Find AD User Account Lockout Events with PowerShell

A few weeks ago a user contacted me and said they were being locked out repeatedly throughout the day. This can have several causes: someone else trying to log in with their account, or the user being logged in somewhere else, changing their password, and that older session still presenting the old password. I searched the security event log on the domain controllers and found the name of the machine the lockouts were coming from. The event ID for lockout events is 4740 on Vista / 2008 and later and 644 on 2000 / XP / 2003. Here’s the PowerShell script I used to find the lockout events:

Based on these results, the user is being locked out from a machine named “PC01”:

The problem was that the user recently changed their password and had some out of date credentials saved in the Windows 7 Credential Manager:

This cmdlet will search Active Directory and list all of the accounts that are locked out:

Here are the results of that command:

You can use the following PowerShell command to unlock the Active Directory account:
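The whole procedure from this post (pull the 4740 events from a domain controller, tally them by source machine, list the locked-out accounts, unlock one) as a single added PowerShell example; it is not the post's original script. It assumes the RSAT ActiveDirectory module, read rights on the domain controllers' Security logs, a Vista / 2008 or later domain, and a hypothetical user named jdoe.

```powershell
# Added example, not the post's own script. Assumes the RSAT ActiveDirectory
# module, rights to read the Security log on the domain controllers, and a
# Vista / 2008 or later domain so lockouts are logged as event ID 4740.
Import-Module ActiveDirectory

function Get-AccountLockoutEvents {
    param(
        [string]$UserName,                 # sAMAccountName to look for (omit for all users)
        [int]$Hours = 24,                  # how far back to search
        [switch]$AllDomainControllers      # default: query the PDC emulator only
    )
    # Lockouts are forwarded to the PDC emulator, so its log normally covers the whole domain.
    $dcs = if ($AllDomainControllers) {
        (Get-ADDomainController -Filter *).HostName
    } else {
        (Get-ADDomain).PDCEmulator
    }
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $dcs) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; that is not a failure worth reporting
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
            continue
        }
        foreach ($e in $events) {
            # 4740 EventData layout: [0] = TargetUserName, [1] = TargetDomainName, which
            # carries the "Caller Computer Name" (the machine the bad passwords came from).
            $p = $e.Properties
            if ($UserName -and $p[0].Value -ne $UserName) { continue }
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                User             = $p[0].Value
                CallerComputer   = $p[1].Value
                DomainController = $dc
            }
        }
    }
}

# Which machine keeps locking the user out? Tally by source, as with "PC01" in the post.
Get-AccountLockoutEvents -UserName 'jdoe' -Hours 24 |
    Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name

# All currently locked-out accounts, then unlock the user once the stale credential is fixed
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Unlock-ADAccount -Identity 'jdoe'
```

Unlocking before the stale credential in Credential Manager is removed just restarts the cycle, so fix the source machine first.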


5 Comments

  1. Chris

    Any suggestions when you would have 200 domain controllers and about 30,000 users? We frequently have users that get randomly locked out and it is not always the closest DC to them because they RDP into other locations or use apps that are hosted somewhere else.

    Reply
    • remigioioscariglesias

      Hi Chris, on your environment you might need to get a third party tool, instead of this PowerShell script. I saw that some people use NetIq, that needs to deploy agents on every DC that you have deployed on your environment, and get all the security events consolidated into a central console, from where you can get all the information about user account lockouts. On the other hand, if you also have deployed SCOM on your environment you can use rules to catch up all your environment events, but let’s consider that surely there are going to be a bunch of them and a bunch of alerts coming through email... Hope it helps.

      Reply
  2. Matt

    This is super awesome! Thanks so much.

    Reply
  3. bandara

    How to run the 1st script (lockout events)? Please specify.

    Reply
  4. HankC

    I believe all lockout events register on the PDC, yes? If so, parsing the PDC security log reveals the user detail…

    Reply
