2 Simple Ways to Find All Locked User Accounts in Active Directory

Today I’m going to show you 2 simple ways to find all locked user accounts in Active Directory. When you have a large Active Directory database with hundreds or thousands of users it can be a challenge hunting down locked accounts.

These methods can also be useful in auditing and monitoring Active Directory accounts.


Do you have user accounts that repeatedly lockout? Need help tracking down the source of account lockouts? Then check out my guide to the Microsoft Account Lockout Tool. It has step by step instructions for tracking down the source of account lockouts.

Unlocking and resetting user accounts is one of the top requests the helpdesk deals with daily. The usual routine is to open Active Directory Users and Computers, search for the user, open the account's properties and check the Account tab to see whether it is locked.

I’ll show you two methods that are 10X faster.

I have provided the steps in this article to my company’s helpdesk staff and they have been thrilled with how much faster it is to help the end users.

As a network and system administrator, I also use these methods to audit account usage. If I see an unusual number of users being locked out, then something suspicious may be going on.

Method 1: Saved Queries in Active Directory Users and Computers

Saved Queries is a feature of the Active Directory Users and Computers MMC snap-in. It lets you build a query once, save it, and rerun it later from the console tree.

1. Open Active Directory Users and Computers

2. Right-click “Saved Queries”, then select “New” and then “Query”

3. Name the Query

In this example I named it “All Locked out User Accounts”

4. Click “Define Query”

5. Select “Custom Search”

Click the “Advanced” tab

6. In the box, copy and paste the query string below

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

Then click “OK”

You will now have a saved query under “Saved Queries” that you can rerun whenever you need the list of locked accounts.

One caveat with this filter: a domain controller does not write lockoutTime back to 0 when the lockout duration expires. The attribute is only cleared when an administrator unlocks the account or the user next authenticates successfully, so the query also returns accounts whose lockout has already timed out. Treat its results as “accounts that were locked at some point”, and confirm the current state on the account's Account tab (or with the PowerShell method below) before acting on them.
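Here is an added PowerShell example (not from the original post) that runs the saved query's LDAP filter through the ActiveDirectory module and, for each hit, puts the raw lockoutTime beside the domain controller's computed LockedOut state, so you can see which entries are genuinely locked and which only carry a stale lockoutTime because the lockout duration has already elapsed. It assumes the RSAT ActiveDirectory module is installed and that the default domain password policy applies to the accounts (a fine-grained password policy can give a user a different lockout duration; Get-ADUserResultantPasswordPolicy shows the effective one).

```powershell
# Added example, not code from the original post.
# Runs the saved query's LDAP filter and explains the stale hits.
Import-Module ActiveDirectory

# Same filter string as the ADUC saved query
$ldapFilter = '(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))'

# Lockout duration from the default domain password policy (assumption: no
# fine-grained password policy overrides it for the accounts returned).
$lockoutDuration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration

# A policy of "locked until an administrator unlocks" has no expiry.
# Assumption: the cmdlet reports that setting as TimeSpan.Zero or as a huge
# TimeSpan, so both are treated as "never expires" here.
$neverExpires = ($lockoutDuration -eq [TimeSpan]::Zero) -or
                ($lockoutDuration -ge [TimeSpan]::FromDays(365))

Get-ADUser -LDAPFilter $ldapFilter -Properties lockoutTime, LockedOut, Enabled |
    ForEach-Object {
        # lockoutTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC
        $lockedAt = [DateTime]::FromFileTimeUtc($_.lockoutTime)

        # Has the lockout window already elapsed? If so, the DC no longer
        # treats the account as locked even though lockoutTime is still set.
        $expired = (-not $neverExpires) -and
                   (($lockedAt + $lockoutDuration) -lt [DateTime]::UtcNow)

        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            LockedAtUtc    = $lockedAt
            # What the domain controller itself currently considers the state
            StillLocked    = $_.LockedOut
            # Why the saved query shows the row anyway
            LockoutExpired = $expired
        }
    } |
    Sort-Object LockedAtUtc -Descending |
    Format-Table -AutoSize
```

Rows with StillLocked = False and LockoutExpired = True are the "ghost" entries the saved query keeps returning; ticking “Unlock account” on such a user, or waiting for their next successful logon, resets lockoutTime to 0 and drops them from the query.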

Method 2: PowerShell

Using PowerShell, finding all the locked user accounts is a single command. The Search-ADAccount cmdlet belongs to the ActiveDirectory module, which is available on domain controllers and on any machine with the Remote Server Administration Tools (RSAT) installed.

1. Open PowerShell

2. From the PowerShell command line type the following command:

Search-ADAccount -LockedOut

This returns the accounts that are currently locked out. Unlike the LDAP query, it reports the domain controller's current view of the lockout state rather than just testing whether lockoutTime is set, so accounts whose lockout has already expired are not listed; in a domain with an automatic lockout duration this list can therefore be shorter than the saved query's.
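The one-liner is enough for the helpdesk, but an added example (not from the original post) shows how the same cmdlet turns into a small report for the audit use: it drops disabled accounts, adds when each account was locked and when it last logged on, sorts by last logon, warns when the number of simultaneous lockouts exceeds a threshold, and finishes with a check on a single user. It assumes the RSAT ActiveDirectory module is installed; the threshold value and the 'jsmith' account name are placeholders.

```powershell
# Added example, not code from the original post.
# A helpdesk/audit report built on Search-ADAccount -LockedOut.
Import-Module ActiveDirectory

# Placeholder threshold: more enabled accounts locked at the same time than
# this deserves a closer look (password spraying, a stale service credential
# retrying against a DC, and so on).
$AlertThreshold = 10

$locked = Search-ADAccount -LockedOut -UsersOnly |
    # Only enabled accounts; disabled ones cannot log on anyway
    Where-Object { $_.Enabled } |
    # Enrich with attributes Search-ADAccount does not return.
    # badPwdCount is kept per domain controller, not replicated, so the value
    # is whatever the DC answering this query has seen.
    Get-ADUser -Properties lockoutTime, LastLogonDate, badPwdCount |
    Select-Object SamAccountName,
        @{ Name = 'LockedAtUtc'
           Expression = { [DateTime]::FromFileTimeUtc($_.lockoutTime) } },
        LastLogonDate,
        badPwdCount |
    Sort-Object LastLogonDate -Descending

$locked | Format-Table -AutoSize

# Audit check: an unusual number of lockouts is worth investigating before
# anyone starts unlocking accounts in bulk.
$count = @($locked).Count
if ($count -gt $AlertThreshold) {
    Write-Warning "$count enabled accounts are currently locked out (threshold $AlertThreshold); investigate the cause first."
}

# Check one specific account instead of the whole domain ('jsmith' is a placeholder).
Get-ADUser -Identity 'jsmith' -Properties LockedOut, lockoutTime, badPwdCount |
    Select-Object SamAccountName, LockedOut, badPwdCount,
        @{ Name = 'LockedAtUtc'
           Expression = {
               # lockoutTime is 0 or absent on an account that was never locked
               if ($_.lockoutTime) { [DateTime]::FromFileTimeUtc($_.lockoutTime) }
           } }
```

The LockedOut property on the single-account check is the same computed state Search-ADAccount relies on, so it is the value to trust when a user insists they are locked but the saved query and the cmdlet disagree.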

Both methods are a quick way to find every locked account in Active Directory. Either will make day-to-day administration more efficient, and a sudden jump in the number of locked accounts is often the first sign of something suspicious in the domain.

If you found this to be helpful please share this post.

If you have comments or questions let me know I’ll be happy to answer them below.


14 Comments

  1. jjMustang on October 2, 2018 at 5:41 pm

    For the PowerShell command, users may need to type

    Import-Module ActiveDirectory

    before the search-adaccount command will work.

    • Robert Allen on January 5, 2019 at 9:51 pm

      If you have PowerShell V5 or later you shouldn’t need to use the import module command. When you run PowerShell it should load any modules that you have installed.

  2. kevin on February 26, 2019 at 3:30 pm

    What would be the command to omit disabled accounts, I tried to add (Enabled=1), didn’t like that very much.

  3. Dewey on February 27, 2019 at 3:12 pm

    So you have the locked out account, but the user already came to you advising you of the same. I found this post while searching, hoping to find the cause of the lockout. I've run Lockoutstatus.exe from Microsoft and we already reset the user's account (he will most likely be back tomorrow). I see nothing in the PowerShell results or the Microsoft result showing the root cause of the lockout(s). Microsoft gave me a list of our DCs which is nice but not useful in this case. Ideas?

  4. Joey on March 6, 2019 at 1:04 am

    Is there a way to get rid of the disabled users in the search?

    • Robert Allen on March 15, 2019 at 8:33 pm

      Joey, yes you can filter and just show locked users for enabled users. This should do it.

      Search-ADAccount -LockedOut | Where-Object { $_.Enabled -eq $true }

  5. Riyajuddin on April 28, 2020 at 5:16 pm

    Sir new id user locked

  6. Isuru on May 25, 2020 at 6:12 am

    I added that query to our AD and it gives a user list. Then I open a user account in the ALL Locked User Accounts folder, but it does not show that the user is locked.

    • Robert Allen on January 2, 2021 at 4:12 pm

      I have noticed the query is inaccurate on 2012 and newer domain controllers. I would use PowerShell instead.

  7. Gerard Vecchio on June 22, 2020 at 6:09 pm

    Is there a way to just search for one specific user?

  8. Carl on July 9, 2020 at 11:48 am

    Seems the AD Query method can also show accounts that aren’t actually locked.
    I suspect it’s when an account is locked out, and it then unlocks itself due to the lockout period policy being reached.
    It seems the lockouttime flag is still greater than one in this instance, despite the user account not being locked.

    You can clear and remove these from the query view by ticking the “Unlock Account” option in the user properties, even though the account isn’t locked. This seems to then put that flag back to 0.

    • Robert Allen on September 20, 2020 at 1:45 pm

      Hi Carl,

      I’m also experiencing some inaccurate results with the LDAP query. I would stick to using PowerShell for this, it seems more accurate and is easier to use in my opinion.

  9. Micky on October 24, 2020 at 4:04 am

    Hi Robert,

    Looking at the script above (AD locked user), I want the result to show me only the NON-DISABLED accounts, for which (Search-ADAccount -LockedOut | Where-Object {$_.Enabled -eq 'True'}) works, but I also want to sort the result by date, i.e. Last Log On Date.

    Much appreciated
