Identify Locked AD Users via PowerShell

If you manage your Active Directory using only the ADUC GUI, it’s not particularly easy to identify all locked user accounts at once. Whilst you can do this by using queries within ADUC, I find it much more convenient to use PowerShell. In this short guide I will show you how to identify locked AD users via PowerShell.

The PowerShell cmdlets used in this post are from the ActiveDirectory module. This should already be installed on your Domain Controller, but can also be installed locally as part of Remote Server Administration Tools (RSAT).

If you have dabbled with the ActiveDirectory module before, your first instinct might be to use the Get-ADUser cmdlet to return all users and then filter the output to show only those with a LockedOut property equal to true.

[Screenshot: output of trying to identify locked AD users via PowerShell using Get-ADUser]

As shown in the screenshot above, this approach doesn’t work. It produces an error message directing you to the Search-ADAccount cmdlet instead.

Running the Search-ADAccount cmdlet with the -LockedOut switch returns a list of all accounts that are currently locked. You can then pipe the output to the select cmdlet (an alias for Select-Object) to keep only the useful properties.

[Screenshot: identifying locked AD users via PowerShell using Search-ADAccount]

As shown in the redacted screenshot above, you can output the user’s name, samAccountName and PasswordExpired properties to get a more easily manageable overview. The PasswordExpired property can be useful if you are troubleshooting account lockouts.

If at this point you want to unlock one or more of the accounts, PowerShell can come to the rescue again! There is an Unlock-ADAccount cmdlet which, when given a username (or fed a list of them through the pipeline), will unlock the account from the command line.

So, in summary, if you want a quick list of all the currently locked out AD users, run the following:

Search-ADAccount -LockedOut | select -Property name, samAccountName, PasswordExpired

If you found that user “dean” was locked out, you could unlock the account with the following command:

Unlock-ADAccount dean
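As an added example (not code from the original post), the following script extends the two commands above into a small lockout-triage routine: it lists locked accounts together with the lockout-related properties exposed by Get-ADUser, saves a timestamped CSV for the record, and only unlocks the accounts you name, previewing with -WhatIf unless you explicitly commit. The function names and the report path are assumptions; the cmdlets and property names are those of the ActiveDirectory module.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory module (RSAT or a DC) and rights to read and unlock accounts.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    # badPwdCount is not replicated between DCs; the PDC emulator receives every
    # bad-password attempt, so query it for an authoritative view.
    $pdc = (Get-ADDomain).PDCEmulator

    # Search-ADAccount is the supported way to find lockouts; LockedOut is not a
    # filterable attribute for Get-ADUser -Filter, which is why that approach fails.
    Search-ADAccount -LockedOut -UsersOnly -Server $pdc | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Server $pdc -Properties `
            AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt, PasswordExpired, Enabled
    } | Select-Object Name, SamAccountName, Enabled, PasswordExpired,
                      BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime
}

function Unlock-ReviewedAccounts {
    # Unlock only the accounts an admin has reviewed. Without -Commit the call
    # runs with -WhatIf, so you see what would be unlocked without changing anything.
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [switch] $Commit
    )
    foreach ($sam in $SamAccountName) {
        if ($Commit) { Unlock-ADAccount -Identity $sam -Confirm:$false }
        else         { Unlock-ADAccount -Identity $sam -WhatIf }
    }
}

# Usage: build the report, show the most recent lockouts first, keep a copy on disk.
$locked = Get-LockedOutReport
$locked | Sort-Object AccountLockoutTime -Descending | Format-Table -AutoSize

$reportPath = "C:\Reports\locked-accounts-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"  # assumed path
$locked | Export-Csv -Path $reportPath -NoTypeInformation

# Preview the unlock for one reviewed account (the example user from the post), then commit.
Unlock-ReviewedAccounts -SamAccountName 'dean'
# Unlock-ReviewedAccounts -SamAccountName 'dean' -Commit
```

AccountLockoutTime and LastBadPasswordAttempt show when and how recently the failures happened, which is usually the first question when troubleshooting a lockout.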

Hopefully this guide offers a quick insight into the power of PowerShell. It’s an incredibly useful tool that all Windows admins can benefit from.
