Account lockouts are among the most frequent issues handled by IT administrators managing AD environments. A common method is to use the Search-ADAccount PowerShell cmdlet to quickly check if an AD account is locked or to find all locked-out users across the domain. While these scripts are powerful, generating detailed reports—especially for auditing—can be complex. For a more straightforward approach, you can use the AD account locked out users report available in ADManager Plus.
This article will walk you through the PowerShell scripts needed to find and manage locked out AD accounts and show you how ADManager Plus can accomplish the same tasks with just a few clicks.
The following table compares how you find locked out AD accounts using PowerShell vs. ADManager Plus.
To find locked out AD accounts using PowerShell, open Windows PowerShell as an administrator and execute the following script:
Search-ADAccount -LockedOut
To find locked out AD accounts using ADManager Plus:
Here are a few variations and practical scripts for managing locked-out accounts.
If you need to check if an AD account is locked using PowerShell, you can also use the Get-ADUser cmdlet and view its LockedOut property.
Get-ADUser -Identity "John" -Properties LockedOut | Select-Object Name, LockedOut
To narrow your search to a particular OU, you can combine Search-ADAccount with the -SearchBase parameter.
$targetOU = "OU=Sales,DC=example,DC=com"   # placeholder: distinguished name of the OU to search
Search-ADAccount -LockedOut -SearchBase $targetOU | Select-Object Name, SamAccountName
Exporting the list of locked-out users to a CSV file is a common requirement. The following script gathers additional properties for each locked account and writes them to a timestamped report (the C:\Reports folder must already exist, since Export-Csv does not create it).
Import-Module ActiveDirectory
# Find all locked-out accounts
Search-ADAccount -LockedOut |
    # Retrieve additional properties for each locked account
    Get-ADUser -Properties AccountLockoutTime, BadLogonCount, Department, EmailAddress |
    # Select the specific properties for the report
    Select-Object Name, SamAccountName, EmailAddress, Department, AccountLockoutTime, BadLogonCount |
    # Export the results to a uniquely named CSV file
    Export-Csv -Path "C:\Reports\LockedOutUsers_$(Get-Date -Format 'yyyyMMdd_HHmm').csv" -NoTypeInformation
To identify accounts that were locked within the last 24 hours:
Import-Module ActiveDirectory
$Yesterday = (Get-Date).AddDays(-1)
Search-ADAccount -LockedOut | Get-ADUser -Properties AccountLockoutTime |
Where-Object {$_.AccountLockoutTime -ge $Yesterday} |
Select-Object Name, SamAccountName, AccountLockoutTime
Solution: This error indicates the Active Directory Module is not loaded. Install the Remote Server Administration Tools (RSAT) and run Import-Module ActiveDirectory before executing your scripts.
Solution: The lockouts may have already expired, or you may be querying a domain controller (DC) that does not hold the current lockout state. Try querying a specific DC with the -Server parameter.
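The following script is an added example and is not code from the original article or from ADManager Plus. It queries the domain's PDC emulator (the DC that is notified of every lockout, so it is the most reliable one to ask), prints the domain lockout duration so you can tell whether a lockout you expected to see has simply expired, and shows how long each still-locked account has been locked. It assumes the RSAT ActiveDirectory module is installed and that the default domain password policy applies (fine-grained password policies can override the lockout settings it prints).

```powershell
# Added example (not from the original article): query lockouts on the PDC emulator
# and relate them to the domain lockout policy.
Import-Module ActiveDirectory

# The PDC emulator is informed of every lockout, so query it rather than an arbitrary DC.
$pdc = (Get-ADDomain).PDCEmulator

# Lockout settings from the default domain policy (assumed to be the policy in effect).
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
Write-Host ("Querying {0}: accounts lock after {1} bad attempts and stay locked for {2}" -f
    $pdc, $policy.LockoutThreshold, $policy.LockoutDuration)

# List the accounts that are still locked on the PDC, newest lockout first,
# with how long each has been locked so far.
Search-ADAccount -LockedOut -Server $pdc |
    Get-ADUser -Server $pdc -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
    Select-Object Name, SamAccountName, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt,
        @{ Name = 'LockedFor'; Expression = { (Get-Date) - $_.AccountLockoutTime } } |
    Sort-Object AccountLockoutTime -Descending |
    Format-Table -AutoSize
```

If the list is empty but a user reports being locked out moments ago, compare the time of the report with LockoutDuration above: a lockout older than that window has already been cleared automatically and will not be returned by Search-ADAccount -LockedOut.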
While PowerShell provides robust capabilities for finding locked accounts, it has several limitations for regular reporting and management tasks.
ADManager Plus is a comprehensive AD reporting solution that addresses PowerShell's limitations while offering additional capabilities.
Search-ADAccount is specifically designed for account status queries and is more efficient for finding locked accounts. Get-ADUser can also check lockout status using filters, but Search-ADAccount is the recommended approach for this specific task.
This often occurs because account lockouts have already expired based on your domain's lockout duration policy. You may need to check the AccountLockoutTime property to see when accounts were previously locked.
Yes, you can unlock user accounts in PowerShell using the Unlock-ADAccount cmdlet. However, ADManager Plus lets you unlock user accounts in just a few clicks without any scripts.
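As an added example that is not part of the original article or of ADManager Plus, the function below wraps Unlock-ADAccount so that an unlock performed from PowerShell still leaves an audit trail: it verifies on the PDC emulator that the account is actually locked, supports -WhatIf for a dry run, and appends a record (who unlocked which account, when, and why) to a CSV file. The log path, OU-independent sAMAccountName and ticket reference are placeholders; the C:\Reports folder is assumed to exist.

```powershell
# Added example (not from the original article): unlock an account with an audit record.
Import-Module ActiveDirectory

$pdc      = (Get-ADDomain).PDCEmulator
$auditLog = "C:\Reports\UnlockAudit.csv"   # placeholder path; the folder must already exist

function Unlock-LockedUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$SamAccountName,

        [Parameter(Mandatory = $true)]
        [string]$Reason   # e.g. the helpdesk ticket that authorised the unlock
    )
    process {
        # Read the lockout state from the PDC emulator so the check is authoritative.
        $user = Get-ADUser -Identity $SamAccountName -Server $pdc `
                           -Properties LockedOut, AccountLockoutTime, BadLogonCount

        if (-not $user.LockedOut) {
            Write-Warning "$SamAccountName is not locked out on $pdc; nothing to do."
            return
        }

        # ShouldProcess makes -WhatIf and -Confirm work for the unlock itself.
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Unlock account on $pdc")) {
            Unlock-ADAccount -Identity $user -Server $pdc

            # Append one audit row per unlock.
            [PSCustomObject]@{
                Timestamp          = Get-Date -Format 'o'
                SamAccountName     = $SamAccountName
                AccountLockoutTime = $user.AccountLockoutTime
                BadLogonCount      = $user.BadLogonCount
                UnlockedBy         = "$env:USERDOMAIN\$env:USERNAME"
                Reason             = $Reason
            } | Export-Csv -Path $auditLog -Append -NoTypeInformation
        }
    }
}

# Dry run first (placeholder account and ticket), then the real unlock:
Unlock-LockedUser -SamAccountName 'jdoe' -Reason 'Helpdesk ticket INC-0001' -WhatIf
Unlock-LockedUser -SamAccountName 'jdoe' -Reason 'Helpdesk ticket INC-0001'
```

Because the function accepts pipeline input, a list of sAMAccountNames (for example from the 24-hour report above) can be piped into it once each unlock has been approved; keeping the Reason mandatory is what turns an ad-hoc unlock into something that can be reviewed later.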