2 Simple Ways to Find All Locked User Accounts in Active Directory

Today I’m going to show you 2 simple ways to find all locked user accounts in Active Directory. When you have a large Active Directory database with hundreds or thousands of users it can be a challenge hunting down locked accounts.

These methods can also be useful in auditing and monitoring Active Directory accounts.


Do you have user accounts that repeatedly lockout? Need help tracking down the source of account lockouts? Then check out my guide to the Microsoft Account Lockout Tool. It has step by step instructions for tracking down the source of account lockouts.

Unlocking and resetting user accounts is one of the top requests the helpdesk deals with daily. It’s common for helpdesk staff to open Active Directory Users and Computers, search for the account, then go to the Account tab to see whether it is locked.

I’ll show you two methods that are 10X faster.

I have provided the steps in this article to my company’s helpdesk staff and they have been thrilled with how much faster it is to help the end users.

As a network and system administrator, I also use these methods to audit account usage. If I see an unusual number of users being locked out, then something suspicious may be going on.

Method 1: Saved Queries

Saved Queries is a feature of the Active Directory Users and Computers MMC. It lets you create and save queries that can be reused later.

1. Open Active Directory Users and Computers

2. Right-click “Saved Queries”, then select “New”, then “Query”

3. Name the Query

In this example I named it “All Locked out User Accounts”

4. Click “Define Query”

5. Select “Custom Search”

Click the “Advanced” tab

6. In the box, copy and paste the query string below

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

Then click “OK”

You will now have a saved query that can be used over and over again.

That’s how you create a saved query to find locked accounts. The query stays in the Saved Queries folder, so you can run it whenever you need to check for lockouts.

Method 2: PowerShell

Using PowerShell to find all the locked user accounts is a simple command.

1. Open PowerShell

2. From the PowerShell command line type the following command:

Search-ADAccount -LockedOut

You can see this returns the same users as my saved query.
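The saved-query LDAP filter from Method 1 matches on lockoutTime, but that attribute is not cleared when the domain’s lockout duration expires, so the saved query can list accounts that are no longer locked, while Search-ADAccount from Method 2 takes the lockout duration into account. The script below is an added example (not part of the original post) that runs the post’s filter, works out which matches are still locked, cross-checks against Search-ADAccount, and flags a burst of lockouts for the audit use case mentioned above. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read user objects; the 1-hour window and the threshold of 5 are arbitrary values chosen for the example.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# is available and the caller can read user objects in the domain.
Import-Module ActiveDirectory

# The saved-query filter from the post. lockoutTime stays set after the lockout
# duration has passed, so this can return accounts that are no longer locked.
$ldapFilter = '(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))'

# Lockout duration from the default domain policy (a fine-grained password policy
# applied to specific users or groups may override this value).
$duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration   # TimeSpan; 0 = until an admin unlocks
$now = Get-Date

$candidates = Get-ADUser -LDAPFilter $ldapFilter -Properties lockoutTime

$report = foreach ($u in $candidates) {
    # lockoutTime is a Windows FILETIME (100-ns ticks since 1601); convert to local time.
    $lockedAt = [DateTime]::FromFileTime($u.lockoutTime)
    $stillLocked = ($duration -eq [TimeSpan]::Zero) -or (($lockedAt + $duration) -gt $now)
    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LockedAt       = $lockedAt
        StillLocked    = $stillLocked
    }
}

# Active lockouts on enabled accounts are the ones the helpdesk actually needs to act on.
$active = @($report | Where-Object { $_.StillLocked -and $_.Enabled })
$active | Sort-Object LockedAt -Descending | Format-Table -AutoSize

# Cross-check against Method 2: Search-ADAccount applies the lockout duration itself.
$viaCmdlet = @((Search-ADAccount -LockedOut -UsersOnly).SamAccountName)
$diff = Compare-Object -ReferenceObject @($active.SamAccountName) -DifferenceObject $viaCmdlet
if ($diff) {
    Write-Warning 'Saved-query filter and Search-ADAccount disagree (fine-grained policy or stale lockoutTime?)'
    $diff
}

# Audit check: many lockouts in a short window is the "something suspicious" the post describes.
# Window (1 hour) and threshold (5) are arbitrary example values; tune them for your domain.
$recent = @($active | Where-Object { $_.LockedAt -gt $now.AddHours(-1) })
if ($recent.Count -ge 5) {
    Write-Warning "$($recent.Count) enabled accounts were locked out in the last hour"
}
```

Accounts that an administrator unlocked by hand have lockoutTime reset to 0, so they are excluded by the filter; only expired lockouts show up as StillLocked = False.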

Both methods are great for quickly finding all the locked accounts in Active Directory. Either method will make administration more efficient and may reveal some suspicious activity in AD.

If you found this to be helpful please share this post.

If you have comments or questions let me know I’ll be happy to answer them below.


6 Comments

  1. jjMustang on October 2, 2018 at 5:41 pm

    For the PowerShell command, users may need to type

    Import-Module ActiveDirectory

    before the search-adaccount command will work.

    • Robert Allen on January 5, 2019 at 9:51 pm

      If you have PowerShell V5 or later you shouldn’t need to use the import module command. When you run PowerShell it should load any modules that you have installed.

  2. Dewey on February 27, 2019 at 3:12 pm

    So you have the locked out account, but the user already came to you advising you of the same. I found this post searching, hoping to find the cause of the lockout. I’ve run Lockoutstatus.exe from Microsoft and we already reset the user’s account (he will most likely be back tomorrow). I see nothing from the PowerShell results or the Microsoft result showing the root cause of the lockout(s). Microsoft gave me a list of our DCs which is nice but not useful in this case. Ideas?

  3. Joey on March 6, 2019 at 1:04 am

    Is there a way to get rid of the disabled users in the search?

    • Robert Allen on March 15, 2019 at 8:33 pm

      Joey, yes, you can filter to show only locked-out users that are enabled. This should do it.

      Search-ADAccount -lockedout | where-object {$_.enabled -eq 'True'}
