
How to get a list of locked-out user accounts in Active Directory

User accounts in Active Directory can get locked out either because a legitimate user locks themselves out, or because of a security issue. In either case, IT administrators need to search for locked-out accounts and take remedial action.

The following is a comparison between using Windows PowerShell and ADAudit Plus to obtain the list of locked-out users in Active Directory:

PowerShell

Steps to obtain the list of locked-out users:

  • Identify the domain from which you want to retrieve the report.
  • Identify the primary DC to retrieve the report.
  • Compile the script.
  • Execute it in Windows PowerShell.
  • In case you want to export the report in a particular file format, you will need to customize the cmdlet as required.

Sample Windows PowerShell script

Search-ADAccount -LockedOut -UsersOnly
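The steps above carried through to a CSV export, as an added example that is not part of the original page or of ADAudit Plus. The domain name and output path are placeholders, and the helper ConvertTo-UtcString is a hypothetical name introduced here; the script assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: list locked-out users from the PDC emulator and export to CSV.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own domain and report path.
$DomainName = 'corp.example.com'
$OutFile    = 'C:\Reports\LockedOutUsers.csv'

# Hypothetical helper: render a DateTime as a fixed-format UTC string so the
# report does not depend on the locale or time zone of the machine running it.
function ConvertTo-UtcString {
    param($Value)
    if ($null -eq $Value) { return $null }
    ([datetime]$Value).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
}

# Steps 1-2: resolve the domain and its primary DC (the PDC emulator).
$pdc = (Get-ADDomain -Server $DomainName).PDCEmulator

# Steps 3-4: find locked-out users on that DC, then fetch lockout details.
# BadLogonCount is not replicated between DCs; the value read here is the
# PDC emulator's own copy.
$locked = Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    Get-ADUser -Server $pdc -Properties AccountLockoutTime,
                                        LastBadPasswordAttempt,
                                        BadLogonCount

if (-not $locked) {
    Write-Output "No locked-out user accounts found on $pdc."
    return
}

$report = foreach ($u in $locked) {
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        Enabled            = $u.Enabled
        BadLogonCount      = $u.BadLogonCount
        LockoutTimeUtc     = ConvertTo-UtcString $u.AccountLockoutTime
        LastBadPasswordUtc = ConvertTo-UtcString $u.LastBadPasswordAttempt
        QueriedDC          = $pdc
    }
}

# Step 5: export. Swap Export-Csv for ConvertTo-Html or ConvertTo-Json
# to produce a different file format from the same $report objects.
$report | Sort-Object LockoutTimeUtc -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```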

ADAudit Plus

To obtain the report:

  • Navigate to Reports -> User Management -> Account Lockout Analyzer
  • Select either the required 'Domain' or select 'All Domains'.
  • Use the 'Search' option to filter for specific user names, or domain controller, if required.
  • Obtain a list of all the account lockouts for a time period of your choice.
  • Export the report in a format of your choice: CSV, PDF, XLS, or HTML.

The following are the limitations of using PowerShell to track the source of an account lockout:

  • The script can be run only from computers that have the Active Directory Domain Services role.
  • It is difficult to change date formats.
  • It is difficult to apply different time zones to the date results.
  • You need to write different code each time you want a report in a different file format.
  • Applying filters, such as 'During business hours', 'Period', and 'Export as', will increase the LDAP query complexity.

On the other hand, ADAudit Plus will automatically scan all DCs in the domain to retrieve the list of account lockouts.
