Frustrated with PowerShell for Account Lockouts? Try ADAudit Plus®

Root cause analysis takes too long with PowerShell. ADAudit Plus shows who locked the account, when, where, and why—instantly.

Start free trial   Book demo  

*Fully functional 30-day free trial. No credit card required

Worlds leading and largest enterprises trust ManageEngine

Including 9 out of every 10 Fortune 100 companies

 

How to find out the source of an account lockout using
PowerShell and ADAudit Plus

One of the biggest challenges for IT admins is finding account lockout sources. While PowerShell
can help, it’s complex. ADAudit Plus offers a simpler, comprehensive solution.

PowerShell

Steps to get AD user locked out history using PowerShell:

  • Identify the domain from which you want to retrieve the report.
  • Identify the LDAP attributes you need to fetch the report.
  • Identify the primary DC to retrieve the report.
  • Compile the script.
  • Execute it in Windows PowerShell.
  • The report will be exported in the given format.
  • To obtain the report in a different format, modify the script accordingly to the needs of the user.

Sample Windows PowerShell script

#requires -Module ActiveDirectory
                            #Import-Module ActiveDirectory -EA Stop
                            Function Get-AccountLockoutStatus {
                                [CmdletBinding()]
                                param(
                                    [Parameter(
                                    ValueFromPipeline=$true,
                                    ValueFromPipelineByPropertyName=$true,
                                    Position=0)]
                                    [string[]]
                                    $ComputerName = (Get-ADDomainController -Filter * |  select -ExpandProperty Name),
                                    [Parameter()]
                                    [string]
                                    $Username,
                                    [Parameter()]
                                    [int]          
                                    $DaysFromToday = 3     
                                )
                                 BEGIN {
                                    $Object = @()
                                }
                                PROCESS {
                                    Foreach ($Computer in $ComputerName) {
                                        try {
                                            $EventID = Get-WinEvent -ComputerName $Computer -FilterHashtable @{Logname = 'Security'; ID = 4740; StartTime = (Get-Date).AddDays(-$DaysFromToday)} -EA 0
                                            Foreach ($Event in $EventID) {
                                                $Properties = @{Computername   = $Computer
                                                                Time           = $Event.TimeCreated
                                                                Username       = $Event.Properties.value[0]
                                                                CallerComputer = $Event.Properties.value[1]
                                                                }
                                                $Object += New-Object -TypeName PSObject -Property $Properties | Select ComputerName, Username, Time, CallerComputer
                                            }
                             
                                        } catch {
                                            $ErrorMessage = $Computer + " Error: " + $_.Exception.Message
                                                
                                        } finally {
                                            if ($Username) {
                                                    Write-Output $Object | Where-Object {$_.Username -eq $Username}
                                                } else {
                                                    Write-Output $Object
                                            }
                                            $Object = $null
                                        }
                                    }   
                                }     
                                END {}
                            }
 

To obtain the report,

  • Login to ADAudit Plus web console as an administrator.
  • Navigate to the Reports tab and from the User Management section in the left pane, select Account Lockout Analyzer report.
  • Select the domain and click Generate.
  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).
powershell-account-lockout

PowerShell Limitations vs ADAudit Plus Capabilities

Feature
PowerShell Scripts
Ease of use
Requires scripting expertise and manual execution
Intuitive GUI, ready-made reports
Real-time analysis
Manual execution or complex scheduling required
Instant alerts & reports
Detailed source
Often requires correlation of multiple event IDs
Specific workstation, application, or process
Historical data
Requires custom logging & storage, limited by script run
Long-term audit trails, easy searching
Alerting
Requires complex script integration with alert systems
Customizable email/SMS alerts for lockouts
Reporting
Manual data extraction, formatting, and reporting
Pre-built, customizable, exportable reports
Maintenance
 
Manual updates, troubleshooting, no vendor support
Automatic updates, support
×

To assist your evaluation we offer

  • 30-day fully functional free trial.
  • No user limits.
  • Free 24*5 tech support.
Start free trial   Product Demo  

Empowering IT with actionable audit intelligence.

