How to use PowerShell to get locked out Active Directory user accounts report
This article explains the steps to use PowerShell to find locked-out Active Directory (AD) user accounts. It also explains how to get a locked-out AD users report using ADManager Plus, a unified AD, Office 365 and Exchange management and reporting tool.
In PowerShell, the Get-ADUser cmdlet has to be used to find locked-out user accounts. By using appropriate filters, this command checks if an account is locked, and lists the locked-out ones. ADManager Plus' predefined reports, on the other hand, offer a PowerShell script-free option to find locked-out users. With built-in reports and easy GUI-based actions, ADManager Plus is the easier and better option to get locked AD users over PowerShell.
Steps to obtain locked-out users report using PowerShell:
- Identify the domain from which you want to retrieve the report.
- Identify the LDAP attributes you need to fetch the report.
- Identify the primary DC to retrieve the report.
- Compile the script.
- Execute it in Windows PowerShell.
- The report will be exported in the given format.
- To obtain the report in a different format, modify the script according to the needs of the user.
Sample Windows PowerShell script:
Search-ADAccount -LockedOut |
Select-Object -Property Name,DistinguishedName |
Export-Csv -Path .\LockedOutUsers.csv -NoTypeInformation -Encoding UTF8  # placeholder output path; change as needed
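A fuller version of the steps above, added here as an example and not taken from the article or from ManageEngine: it resolves the domain's PDC emulator, reads the lockout-related attributes from that one DC, and exports the result as CSV or HTML. The parameter names, defaults and output path are assumptions, and the RSAT ActiveDirectory module must be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: locked-out user report read from the domain's PDC emulator.
param(
    [string]$Domain  = (Get-ADDomain).DNSRoot,   # assumption: default to the current domain
    [string]$OutFile = '.\LockedOutUsers.csv',    # placeholder path; pass an .html path with -Format Html
    [ValidateSet('Csv', 'Html')]
    [string]$Format  = 'Csv'
)

# Steps 1 and 3: resolve the domain and its PDC emulator. Lockouts are
# replicated urgently to the PDC emulator, so it holds the most current state.
$pdc = (Get-ADDomain -Identity $Domain -Server $Domain).PDCEmulator

# Step 2: the attributes (AD module extended properties) to include.
$props = 'LockedOut', 'AccountLockoutTime', 'LastBadPasswordAttempt', 'BadLogonCount'

# Search-ADAccount finds the locked accounts; Get-ADUser then pulls the extra
# attributes from the same DC so every column comes from one source.
$report = Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Server $pdc -Properties $props } |
    Select-Object Name, SamAccountName, DistinguishedName, Enabled,
                  AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
    Sort-Object AccountLockoutTime -Descending

# An empty result is normal; do not write an empty report file.
if (-not $report) {
    Write-Host "No locked-out user accounts found on $pdc."
    return
}

# Last step: export in the requested format without editing the script.
switch ($Format) {
    'Csv'  { $report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8 }
    'Html' { $report | ConvertTo-Html -Title "Locked-out users ($Domain)" |
                 Set-Content -Path $OutFile -Encoding UTF8 }
}
Write-Host "$(@($report).Count) locked-out account(s) written to $OutFile"
```

Sorting by AccountLockoutTime puts the most recent lockouts first, and a cluster of lockouts with close LastBadPasswordAttempt values is worth checking against the DC's security log for password-guessing activity.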
To obtain the report using ADManager Plus:
- Select Locked-out Users from the User Reports.
- Select Domain and OU. Click Generate.
- Select Export as to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).
Limitations of using PowerShell to get locked out user accounts in AD
- You will not be able to use PowerShell to get locked user accounts if you do not have enough privileges in the AD domains from which you wish to generate this report. With ADManager Plus, as all permissions are granted to users via custom-roles, which apply only in the product, there is no need to elevate users' or technicians' privileges in native AD.
- To export the locked-out AD users report in a different format or to change the storage location, the PowerShell script has to be modified. ADManager Plus offers a built-in Export as option, which allows you to export the report to CSV, PDF, HTML, or CSV format with just mouse-clicks.
- To search the generated report for any specific record or data, the PowerShell script doesn't offer any option. It also doesn't offer any option to manage the user accounts from the report. ADManager Plus on the other hand offers a built-in search and on-the-fly management actions in all its reports to locate any user easily and move, enable/disable, delete, or reset the desired accounts or modify their attributes, right from the reports.
- You must know how to execute the scripts from the PowerShell window. As ADManager Plus is purely GUI-based, all management and reporting actions can be performed with just mouse clicks.
- Just a misplaced hyphen, or a misspelt LDAP attribute name could cause errors. As ADManager Plus is a purely GUI-based solution, it eliminates the need to create or execute complex scripts, closing the door on any chances of error.