29 Comments


  1. Really nice script and good description too. However, I’m getting an error when running it: “A null value was encountered in the StartTime hash table key. Null values are not permitted”.
    Do you know what might be wrong? Thanks

    Reply
  2. Lyndon

    I have the same issue? Hope its something simple, as this tool will be fantastic for me.

    Reply
    • Lyndon

      This is the entire error I get.

      A null value was encountered in the StartTime hash table key. Null values are not permitted.
      + CategoryInfo : InvalidArgument: (StartTime:String) [Get-WinEvent], Exception
      + FullyQualifiedErrorId : NullNotAllowedInHashtable,Microsoft.PowerShell.Commands.GetWinEventCommand

      Reply
      • Sahay

        When the user checking mails on Iphone, it prompts enter password, if she is in office, both Iphone and her computer works fine, whe she goes out of the office, On Iphone, it prompts to enter the password many times.. she typed many times, the account is locked.

        Please advise how to solve this issue(earlier she used iphone 5, now it is iphone 6 plus)

        Reply
  3. Werner

    Works for me. Quite nifty! Thanks!

    Reply
  4. Luke

    Hello

    Thank you for posting this.
    In my case i always get “NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand”
    I know for a fact there are locked accounts in ad. I tried to change number of days to 90, 180 and last to 500 days and still same result.
    Any idea why i’m getting this?

    Thank You

    Luke

    Reply
  5. Thomas Neat

    I’m also getting the null value was encountered in StartTime has table key. Was there a fix for this?

    Reply

  6. Can you confirm that you’re using PowerShell version 3? When using the function shown in this blog article, that error is generally caused because of it being run on a system with PowerShell version 2. The “Using” variable scope modifier that is used in the function was first introduced in PowerShell version 3.

    Reply
    • Mukul

      Hello Mike,

      I have verified the version and build of Powershell and it is version 3. The issue is even after changing the starttime in the script, it still gives results for last 3 days only and no other errors. Can you please advise us further as this is an awesome utility and a lot of people can benefit from this. Thanks!

      Reply
  7. Clint

    Any help with the following error would be appreciated! Running on Windows 8.1 update 1.

    PS C:\users\myuser\desktop> .\Get-LockedOutUser.ps1 -userName ‘MyUsername’

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    [MAINDC.MYDOMAIN.ORG] Connecting to remote server
    MAINDC.MYDOMAIN.ORG failed with the following error message : The client
    cannot connect to the destination specified in the request. Verify that the
    service on the destination is running and is accepting requests. Consult the
    logs and documentation for the WS-Management service running on the
    destination, most commonly IIS or WinRM. If the destination is the WinRM
    service, run the following command on the destination to analyze and configure
    the WinRM service: “winrm quickconfig”. For more information, see the
    about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (MAINDC.MYDOMAIN.TMH.ORG:String) [],
    PSRemotingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

    Reply

  8. Thanks for this! Works like a charm

    Reply
  9. Brooks

    @Clint – is listener installed and running on the PDC emulator?

    Reply
  10. Red Alegre

    I am getting the same error as Clint, I am running the command from AD Powershell on a Windows Server 2012 R2

    [DC01.domain.com] Connecting to remote server DC01.domain.com failed with
    the following error message : The client cannot connect to the destination
    specified in the request. Verify that the service on the destination is
    running and is accepting requests. Consult the logs and documentation for the
    WS-Management service running on the destination, most commonly IIS or WinRM.
    If the destination is the WinRM service, run the following command on the
    destination to analyze and configure the WinRM service: “winrm quickconfig”.
    For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (DC01.domain.com:String) [], PSRemot
    ingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken

    PS Z:\> $psversiontable

    Name Value
    —- —–
    PSVersion 4.0
    WSManStackVersion 3.0
    SerializationVersion 1.1.0.1
    CLRVersion 4.0.30319.34003
    BuildVersion 6.3.9600.16394
    PSCompatibleVersions {1.0, 2.0, 3.0, 4.0}
    PSRemotingProtocolVersion 2.2

    Reply

  11. What does it means if the ClientName field is empty? there are several account lockout events but no clientname is returned.

    PS C:\Users\SESA276115> .\Get-LockedOutUser.ps1 -UserName SESA269292

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential

    TimeCreated UserName ClientName
    ———– ——– ———-
    4/24/2015 5:07:05 PM SESA269292
    4/24/2015 4:54:37 PM SESA269292
    4/24/2015 4:45:58 PM SESA269292
    4/24/2015 4:44:20 PM SESA269292

    Reply
    • Chris

      Getting the same thing – no PC name returned

      Reply
    • gojensen

      me too… in my case it’s a Mac user that keeps getting locked out several times a day and we have no idea why…

      Reply

  12. I have always used this simple method that worked well for me:
    Look in Security Event logs
    account lockout filter for Event ID 4740
    shows Computer IP address that triggered the lockout, and the Doman Controller that locked out the account (when there is more than one DC)
    account unlocked filter for Event ID 4767
    shows who unlocked it and when.
    Hope this helps too!

    Reply
  13. DP

    all kinds of errors, was this written for 2008/2008R2? lots and lots of errors

    Reply

    • The machine it is run from has to have PowerShell version 3 (because of the “Using” scope modifier that is used). It does however work against domain controllers running 2008 or 2008R2 as long as PowerShell remoting is enabled on the PDC emulator in the forest root domain.

      Reply
  14. DP

    ran script as is – no changes or variable changes

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    A Using variable cannot be retrieved. A Using variable can be used only with In
    voke-Command, Start-Job, or InlineScript in the script workflow. When it is use
    d with Invoke-Command, the Using variable is valid only if the script block is
    invoked on a remote computer.
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : UsingWithoutInvokeCommand

    Reply

    • When you are prompted for credentials, you must specify credentials that have rights to read the security event log on the PDC emulator in the forest root domain. Either a domain admin in that domain or an account that has been granted sufficient rights.

      Reply
  15. DP

    [CmdletBinding()]
    param (
    [ValidateNotNullOrEmpty()]
    [string]$DomainName = $env:USERDOMAIN,

    changed USERDOMAIN to my actual domain

    New-Object : Exception calling “.ctor” with “2” argument(s): “The specified str
    ing parameter is empty.
    Parameter name: name”
    At C:\scripts\Get-LockedOutUser.ps1:43 char:19
    + New-Object <<<< System.DirectoryServices.ActiveDirectory.DirectoryCo
    ntext('Domain', $DomainName))
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvoca
    tionException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.Power
    Shell.Commands.NewObjectCommand

    Really? so informative (sarcasm)

    Reply

    • No need to change the script. This is a “parameterized” script and an alternate domain can be specified when calling the script as specified in the help.

      Reply
  16. DP

    So for whoever this worked for – did you have to re-write the entire thing? absolutely nothing in this script works

    Reply
  17. Shakiel

    Awesome scripts sir. i just solved a problem that use to take me days to figure out. record time 2 minutes. The user is over the moon.(- _ -)

    Reply
  18. Jesse Williams

    I am having this issue:

    The system cannot find the path specified
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogNotFoundException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogNotFoundException,Microsoft.PowerShell.Comman
    ds.GetWinEventCommand
    + PSComputerName : DC1-***-***.******.*****

    I can confirm that I am on version 3 and on 2008 R2.

    Any help on this would be awesome.

    Reply

    • I realise this is quite an old post, but I’m getting the same error message – PSv3 and 2008R2.

      Reply

Leave a Reply