Find AD User Account Lockout Events with PowerShell

A few weeks ago a user contacted me and stated they were constantly being locked out throughout the day. This could have been caused by a number of things from someone else trying to log in as them to being logged in somewhere else, changing their password and the session with the old password still being active. I ran a search of the security event log on the domain controllers and found the name of the machine that the user was being locked out from. The event ID for lockout events is 4740 for Vista / 2008 and higher and 644 for 2000 / XP / 2003. Here’s the PowerShell script I used to find the lockout events:

1$logName = 'security'
2$pcName = 'dc01', 'dc02', 'dc03'
3$eventID = '4740'
4Get-EventLog -LogName $logName -ComputerName $pcName |
5Where-Object {$_.eventID -eq $eventID} |
6Format-List -Property timegenerated, replacementstrings, message

Based on these results, the user is being locked out from a machine named "PC01":

lockout-1.png

The problem was that the user recently changed their password and had some out of date credentials saved in the Windows 7 Credential Manager:

lockout-2.png

This cmdlet will search Active Directory and list all of the accounts that are locked out:

1Search-ADAccount -LockedOut

Here's the results of that command:

lockout-3.png

You can use the following PowerShell command to unlock the Active Directory account:

1$name = 'mike'
2Unlock-ADAccount -Identity $name

µ