PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

I recently received a request to determine why a specific user account kept being locked out after the user changed their Active Directory password. I've previously written scripts for this same task, but I decided to write an updated one.

Account lockouts are processed by the PDC emulator of the domain (bad-password attempts are forwarded to it, and the resulting lockout is urgently replicated from it), so its Security log holds the lockout event for every account in the domain. I could have used the Get-ADDomain cmdlet to easily determine the PDC emulator for the domain:

[Screenshot: pdc-emulator]

That would have added a dependency on the RSAT tools being installed on the workstation the script is run from, so I used the .NET Framework for that particular task instead, which eliminates the Active Directory module dependency:

[Screenshot: pdc-emulator-netframework]
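The two lookups described above side by side, as an added example that is not the post's own code: the Active Directory module form, the .NET form for the current user's domain, and the DirectoryContext form you need once the domain name comes in as a parameter. The function name Get-PdcEmulator and the module check are my additions.

```powershell
# Added example: locating the PDC emulator with and without the AD module.

# 1. Active Directory module (requires RSAT / the ActiveDirectory module).
#    Guarded so the snippet still runs on a workstation without RSAT.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    (Get-ADDomain).PDCEmulator
}

# 2. .NET Framework, current user's domain, no module dependency.
#    PdcRoleOwner is a DomainController object; .Name is its FQDN.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# 3. .NET Framework for an explicitly named domain (hypothetical helper).
function Get-PdcEmulator {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$DomainName
    )

    # DirectoryContext binds to a domain by name; the lookup fails with a
    # clear exception if the name cannot be resolved or contacted.
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context).PdcRoleOwner.Name
}

Get-PdcEmulator -DomainName $env:USERDNSDOMAIN
```

The third form is the one a script parameter should use: GetCurrentDomain() silently answers for whatever domain the running user belongs to, which is not necessarily the domain whose lockouts you are investigating.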

If you’re interested in using the .NET framework to determine the Active Directory FSMO role holders with PowerShell, I wrote a blog article titled “PowerShell Function to Determine the Active Directory FSMO Role Holders via the .NET Framework” that covers that subject in more detail.

This “Get-LockedOutUser.ps1” script allows you to specify the following via parameter input to narrow down the results:

  • A specific user ID, defaulting to all locked-out user IDs
  • A start time to begin searching records from, defaulting to the last three days
  • The domain name to search for lockouts in, defaulting to the domain of the user running the script

The script prompts for alternate credentials because, in my opinion, you shouldn't be running your day-to-day PowerShell session with elevated credentials.
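An added example, not the script from the post or the TechNet download, that reconstructs the behaviour described above: find the PDC emulator through .NET, query its Security log for event ID 4740 ("A user account was locked out") from the start time onward, filter on the user name, and report the caller computer name. The function name Get-LockedOutUser comes from the post; the parameter names DomainName, UserName, StartTime and Credential are my assumptions. Event 4740 stores the locked-out account in Properties[0] and the caller computer name in Properties[1].

```powershell
#Requires -Version 3.0
function Get-LockedOutUser {
    [CmdletBinding()]
    param (
        # Domain to search; defaults to the domain of the user running the script.
        [ValidateNotNullOrEmpty()]
        [string]$DomainName = $env:USERDOMAIN,

        # sAMAccountName to report on; the wildcard returns every locked-out account.
        [ValidateNotNullOrEmpty()]
        [string]$UserName = '*',

        # Earliest event to return; defaults to the last three days.
        [ValidateNotNullOrEmpty()]
        [datetime]$StartTime = (Get-Date).AddDays(-3),

        # Alternate credentials, prompted for when not supplied.
        [System.Management.Automation.PSCredential]
        $Credential = (Get-Credential)
    )

    # Lockouts are processed by the PDC emulator, so its Security log is the one
    # place guaranteed to hold a 4740 event for every lockout in the domain.
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context).PdcRoleOwner.Name

    Invoke-Command -ComputerName $pdc -Credential $Credential -ScriptBlock {
        # $Using: copies the caller's values into the remote session (PowerShell 3.0+).
        $start = $Using:StartTime
        $user  = $Using:UserName

        # Event ID 4740: Properties[0] = locked-out account, Properties[1] = caller computer.
        # -ErrorAction SilentlyContinue suppresses the "No events were found" error
        # Get-WinEvent raises when the filter matches nothing.
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $start } -ErrorAction SilentlyContinue |
            Where-Object { $_.Properties[0].Value -like $user } |
            Select-Object -Property TimeCreated,
                @{ Label = 'UserName';   Expression = { $_.Properties[0].Value } },
                @{ Label = 'ClientName'; Expression = { $_.Properties[1].Value } }
    } | Select-Object -Property TimeCreated, UserName, ClientName
}

# Every lockout in the last three days, prompting for credentials.
Get-LockedOutUser

# One account, last day only, the -StartTime form shown later in the post.
Get-LockedOutUser -UserName jimmy0 -StartTime (Get-Date).AddDays(-1)
```

Two practical checks before running it: the credential you supply must be allowed to read the Security log on the PDC emulator remotely (membership in Event Log Readers on the DC, or an administrative account) and PowerShell remoting must be enabled on that DC. Also note that `$Using:` only exists in Windows PowerShell 3.0 and later; on 2.0 the variable resolves to `$null`, and Get-WinEvent then rejects the FilterHashtable with a "null value was encountered in the StartTime hash table key" error, which is why the example carries a `#Requires -Version 3.0` line.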

[Screenshot: ad-lockout-device0]

As you can see, jimmy0 is being locked out by a device named PC01:

[Screenshot: ad-lockout-device1]

The StartTime parameter can be used to specify more or fewer days if the default of three days doesn’t meet your needs as shown in the following example where one day is used:

[Screenshot: ad-lockout-device2]

The script shown in this blog can also be downloaded from the TechNet script repository.


About Mike Robbins

PowerShell Enthusiast | IT Pro | Winner of the Advanced Category in the 2013 PowerShell Scripting Games | Author of Chapter 6 in the PowerShell Deep Dives Book.
This entry was posted in Active Directory, PowerShell.

4 Responses to PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

  1. Pingback: Episode 251 – PowerScripting Podcast – Josh Swenson talks about using PowerShell | PowerShell.org

  2. Really nice script and good description too. However, I’m getting an error when running it: “A null value was encountered in the StartTime hash table key. Null values are not permitted”.
    Do you know what might be wrong? Thanks

  3. Lyndon says:

    I have the same issue. Hope it's something simple, as this tool will be fantastic for me.

    • Lyndon says:

      This is the entire error I get.

      A null value was encountered in the StartTime hash table key. Null values are not permitted.
      + CategoryInfo : InvalidArgument: (StartTime:String) [Get-WinEvent], Exception
      + FullyQualifiedErrorId : NullNotAllowedInHashtable,Microsoft.PowerShell.Commands.GetWinEventCommand
