News We Recently Launched AD Migrator and AD Reporter.

How to Find Locked Out Accounts in Active Directory in 3+ Ways

  author
Written By Mohit Jha
Anuraag Singh
Approved By Anuraag Singh  
Published On September 17th, 2024
Reading Time 9 Minutes Reading

During the regular AD audit admins often get stuck on one problem. That is how to find locked out accounts in Active Directory environment. Knowing the time/count of users facing an entry denial can help the admin form a strategy for further investigation and redressal.

Table of Contents

Moreover, they might need to make a list for reporting purposes. However, getting that data is easier said than done, not to mention the extra time spent re-enabling the accounts. Not to worry, as in this write-up, we give clear-cut instructions on identifying all those who can’t access their AD account. Let’s start with the most straightforward method that involves the cmd interface.

Find Which User Account Keeps Getting Locked Out of Active Directory with Command Line Queries

Two of the native code formats are the command line and PowerShell, both of which are available at the admin level for checking user account access. Here is the command line query to check for locked accounts in AD.

net user /domain

This pulls out the list of all user accounts available on your domain.

Then one by one copy a user name and paste it in place of the variable part of the query given below and  check if ad account is locked or not

net user <UserName> | findstr /i /c:"Account active"

check account lockout status using command line
It can show one of three outputs:

  • Yes
  • No
  • Locked

If it shows locked, then you have the right account.

An alternative way is to use the dsquery; the code for that is as follows:

dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))" -limit 0 | dsget user -upn -samid -dn

Dsquery Command to see which Active Directory user accounts are locked out

This is going to provide admins with a list of all users with and without locked account status. You may change the scripts to add a particular time frame or only show all users.  As discussed previously, PowerShell can also be used in this scenario.

How to Find Locked Out Accounts in Active Directory with PowerShell

Use the following scripts. Beware, direct copy-pasting may not work as intended. If you have an AD module and RSAT, then jump directly to the PowerShell command (part 2). Otherwise, install and load it in the PowerShell module with the help of the commands below.

Part 1: Loading the PowerShell Module

Install-WindowsFeature RSAT-AD-PowerShell

Get-WindowsFeature -Name RSAT-AD-PowerShell

Part 2: Using the PowerShell Command

Search-ADAccount -LockedOut | FT Name, DistinguishedName, LockedOut

PowerShell Output of AD account lockout status

Despite the promise of fast results, admins rarely see this happening when they choose scripts. As admins have to spend time in understanding and changing them to better fit their requirements.

Most external scripts like this one only show raw results that can’t be used in a professional report. Moreover, using external scripts on the AD always has a question mark. So let’s see how a native solution allows admins to reduce some of these points.

Look and View Inacessible Accounts in Active Directory with ADUC

An easy scriptless way to check for locked users is available inside the Active Directory Users and Computer portal:

  • In ADUC go to the Users Container.
  • Select the User from whom you received the locked-out complaint.
  • Open the Account Tab

Unlock the Locked User Status in ADUC

There, you see the Unlock Account option. If there is additional text, “Unlock Account. This account is currently locked out on this Active Directory Domain Controller” It means that the user can’t access the AD.

You can also do the following:

Click Filter icon > Create custom filter > Customize > toggle Advance > Paste (&(objectClass=user)(lockoutTime>=1)) > OK > OK
This will make it easier for you to find locked users in the domain as every other object is hidden. You can export the results via the inbuilt button on the toolbar.

However, many users have complained that the LDAP filters give erroneous results. The “lockoutTime” flag resets to 0 only after a user successfully logs on. So admins might see expired lockouts under active status affecting the accuracy of detecting locked accounts.

Some other limitations of relying solely on ADUC are:

  • Admins have to find their way through the often confusing and cumbersome ADUC interface. This takes up much time even for a trivial task like locked user identification.
  • Another danger that inexperienced admins may face is that they can end up with unwarranted changes. These include the user expiring or disabling the user from the AD
  • Moreover, if you do not have prior information on locked-out status, you may have to repeat the search for each and every user on the Active Directory.
  • Not to mention that ADUC has no provision to perform a mass export of the data. Admins have to fill in the spreadsheet manually.

For these reasons, a better method is required. we are here to provide you with exactly that.

