In this post, we will look at the Microsoft account lockout tool and the lockout and management tool from the AD Pro Toolkit.
Both tools can be used to quickly get the lockout status of Active Directory user accounts. In addition, these tools are used to unlock accounts, reset passwords, and filter the logs for the lockout event ID.
What is a Lockout Status Tool?
An AD lockout tool is used to check whether an Active Directory user account is locked out. These tools are faster and easier to use than the built-in Microsoft tools. They also include additional features such as password reset, unlocking accounts, and troubleshooting.
For example, the screenshot below is from the AD Pro Toolkit; with a single click it quickly displays all locked user accounts.
AD account lockouts are one of the top support calls helpdesk staff deal with on a day-to-day basis. The built-in Microsoft tools do not provide a quick and easy way to check the status of user accounts. When a user calls and says they are locked out, you need the right tools to quickly check the user status and resolve their issues.
Tools such as the Microsoft Account Lockout Status (LockoutStatus.exe) are often used in favor of the built-in tools. Below are additional features of an AD lockout tool.
- Bad Password Count – Displays the bad password count for the user. Each time a user enters an incorrect password, this counter increases.
- Lockout Time – Displays the date and time the account was locked out.
- Last Bad Pwd – The date and time of the last bad password for the account.
- Lockout DC or Orig Lock – Lockouts occur on specific domain controllers; this displays which DC the lockout occurred on.
- All locked users – Displays all locked domain user accounts.
- Source of the account lockout – Gets the event logs from the domain controller to help troubleshoot the source of an account lockout.
Now let’s dive in and see how to use these tools.
Microsoft Account Lockout Tool
Below I’ll walk you through the requirements and show you how to use the Microsoft Account Lockout Tool.
Step 1. Requirements
The following requirements must be set or the AD lockout tool will fail to run properly.
- An audit policy must be set on all computers and domain controllers; details are below. I recommend using group policy to manage the audit policy on all the computers.
- You need to have the account lockout policy configured so accounts will be locked out after a set number of failed logon attempts.
- You must have permission to view the security logs on the domain controllers and computers.
Step 2. Configure the Audit Policy with Group Policy
For the domain controllers, configure the audit policy settings in the Default Domain Controllers Policy.
For the computers, you can set this in the Default Domain Policy.
See my Group Policy Best Practices guide for tips on the default domain policy.
- In the Group Policy Management Console, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
- Enable "Audit account logon events" and "Audit logon events", and enable both success and failure for each.
What is the difference between the two policy settings?
Audit account logon events: For domain accounts, this policy will capture logon/logoff events on the domain controller. So when you log into the domain the events will get logged on the domain controller.
Audit logon events: This policy will capture logon/logoff events at the workstation.
Step 3. Download and Install the Account Lockout Tool
The install just extracts the contents to a folder of your choice.
1. Download the Microsoft Account Lockout and Management Tools here
2. Accept the End User License
3. Type the location where you want the tools extracted and click “OK”.
Once the file is extracted you should have a list of files like below. The download contains several files and tools; for this article I’ll focus on the LockoutStatus tool.
Step 4. Open the Lockoutstatus.exe tool
1. Run the Lockoutstatus.exe tool.
2. Click on File > Select Target
3. In the target user name box, enter the user’s login name (also called the SAMAccountName). For example, I’ll enter robert.allen.
4. In the target domain enter your domain.
5. Click OK
You should now see the lockout status of the account you selected. In the screenshot below you can see the user state shows Locked, which means the account is locked out.
If the account is not locked the status will show “Not Locked”
To unlock the account or reset its password, right-click on the account and select the option. You can see the lockout status tool has many options, but the first two options are the most common.
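The same per-domain-controller view can be produced with PowerShell. This is an added example, not part of the original post or of either tool; it assumes the ActiveDirectory module (RSAT) is installed and uses the robert.allen account from the steps above.

```powershell
# Added example: per-DC lockout status for one account, covering the fields
# listed earlier (bad password count, last bad password, lockout time).
Import-Module ActiveDirectory

function Get-LockoutStatusPerDC {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # badPwdCount and badPasswordTime are not replicated between domain
    # controllers, so every DC has to be asked for its own copy.
    $props = 'LockedOut', 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'PasswordLastSet'

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties $props -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
            continue
        }
        # The time attributes are stored as Windows FILETIME integers; 0 means "never".
        [pscustomobject]@{
            DC          = $dc.Name
            Site        = $dc.Site
            UserState   = if ($u.LockedOut) { 'Locked' } else { 'Not Locked' }
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) }
            LockoutTime = if ($u.lockoutTime) { [datetime]::FromFileTime($u.lockoutTime) }
            PwdLastSet  = $u.PasswordLastSet
        }
    }
}

# Sort so the DC with the most recent bad password appears first; that DC
# is usually the one closest to the source of the failed logons.
Get-LockoutStatusPerDC -SamAccountName 'robert.allen' |
    Sort-Object LastBadPwd -Descending |
    Format-Table -AutoSize
```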
That is it for the Microsoft Account Lockout tool, as you can see it is pretty easy to use. Next, I’ll walk through how to use the AD Pro lockout tool.
AD Pro Toolkit Account Lockout Tool
The AD Pro Toolkit is a collection of Active Directory Management Tools. The lockout status tool makes it very easy to find all locked users, unlock, reset passwords, and troubleshoot locked out users.
To find all locked users open the password reset tool and click on “Check for Locked Users”
The tool will display the following details for any locked user.
- Lockout Time
- Password Last Set Date
To unlock the account right-click and select unlock.
To reset the account’s password select the user and select the reset options.
To troubleshoot an account click on “Lockout Troubleshooter” and click Run. This will show you where the lockout originated from. This comes in useful when you have accounts that keep locking out and you need to know what computer or device it is coming from.
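The lockout source can also be read straight from the domain controller security log. This is an added example, not code from the AD Pro Toolkit or the original post; it assumes the audit policy from Step 2 is in place, the ActiveDirectory module is installed, and you have rights to read the Security log on the PDC emulator. Event ID 4740 is the Windows "A user account was locked out" event.

```powershell
# Added example: list recent lockout events with the computer they came from.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$SamAccountName,      # optional: limit results to one account
        [int]$HoursBack = 24
    )
    # Lockouts are processed by the PDC emulator, so its Security log
    # holds a 4740 event for every lockout in the domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($SamAccountName -and $data['TargetUserName'] -ne $SamAccountName) { continue }

        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the caller computer name is carried in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
            LoggedOnDC     = $e.MachineName
        }
    }
}

# Accounts that keep locking out: group by source to find the offending device.
Get-LockoutSource -HoursBack 24 |
    Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A single account repeatedly locked from one computer usually points to a stale saved credential on that device, while many different accounts locked from the same source is worth escalating as possible password guessing.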
The AD Pro lockout status tool is much easier to use than the Microsoft account lockout tool because it doesn’t require entering an account; you simply click the run button to find all locked users.
If your job consists of supporting user accounts then you need a tool that lets you quickly check the status of an account. As I mentioned in this article the built-in Microsoft tools are not the best option for this. The Microsoft account lockout tool and the AD Pro Toolkit Lockout Status are great alternatives to getting an account lockout status. They also provide additional features that simplify user account management.