Windows logon monitoring

Continuously track user logon activity, and audit everything from logon failures to logon history.

Privileged user monitoring

Audit privilege use to hold admins and other privileged users accountable for their actions.

File integrity monitoring

Track changes to the operating system, programs, and other local files residing on Windows systems, and ensure system integrity.

Threat detection and response

Detect AD attacks, identify risky Azure, AWS, and GCP configurations, get visibility into anomalous user behavior, and automate incident response.

Real-time change notification

Get instantly alerted on who performed what change, when, and from where in your Windows Server environment.

Compliance reporting

Audit privilege use to hold admins and other privileged users accountable for their actions.

File change monitoring

Audit file accesses, permission changes, and more across Windows and other NAS file servers.

Employee time tracking

Continuously monitor the active and idle time spent by employees at their Windows workstations.

Awards & recognitions

We strive for excellence to provide your organization with the best security. Our commitment to innovate constantly and ensure customer satisfaction has earned us some awards and recognitions. Here are a few of the accolades from 2023-2024.

  • Niche Player in the 2024 Gartner Magic Quadrant for Security Information and Event Management

  • Contender in Extended Detection and Response (XDR) in the ISG Provider Lens Cybersecurity - Solutions and Services, 2023

  • Challenger in KuppingerCole's Leadership Compass: Data Leakage Prevention, 2023

  • Challenger and Outperformer in the GigaOm Radar for Autonomous SOC, 2023

  • Customer's Choice in the Peer Insights 'Voice of the Customer': Security Information and Event Management, 2023

ADAudit Plus is licensed on a per-server basis and
is available in the following editions

Standard edition

Starts at $595 annually

Start free trial
  • All features of free edition +
  • Reports and alerts on event log
  • Domain Controllers
  • Azure AD Tenants
  • Windows servers
  • Workstations
  • Windows file servers
  • Windows file servers

Professional edition

Starts at $945 annually

Start free trial
  • All features of standard edition +
  • Account lockout analysis
  • AD permissions change auditing
  • GPO settings change tracking
  • DNS and AD schema change auditing
  • Old and new values of AD object attribute changes
  • Support for MS SQL database
  • And much more...

Thank you!

We have received your request for a price quote and will contact you shortly.

Get a personalized quote

that best suits your requirements

  •  
  •  
  • Add-ons
    ?

    Track File Servers for document changes to files (file creation / modification / deletion) and folders audit-access, shares and permissions

     
    NetApp (or) EMC (or) Synology (or) Hitachi (or) Huawei file systems
    ?

    Audit Windows Server

    1. Local Logon/Logoff
    2. File Integrity
    3. Printer
    4. RADIUS/NPS
    5. ADFS
    6. LAPS
    7. ADLDS
    ?

    Audit Workstations

    1. Local Logon/Logoff
    2. Employee work hours
    3. Local Account Management
    4. Startup/Shutdown
    5. File Integrity
    6. System events
    7. Removable Storage Auditing(USB)
  • By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

Still guessing what's locking out accounts? Get full visibility into AD lockout sources—no more scripts or guesswork.

Start free trial   Product Demo  

2025 Zoho Corporation Pvt. Ltd. All Rights Reserved.

 
 

Trusted by IT teams in 190+ countries worldwide

To assist your evaluation we offer:

  • 30-day fully functional free trial
  • Free 24*5 Technical Support
  • No credit card required
  • No user limits

Awards and Recognitions

award-logo

Thank you
for downloading!

Your download should begin automatically in 15 seconds. If not, click here to download manually.

Try ADAudit Plus For Free

  •  
  •  
  •  
  • By clicking 'Download now' you agree to processing of personal data according to the Privacy Policy.
 
 

Trusted by IT teams in 190+ countries worldwide

What’s next?

Schedule a
free personalized demo of

ADAudit Plus

Awards and Recognitions

award-logo

Thank you

We have received your request for a personalized demo. Our product specialist will get in touch with you shortly.

Schedule a free demo

  •  
  •  
  •  
  •  
  • By clicking 'Schedule a free demo' you agree to processing of personal data according to the Privacy Policy.
Request DemoGet Quote