PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

I recently received a request to determine why a specific user account was constantly being locked out after its Active Directory password had been changed. While I’ve previously written scripts to accomplish this same type of task, I decided to write an updated script.

Active Directory user account lockouts are replicated to the PDC emulator in the domain through emergency replication, so that is the domain controller whose Security log has to be queried. I could have used the Get-ADDomain cmdlet to easily determine the PDC emulator for the domain:


However, that would have required the RSAT tools to be installed on the workstation the script is run from, so I used the .NET Framework to accomplish that particular task instead and eliminated the Active Directory module dependency:


If you’re interested in using the .NET framework to determine the Active Directory FSMO role holders with PowerShell, I wrote a blog article titled “PowerShell Function to Determine the Active Directory FSMO Role Holders via the .NET Framework” that covers that subject in more detail.

This “Get-LockedOutUser.ps1” script allows you to specify the following via parameter input to narrow down the results:

  • A specific user ID, defaulting to all locked-out user IDs
  • The start time to begin searching records from, defaulting to the last three days
  • The domain name to search for lockouts in, defaulting to the domain of the user running the script

The script prompts for alternate credentials because, in my opinion, you shouldn’t be running your PowerShell session with elevated credentials:


As you can see, jimmy0 is being locked out by a device named PC01:


The StartTime parameter can be used to specify more or fewer days if the default of three days doesn’t meet your needs, as shown in the following example where one day is used:


The script shown in this blog can also be downloaded from the TechNet script repository.
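The following is an added illustration of the approach described above (locating the PDC emulator through .NET rather than the ActiveDirectory module, then querying its Security log for lockout events with the UserName, StartTime and DomainName parameters the post lists). It is not the author’s Get-LockedOutUser.ps1 from the TechNet repository; the parameter names, defaults and output columns are assumptions chosen to match the description. Security event ID 4740 (“A user account was locked out”) is the event the PDC emulator records for a lockout, and its first two event properties carry the target user name and the caller computer name.

```powershell
#Requires -Version 3.0
function Get-LockedOutUser {
    <#
    .SYNOPSIS
        Added example: list account lockout events from the domain's PDC emulator.
        Parameter names and defaults are assumptions mirroring the blog post's description.
    #>
    [CmdletBinding()]
    param (
        # User ID to report on; '*' returns every locked-out account
        [string]$UserName = '*',

        # Earliest event to return; defaults to the last three days
        [datetime]$StartTime = (Get-Date).AddDays(-3),

        # Domain to query; defaults to the domain of the user running the script
        [string]$DomainName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name,

        # Prompt for alternate credentials rather than running the whole session elevated
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )

    # Locate the PDC emulator with the .NET Framework so the RSAT ActiveDirectory module is not required.
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context).PdcRoleOwner.Name

    # Lockouts are urgently replicated to the PDC emulator, so query its Security log over WinRM.
    # The $Using: scope modifier (PowerShell 3.0+) passes the local parameters into the remote block;
    # on PowerShell 2.0 the StartTime key would arrive as $null and Get-WinEvent rejects the hashtable.
    Invoke-Command -ComputerName $pdc -Credential $Credential -ScriptBlock {
        $user  = $Using:UserName
        $start = $Using:StartTime

        # Event 4740 = "A user account was locked out".
        # -ErrorAction SilentlyContinue suppresses the NoMatchingEventsFound error when there are none.
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $start
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -like $user } |
        Select-Object -Property TimeCreated,
            @{ Name = 'UserName';   Expression = { $_.Properties[0].Value } },
            @{ Name = 'ClientName'; Expression = { $_.Properties[1].Value } }
    } | Select-Object -Property TimeCreated, UserName, ClientName
}

# Usage (hypothetical user and domain values):
# Get-LockedOutUser -UserName 'jimmy0' -StartTime (Get-Date).AddDays(-1)
```

Two points worth keeping in mind when running something like this: Invoke-Command needs the WinRM listener to be enabled on the PDC emulator (a "client cannot connect to the destination" error usually means it is not), and the ClientName column only tells you which device reported the bad passwords, so the next step is to look on that device for the cached credential, mapped drive or scheduled task that is still using the old password.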


About Mike F Robbins

PowerShell Enthusiast | IT Pro | Winner of the Advanced Category in the 2013 PowerShell Scripting Games | Author of Chapter 6 in the PowerShell Deep Dives Book.

13 Responses to PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

  1. Pingback: Episode 251 – PowerScripting Podcast – Josh Swenson talks about using PowerShell | PowerShell.org

  2. Really nice script and good description too. However, I’m getting an error when running it: “A null value was encountered in the StartTime hash table key. Null values are not permitted”.
    Do you know what might be wrong? Thanks

  3. Lyndon says:

    I have the same issue. Hope it’s something simple, as this tool will be fantastic for me.

    • Lyndon says:

      This is the entire error I get.

      A null value was encountered in the StartTime hash table key. Null values are not permitted.
      + CategoryInfo : InvalidArgument: (StartTime:String) [Get-WinEvent], Exception
      + FullyQualifiedErrorId : NullNotAllowedInHashtable,Microsoft.PowerShell.Commands.GetWinEventCommand

      • Sahay says:

        When the user checks mail on an iPhone, it prompts her to enter the password. If she is in the office, both the iPhone and her computer work fine; when she goes out of the office, the iPhone prompts her to enter the password many times. She typed it many times, and the account got locked.

        Please advise how to solve this issue (earlier she used an iPhone 5, now it is an iPhone 6 Plus).

  4. Werner says:

    Works for me. Quite nifty! Thanks!

  5. Luke says:

    Thank you for posting this.
    In my case I always get “NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand”.
    I know for a fact there are locked accounts in AD. I tried to change the number of days to 90, 180 and lastly to 500 days and still got the same result.
    Any idea why I’m getting this?

    Thank You


  6. Thomas Neat says:

    I’m also getting the “null value was encountered in the StartTime hash table key” error. Was there a fix for this?

  7. Can you confirm that you’re using PowerShell version 3? When using the function shown in this blog article, that error is generally caused because of it being run on a system with PowerShell version 2. The “Using” variable scope modifier that is used in the function was first introduced in PowerShell version 3.

    • Mukul says:

      Hello Mike,

      I have verified the version and build of PowerShell and it is version 3. The issue is that even after changing the StartTime in the script, it still gives results for the last 3 days only, with no other errors. Can you please advise us further, as this is an awesome utility and a lot of people can benefit from it. Thanks!

  8. Clint says:

    Any help with the following error would be appreciated! Running on Windows 8.1 update 1.

    PS C:\users\myuser\desktop> .\Get-LockedOutUser.ps1 -userName 'MyUsername'

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    [MAINDC.MYDOMAIN.ORG] Connecting to remote server
    MAINDC.MYDOMAIN.ORG failed with the following error message : The client
    cannot connect to the destination specified in the request. Verify that the
    service on the destination is running and is accepting requests. Consult the
    logs and documentation for the WS-Management service running on the
    destination, most commonly IIS or WinRM. If the destination is the WinRM
    service, run the following command on the destination to analyze and configure
    the WinRM service: “winrm quickconfig”. For more information, see the
    about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (MAINDC.MYDOMAIN.TMH.ORG:String) [],
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

  9. Jocke says:

    Thanks for this! Works like a charm

  10. Brooks says:

    @Clint – is listener installed and running on the PDC emulator?
