Find Locked Accounts in Active Directory (2 Options)

In this guide, you will learn how to check if an AD account is locked out using PowerShell and the AD Pro Toolkit.

Unlocking and resetting user accounts is one of the top requests the helpdesk deals with daily. It’s common for helpdesk staff to open Active Directory Users and Computers, search for the user, and then go to the Account tab to see if the account is locked. I’ll show you two methods that are much faster.

Option #1 PowerShell Get Locked Accounts

In this example, I’ll use the Search-ADAccount cmdlet to find locked accounts in Active Directory.

  1. Open PowerShell:

    Copy and paste the command below:

    Search-ADAccount -LockedOut
  2. Review Locked Accounts:

    If any accounts are locked they will be displayed in the console.

  3. Export Locked Users:

    To export all locked accounts to a CSV file, use this command (the -NoTypeInformation switch keeps the "#TYPE" header line out of the file):

    Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, DistinguishedName | Export-Csv "C:\temp\locked-users.csv" -NoTypeInformation
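Going a step beyond the two commands above, here is an added PowerShell example (not from the original post) that keeps only enabled locked-out users, adds the raw lockoutTime and badPasswordTime attributes, sorts by LastLogonDate and exports the result. It assumes the ActiveDirectory module is installed and that C:\temp is writable.

```powershell
# Added example, not from the original post: locked-out users that are still enabled,
# with the raw lockout attributes, sorted by LastLogonDate and exported to CSV.
# Assumes the ActiveDirectory module is installed and the CSV path is writable.
Import-Module ActiveDirectory

# Convert an AD FILETIME (Int64) to a DateTime; 0 or empty means "never".
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value) { [DateTime]::FromFileTime($Value) } else { $null }
}

$locked = Search-ADAccount -LockedOut -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        # Search-ADAccount returns only a few attributes; fetch the lockout details per user
        Get-ADUser -Identity $_.DistinguishedName -Properties LockedOut, LastLogonDate, lockoutTime, badPasswordTime, badPwdCount
    } |
    Select-Object Name, SamAccountName, LockedOut, LastLogonDate,
        @{ Name = 'LockoutTime';     Expression = { ConvertFrom-FileTime $_.lockoutTime } },
        @{ Name = 'BadPasswordTime'; Expression = { ConvertFrom-FileTime $_.badPasswordTime } },
        BadPwdCount |
    Sort-Object LastLogonDate -Descending

# LockedOut is the module's computed flag; lockoutTime is the raw timestamp and can stay
# non-zero after the lockout duration has expired, so both are reported side by side.
$locked | Format-Table -AutoSize
$locked | Export-Csv -Path 'C:\temp\locked-users.csv' -NoTypeInformation -Encoding UTF8
```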

Option #2 AD Pro Toolkit

In this example, I’ll use the AD Password Reset Tool that is included with the AD Pro Toolkit. This tool can easily display all locked users and reset user accounts.

Step 1. Open the Password & Unlock Tool

Click the “Check for Locked Users” button.

Step 2. To unlock an account, right-click it and select Unlock.

Step 3. Password Reset

To reset the account, enter the username and select the reset options.

How to Check if an Account is Locked using ADUC

To check if an account is locked out using ADUC follow these steps:

  1. Open ADUC
  2. Open the user account you want to check
  3. Click the Account tab
  4. Check for the status “Unlock account. This account is currently locked out on this Active Directory Domain Controller”.

You can also use PowerShell to check the LockedOut status of an account.

If the account is locked, the LockedOut property will display True.

Get-ADUser -Identity alvin.andes -Properties LockedOut | Select-Object Name, LockedOut

Another option is to use the Locked Users report from the AD Pro Toolkit.

This report shows additional details such as the lockoutTime and badPasswordTime attributes.

Find Where an Account is Being Locked Out From

The source of account lockouts is logged on the domain controllers, but it can be difficult and time-consuming to search those logs manually. I added an option to the AD Pro Toolkit that searches the logs and displays the events related to bad authentication attempts and lockouts.

Select “Lockout Troubleshooter” and click Run.

This will display lockout event ID 4740 (account locked out) and event ID 4771 (Kerberos pre-authentication failure). You can see in the screenshot below that the user “Cindy.Gunn” locked the account from PC2.

This does require permission to read the event logs on your domain controllers. You can delegate this to helpdesk staff by adding them to the Event Log Readers group on the domain controllers. Auditing also needs to be turned on, or the events will not be logged in the first place.
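As an added example that is not the toolkit’s own code, the following script does the same search directly with Get-WinEvent: it reads event IDs 4740 and 4771 from each domain controller’s Security log and lists the source computer or IP address for one user. The $User default, the $Hours window and the per-DC loop are assumptions; the Event Log Readers membership and auditing requirements are the same as for the toolkit.

```powershell
# Added example, not the AD Pro Toolkit's code: read lockout (4740) and Kerberos
# pre-authentication failure (4771) events from every domain controller's Security log
# for one user and show where each came from. Needs Event Log Readers membership on the
# DCs and lockout/Kerberos auditing enabled. $User and $Hours are assumed inputs.
param(
    [string]$User  = 'Cindy.Gunn',   # user named in the post's screenshot
    [int]$Hours    = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4771; StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that is not a failure here
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
    }
}

$events | ForEach-Object {
    # Read EventData fields by name from the event XML rather than by position
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $User) { return }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        DC     = $_.MachineName
        Id     = $_.Id
        User   = $data['TargetUserName']
        # 4740 stores the caller computer name in TargetDomainName; 4771 stores the client IP
        Source = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
        Status = $data['Status']   # 4771 only; 0x18 means bad password
    }
} | Sort-Object Time
```

Pipe the output to Export-Csv if you want to keep the evidence alongside the CSV of locked users from the first option.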

You can download a free trial of the user unlock tool and try it in your domain.

If you need help with turning on the audit logs check out the administrator guide for the tool.

Summary

In this guide, I showed you two options for finding locked user accounts in Active Directory. The PowerShell Search-ADAccount cmdlet is a very easy way to display all the locked users in your domain. If you want an alternative to PowerShell with more options, check out the AD Pro Toolkit. The GUI toolkit is very user friendly and requires no PowerShell experience.

If you have comments or questions let me know I’ll be happy to answer them below.

Related: Find User accounts with passwords set to never expire

14 thoughts on “Find Locked Accounts in Active Directory (2 Options)”

  1. Hi Robert,

    Looking at the script above (AD locked user) I want the result to show me only the NON DISABLED accounts for which (Search-ADAccount -lockedout | where-object {$_.enabled -eq 'True'}) works but I also want to sort the result by date – i.e. Last Logon Date.

    Much appreciated

    Reply
  2. Seems the AD Query method can also show accounts that aren’t actually locked.
    I suspect it’s when an account is locked out, and it then unlocks itself due to the lockout period policy being reached.
    It seems the lockouttime flag is still greater than one in this instance, despite the user account not being locked.

    You can clear and remove these from the query view by ticking the “Unlock Account” option in the user properties, even though the account isn’t locked. This seems to then put that flag back to 0.

    Reply
    • Hi Carl,

      I’m also experiencing some inaccurate results with the LDAP query. I would stick to using PowerShell for this, it seems more accurate and is easier to use in my opinion.

      Reply
  3. I added that query to our AD, and it gives a user list. Then I open a user account in the ALL Locked User Accounts folder but it does not show that the user is locked.

    Reply
    • Joey, yes you can filter and just show locked users for enabled users. This should do it.

      Search-ADAccount -lockedout | where-object {$_.enabled -eq 'True'}

      Reply
  4. So you have the locked out account, but the user already came to you advising you of the same. I found this post hoping to find the cause of the lockout. I’ve run Lockoutstatus.exe from Microsoft and we already reset the user’s account (he will most likely be back tomorrow). I see nothing from the PowerShell results or the Microsoft result showing the root cause of the lockout(s). Microsoft gave me a list of our DCs which is nice but not useful in this case. Ideas?

    Reply
  5. For the PowerShell command, users may need to type

    Import-Module ActiveDirectory

    before the search-adaccount command will work.

    Reply
    • If you have PowerShell V5 or later you shouldn’t need to use the import module command. When you run PowerShell it should load any modules that you have installed.

      Reply