How to Find Locked Out Accounts in Active Directory in 3+ Ways
During a routine AD audit, admins often get stuck on one question: how to find the locked-out accounts in the Active Directory environment. Knowing when, and how often, users are being denied logon helps the admin plan further investigation and remediation.
Moreover, they might need to make a list for reporting purposes. However, getting that data is easier said than done, not to mention the extra time spent unlocking the accounts afterwards. Not to worry: in this write-up we give clear-cut instructions for identifying every user who can't get into their AD account. Let's start with the most straightforward method, which uses the cmd interface.
Find Which User Account Keeps Getting Locked Out of Active Directory with Command Line Queries
Two native options are the command line and PowerShell, both available to an administrator for checking user account status. Here is the command-line query that lists the accounts in the domain.
net user /domain
This lists every user account in the domain.
Then, one user name at a time, substitute it for the placeholder in the query below to check whether that AD account is locked out. The /domain switch makes net user ask a domain controller instead of the local SAM database, so without it a domain account shows as not found.
net user <UserName> /domain | findstr /i /c:"Account active"
It can show one of three outputs:
- Yes
- No
- Locked
If it shows locked, then you have the right account.
An alternative is dsquery, piped into dsget to print the useful attributes:
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))" -limit 0 | dsget user -upn -samid -dn
This returns every user whose lockoutTime attribute is non-zero. Note that this includes accounts whose lockout has already expired under the domain's lockout duration, because lockoutTime is only reset to 0 by a successful logon or an administrative unlock; the ADUC section below discusses this caveat. You can adjust the filter to add a particular time frame or to list all users instead. As discussed previously, PowerShell can also be used in this scenario.
How to Find Locked Out Accounts in Active Directory with PowerShell
Use the following scripts. Beware, direct copy-pasting may not work as intended. If the Active Directory PowerShell module (part of RSAT) is already installed, jump directly to the PowerShell command (part 2). Otherwise install it first with the commands below. Install-WindowsFeature applies to Windows Server; on a Windows 10/11 workstation the module ships as the RSAT optional feature, installed through Settings or Add-WindowsCapability. Then import the ActiveDirectory module into the session.
Part 1: Loading the PowerShell Module
Install-WindowsFeature RSAT-AD-PowerShell
Get-WindowsFeature -Name RSAT-AD-PowerShell
Part 2: Using the PowerShell Command
Search-ADAccount -LockedOut | FT Name, DistinguishedName, LockedOut
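The following script is an added example and not part of the original article. It builds on the Search-ADAccount command above to produce a report that includes the lockout timestamp and the bad-password counters from each domain controller, which is what a reporting spreadsheet usually needs. It assumes the ActiveDirectory RSAT module, a domain-joined session with read access to user objects, and a placeholder output path C:\Temp\LockedOutAccounts.csv; the bulk unlock at the end is commented out so the script changes nothing by default.

```powershell
# Added example (not the article's own code). Assumes the ActiveDirectory module,
# a domain-joined session with read access to user objects, and a placeholder
# output path. Nothing is modified unless the Unlock line is uncommented.
Import-Module ActiveDirectory

$reportPath = 'C:\Temp\LockedOutAccounts.csv'   # placeholder, adjust as needed

# Search-ADAccount -LockedOut relies on the DC-computed LockedOut flag, so it
# omits lockouts that have already expired under the domain's lockout duration
# (a raw lockoutTime>=1 LDAP filter would still list those).
$locked = Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties AccountLockoutTime, LockedOut, Enabled

# badPwdCount and lastBadPasswordAttempt are NOT replicated between DCs, so we
# ask every DC; the PDC emulator normally holds the highest count because
# failed logons are chained to it.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$rows = foreach ($u in $locked) {
    $perDc = foreach ($dc in $dcs) {
        $x = Get-ADUser -Identity $u.DistinguishedName -Server $dc `
                        -Properties BadPwdCount, LastBadPasswordAttempt -ErrorAction SilentlyContinue
        if ($x) {
            [pscustomobject]@{ DC = $dc; Bad = $x.BadPwdCount; Last = $x.LastBadPasswordAttempt }
        }
    }
    $worst = $perDc | Sort-Object Bad -Descending | Select-Object -First 1
    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        Name                   = $u.Name
        Enabled                = $u.Enabled
        AccountLockoutTime     = $u.AccountLockoutTime   # replicated lockoutTime, as DateTime
        HighestBadPwdCount     = $worst.Bad
        LastBadPasswordAttempt = $worst.Last
        ReportingDC            = $worst.DC
        DistinguishedName      = $u.DistinguishedName
    }
}

$rows | Sort-Object AccountLockoutTime -Descending |
    Format-Table SamAccountName, Enabled, AccountLockoutTime, HighestBadPwdCount, ReportingDC -AutoSize
$rows | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8

# After review, unlock in bulk (deliberately commented out):
# $rows | ForEach-Object { Unlock-ADAccount -Identity $_.DistinguishedName }
```

Run it from an elevated PowerShell session on a domain-joined machine. The per-DC loop is what makes the report useful for root-causing: the DC with the highest count is the one that saw the failed attempts, and its LastBadPasswordAttempt tells you when they stopped.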
Despite the promise of fast results, admins rarely get them from scripts straight away, because they first have to spend time understanding and adapting them to their requirements.
Scripts like this one also produce raw output that cannot be dropped into a professional report as-is, and running scripts collected from outside sources against the AD always raises a question mark. So let's see how a native GUI console covers some of these points.
Look and View Inaccessible Accounts in Active Directory with ADUC
An easy scriptless way to check for locked users is available inside the Active Directory Users and Computers (ADUC) console:
- In ADUC go to the Users Container.
- Select the User from whom you received the locked-out complaint.
- Open the Account Tab
There you see the Unlock account checkbox. If it carries the additional text "Unlock account. This account is currently locked out on this Active Directory Domain Controller", the user is locked out and cannot log on until the account is unlocked or the lockout duration expires.
You can also do the following:
Click Filter icon > Create custom filter > Customize > Advanced > Paste (&(objectClass=user)(lockoutTime>=1)) > OK > OK
This will make it easier for you to find locked users in the domain as every other object is hidden. You can export the results via the inbuilt button on the toolbar.
However, many admins have found that this LDAP filter gives misleading results. The lockoutTime attribute is only reset to 0 when the user next logs on successfully or an administrator unlocks the account; a lockout that has simply expired under the domain's lockout duration keeps its old non-zero value. So the filter also shows expired lockouts as if they were active, reducing the accuracy of the list. The LockedOut property shown by the PowerShell cmdlets above does not have this problem, because the domain controller computes it with the lockout duration taken into account.
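To make the difference concrete, here is an added example (not from the original article) that runs the same lockoutTime>=1 filter from PowerShell, converts each lockoutTime to a date, and marks which hits have already expired under the domain lockout duration, alongside the DC-computed LockedOut flag. It assumes the ActiveDirectory module and domain read access; the handling of a "locked until an administrator unlocks it" policy (treated here as a non-positive or absurdly large duration) is an assumption about how the cmdlet renders that value.

```powershell
# Added example (not the article's own code). Shows why a raw lockoutTime filter
# over-reports. Assumes the ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Lockout duration from the default domain policy. Fine-grained password
# policies can override it per user (see Get-ADUserResultantPasswordPolicy).
$policy   = Get-ADDefaultDomainPasswordPolicy
$duration = $policy.LockoutDuration   # TimeSpan

# Assumption: a policy of "locked until an administrator unlocks" shows up as a
# non-positive or huge TimeSpan; in that case no lockout ever expires on its own.
$neverExpires = ($duration.Ticks -le 0) -or ($duration.TotalDays -gt 36500)

# Same filter ADUC, ADAC and dsquery use: every account whose lockoutTime was
# set and has not since been reset by a successful logon or an admin unlock.
$candidates = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))' `
                         -Properties lockoutTime, LockedOut

$now  = Get-Date
$rows = foreach ($u in $candidates) {
    # lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01, UTC)
    $lockedAt = [DateTime]::FromFileTime($u.lockoutTime)
    $expired  = (-not $neverExpires) -and (($now - $lockedAt) -gt $duration)
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        LockedAt         = $lockedAt
        StillLockedPerDC = $u.LockedOut    # computed by the DC, honours the duration
        ExpiredByPolicy  = $expired        # our own arithmetic, for comparison
        StaleFilterHit   = ($expired -and -not $u.LockedOut)
    }
}

"Lockout duration: $duration (never expires: $neverExpires)"
$rows | Sort-Object LockedAt -Descending | Format-Table -AutoSize

# Only these are the accounts the raw LDAP filter would have mis-reported:
$rows | Where-Object StaleFilterHit | Select-Object SamAccountName, LockedAt
```

Any row where ExpiredByPolicy is true but StillLockedPerDC is false is an account the GUI filter shows as locked although the user can already log on again; those are the false positives the paragraph above describes.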
Some other limitations of relying solely on ADUC are:
- Admins have to find their way through the often confusing and cumbersome ADUC interface. This takes up much time even for a trivial task like locked user identification.
- Another risk for inexperienced admins is making unwarranted changes while browsing, such as setting an account expiry date or disabling the user, since those controls sit on the same tabs.
- Moreover, if you do not have prior information on locked-out status, you may have to repeat the search for each and every user on the Active Directory.
- Not to mention that ADUC's Export List only dumps the columns visible in the current view, so there is no real mass export of lockout data; admins end up filling in the spreadsheet manually.
For these reasons, a better method is required, and we are here to provide you with exactly that.
Automated Solution to Find Locked Out Accounts in Active Directory
SysTools Active Directory Reporting Software is the choice for all information gathering in any AD. Whether you want to find what OU a user is in or check the OU and sub-OU of computer objects, the tool can do it all. With its easy-to-use UI admins should have no problem in finding which user can’t get into their account.
Moreover, the tool provides a separate column to track when exactly this problem began. See the results right within the preview window and export the report in CSV format. The duration picker in the tool allows admins to split the data into the timeframe they want. So now let’s understand the working of this tool in a step-by-step manner.
Instructions on Using the Tool to Find Inaccessible Accounts in AD
Step 1. Open the tool; the home screen loads with the default credentials that the tool fills in on its own. You can change them later via the tool settings.
Step 2. Press the “REGISTER DOMAIN CONTROLLER” button, or click the small building icon on the top right corner.
Step 3. Type an appropriate Domain Friendly Name, and set the IP address of your AD. Press Save & Continue.
Step 4. In the Domain Details Page, put the Admin Email, and Password in their respective boxes and press Save and Continue. Then go to the Report tab.
Step 5. From the category menu Select Locked under the Users Workload.
Step 6. Choose a pre-defined duration from 5, 7, 10, 30, 90 days or 1 year. Otherwise, make a custom time range of your own.
Step 7. Click the Preview icon to see what the data is going to look like.
Step 8. Use the Download option and pick CSV to get the report. Save and View the data file.
What Should Admins Do When Locked-Out AD Accounts Are Found?
As there can be an overlap between locked and disabled users, we recommend that admins export the disabled users from Active Directory first. Account lockouts can bring productivity to a halt, so restoring user access should be the top priority.
Admins should start by checking the user's logon history in Active Directory, which shows when the user last logged on successfully.
Then tally the last password change in Active Directory against the logon failures. This shows which password change preceded the problem.
Repeated wrong-password attempts are the primary reason for lockouts. Often the user never received the password update on time, or a service, scheduled task, mapped drive, or mobile device is still retrying the old password on their behalf.
Conclusion
Admins now have more than enough knowledge on how to find locked-out accounts in Active Directory setup. The information here helps in the identification of accounts as well as the reasons behind entry denial issues in any AD. Although PowerShell, CMD, and other native Active Directory methods exist, none can compare with the speed and accuracy of the tool presented.
Frequently Asked Questions About the AD User Account Lockout Situation
Can I use the Get-ADUser command to see the locked accounts?
Yes, the following command shows the same result:
Get-ADUser -Filter * -Properties LockedOut | Where-Object {$_.LockedOut -eq $true} | ft DistinguishedName, Enabled, LockedOut, Name
Because this pulls every user object and filters it client-side, it is usually slower than Search-ADAccount on a large domain, not faster; its advantage is that you can add any other user properties to the same pipeline. The speed difference only becomes noticeable in very large directories or during a mass lockout event.
I have a complicated OU hierarchy for user accounts, and checking each sub-OU individually is too time-consuming. Is there any option to reduce the search duration?
If you need to know the exact location of the locked account, use the Active Directory Administrative Center (ADAC).
Open ADAC > Click on Global Filter > Toggle LDAP
Paste
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
and Press OK.
You should see the results pop up in the bottom half of your screen.
You can apply the same LDAP query inside the custom filter settings of ADUC and hide all objects except the locked users.
Which Event ID indicates a user lockout from the AD?
The Event ID concerning user lockout is 4740 (A user account was locked out). It is written to the Security log of the domain controller that processed the lockout and, because failed logons are forwarded there, also on the PDC emulator, so look on a domain controller rather than on a workstation. The Audit User Account Management subcategory must be enabled for the event to be recorded. To view it,
Open Event Viewer on the domain controller > Windows Logs > Security.
Use Filter Current Log or the Find option to search for Event ID 4740. Each event records the locked-out user name, the time of the lockout, and the Caller Computer Name, that is, the machine the bad passwords came from, which none of the directory queries above can tell you (the lockout time itself is also available to PowerShell as the AccountLockoutTime property). The catch is that Event Viewer is view-only and shows one event at a time, so correlating many lockouts by hand is tedious.
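As an added example that is not part of the original FAQ answer, the script below pulls every 4740 event from the PDC emulator's Security log for the last 24 hours and tabulates who was locked out, when, and from which machine, then groups the lockouts by source computer. It assumes the ActiveDirectory module, that Audit User Account Management success auditing is enabled on the DCs, and that the caller has rights to read the DC's Security log remotely; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not the article's own code). Assumes the ActiveDirectory module,
# "Audit User Account Management" success auditing on the DCs, and rights to
# read the DC Security log remotely. The time window is an arbitrary choice.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator   # every lockout is reported to the PDCe
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue      # "no events found" is an error, not an empty list

$rows = foreach ($e in $events) {
    # Parse the EventData block so fields are addressed by name, not by index.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        User           = $d['TargetUserName']
        # Quirk of 4740: the "Caller Computer Name" shown in Event Viewer is
        # stored in the TargetDomainName data field, not in a field of its own.
        CallerComputer = $d['TargetDomainName']
        ReportingDC    = $e.MachineName
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Triage view: one caller computer locking out many distinct users in a short
# window is the classic signature of password spraying and needs a security
# investigation, whereas the same user locked repeatedly from one machine
# usually means a stale cached credential on that machine.
$rows | Group-Object CallerComputer |
    Select-Object Count, Name,
        @{ n = 'DistinctUsers'; e = { ($_.Group.User | Sort-Object -Unique).Count } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

If the list is empty but users are reporting lockouts, check the audit policy on the domain controllers first; without the User Account Management subcategory enabled no 4740 events are written at all.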
Why do user accounts get locked out of Active Directory?
The immediate cause of every lockout is more wrong-password attempts than the lockout threshold allows within the observation window. The usual reasons behind those attempts are:
- Forgotten password.
- Failure to check the password expiration date in AD.
- Admin changed the account password.
- A service, scheduled task, mapped drive, saved RDP session, or mobile device still retrying a credential that was cached before a password change.
- Password-guessing attacks (brute force or password spraying) against the account, which is why a burst of 4740 events from a single caller computer deserves a security investigation rather than just an unlock.