Automated Solution to Find Locked Out Accounts in Active Directory

SysTools Active Directory Reporting Software is the choice for all information gathering in any AD. Whether you want to find what OU a user is in or check the OU and sub-OU of computer objects, the tool can do it all. With its easy-to-use UI admins should have no problem in finding which user can’t get into their account.

Download Now Purchase Now

Moreover, the tool provides a separate column to track when exactly this problem began. See the results right within the preview window and export the report in CSV format. The duration picker in the tool allows admins to split the data into the timeframe they want. So now let’s understand the working of this tool in a step-by-step manner.

Instructions on Using the Tool to Find Inaccesible Accounts in AD

Step 1. Open the tool and load the home screen by using the default credentials that the tool fills on its own. You can change it later via that tool settings.

Type administrator to start the tool for listing locked AD user accounts

Step 2. Press the “REGISTER DOMAIN CONTROLLER” button, or click the small building icon on the top right corner.

Register Domain Controller button to add the AD containing locked users

Step 3. Type an appropriate Domain Friendly Name, and set the IP address of your AD. Press Save & Continue.

Fill the AD details

Step 4. In the Domain Details Page, put the Admin Email, and Password in their respective boxes and press Save and Continue. Then go to the Report tab.

Validate AD admin Credentials

Step 5. From the category menu Select Locked under the Users Workload.

AD account lockout status Category Selection

Step 6. Choose a pre-defined duration from 5, 7, 10, 30, 90 days or 1 year. Otherwise, make a custom time range of your own.

apply any one of preset time intervals

Step 7. Click the Preview icon to see what the data is going to look like.

Download CSV containing AD account lockout status

Step 8. Use the Download option and pick CSV to get the report. Save and View the data file.

What Admins Should Do When Locked Out AD Accounts Are Found?

As there can be an overlap between locked and disabled users, we recommend that admins export disabled users from Active Directory first. Moreover, user account lockups can bring productivity to a halt. So getting user access back should be the top priority.

Admins should start by checking the user login history in Active Directory setup. This will allow them to see when was the last time a user successfully entered the AD.

Then they must also tally the last password change in Active Directory with user entry issues. This can give them an insight into which password change caused this issue.

Multiple wrong password attempts are the primary reason for getting locked out. This happens when they do not receive the password update notification on time.

Conclusion

Admins now have more than enough knowledge on how to find locked-out accounts in Active Directory setup. The information here helps in the identification of accounts as well as the reasons behind entry denial issues in any AD. Although PowerShell, CMD, and other native Active Directory methods exist, none can compare with the speed and accuracy of the tool presented.

Frequently Asked Questions About the AD User Account Lockout Situation

Can I use the Get-ADUser command to see the locked accounts?
Yes, the following command shows the same result:

Get-ADUser -Filter * -Properties LockedOut | Where-Object {$_.LockedOut -eq $true} | ft DistinguishedName, Enabled, LockedOut, Name

Here we look directly into the user-level objects so it gives faster results. However, the speed improvement is marginal and admins will only notice it during a mass lockout event.

I have a complicated folder hierarchy for user accounts; checking each sub-folder individually is too time-consuming is there any option to reduce the search duration?
If you need to know the exact location of the locked account use Active Directory Adminstrative Center.
Open ADAC > Click on Global Filter > Toggle LDAP
Paste

(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

and Press OK.

You should see the results pop up in the bottom half of your screen.

You can apply the same LDAP query inside the custom filter settings of ADUC and hide all objects except the locked users.
Check Locked User Accounts Via ADAC

Which Event ID indicates a user lockout from the AD?
The Event ID concerning user lockout is 4740. To view it,

Open the Event Viewer application on the workstation > Windows > Security.

Use the find option to search for the relevant Event ID. Here you can check out additional details such as the time at which the lockout occurred which is not possible with PowerShell or other native GUI mechanisms. However, the catch is that the result remains in a view-only state, and admins can only view one user at a time.

Event Viewer Data containing AD User Lockout information

Why user accounts lock out of Active Directory?
The main reason behind every inaccessible account is the wrong password entry. This can have several subparts, like:

  author

By Mohit Jha

Mohit is a Microsoft Certified expert known for his cloud migration, cyber security, and digital forensics expertise. He specializes in Microsoft 365, Exchange Server, and Azure AD migration, ensuring seamless transitions for organizations worldwide. His multifaceted role as a meticulous tech writer, diligent researcher, and astute editor underscores his commitment to delivering cutting-edge digital forensics and cloud migration strategies.