or preempt a helpdesk call. The easiest way to run a search is from the command line using PowerShell.

Search Active Directory for Locked-Out Accounts

If you’ve never worked with PowerShell before, the Search-ADAccount cmdlet is a good place to begin. The cmdlet is quite simple and can be useful when you need to generate reports.

  • Log on to Windows Server 2012 with a user that has permission to enumerate Active Directory accounts.
  • Open PowerShell by clicking the blue PowerShell icon on the desktop Taskbar.
  • Type Search-ADAccount -LockedOut and press Enter.

Searching AD using PowerShell 3.0


If there are any locked-out accounts in your Active Directory domain, the results should now be listed in the PowerShell window.

Before you can run PowerShell Active Directory cmdlets on Windows Server 2008 (or 2008 R2), you have to import the Active Directory PowerShell module. To import the module, type Import-Module ActiveDirectory and press Enter in the PowerShell window. On Windows Server 2012 the module is imported automatically the first time you run an Active Directory cmdlet.

Unlock Locked-Out Active Directory Accounts

You can also unlock every account that Search-ADAccount returns by piping its results to the Unlock-ADAccount cmdlet, as shown below.

  • Type Search-ADAccount -LockedOut in the PowerShell window to see if you have any locked-out accounts in your Active Directory domain. To demonstrate the command below, you’ll need at least one locked-out account.
  • Type the following command: Search-ADAccount -LockedOut | Unlock-ADAccount
  • Now run Search-ADAccount -LockedOut again without the Unlock-ADAccount cmdlet. It should return no results.
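The two procedures above, combined into a reusable script as an added example (this is not code from the original article). It assumes the ActiveDirectory module is installed and the running account can read and unlock the accounts in scope; the function names Get-LockedOutAccountReport and Unlock-ApprovedAccount are mine. Unlike the blanket pipe to Unlock-ADAccount, it reports lockouts with triage context first and unlocks only accounts you name, with -WhatIf support.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# (RSAT) is installed and the current user can read and unlock the accounts in scope.
Import-Module ActiveDirectory

function Get-LockedOutAccountReport {
    [CmdletBinding()]
    param(
        # Optional OU distinguished name to narrow the search; default is the whole domain.
        [string]$SearchBase
    )
    $search = @{ LockedOut = $true; UsersOnly = $true }
    if ($SearchBase) { $search.SearchBase = $SearchBase }

    # Default-domain lockout duration, used to estimate when auto-unlock will occur.
    # Caveat: a fine-grained password policy applied to the user can override this value.
    $lockoutDuration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration

    # BadLogonCount and LastBadPasswordAttempt are not replicated between DCs;
    # the values shown are those held by the domain controller that answered.
    Search-ADAccount @search |
        Get-ADUser -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount, LastLogonDate |
        Select-Object SamAccountName, Enabled, AccountLockoutTime,
            @{ Name = 'AutoUnlockAt'; Expression = {
                if ($lockoutDuration -eq [TimeSpan]::Zero) { 'manual unlock only' }
                elseif ($_.AccountLockoutTime) { $_.AccountLockoutTime + $lockoutDuration } } },
            BadLogonCount, LastBadPasswordAttempt, LastLogonDate |
        Sort-Object AccountLockoutTime -Descending
}

function Unlock-ApprovedAccount {
    # Unlock only the named accounts, and only if they are actually locked out.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$SamAccountName
    )
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties LockedOut
        if (-not $user.LockedOut) {
            Write-Verbose "$name is not locked out; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Unlock-ADAccount')) {
            Unlock-ADAccount -Identity $user
            Write-Verbose "Unlocked $name"
        }
    }
}

# Usage: review the report, then unlock only accounts verified with the user.
Get-LockedOutAccountReport | Format-Table -AutoSize
# Unlock-ApprovedAccount -SamAccountName 'jdoe' -WhatIf   # 'jdoe' is a placeholder
```

A cluster of accounts locked out within the same few minutes, or an account whose LastBadPasswordAttempt falls outside the user's working hours, is worth checking against the domain controllers' security logs before unlocking.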


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
