Find AD User Account Lockout Events with PowerShell
A few weeks ago a user contacted me and stated they were constantly being locked out throughout the day. This could have been caused by a number of things, from someone else trying to log in as them, to being logged in somewhere else, changing their password and the session with the old password still being active. I ran a search of the security event log on the domain controllers and found the name of the machine that the user was being locked out from. The event ID for lockout events is 4740 on Vista / Server 2008 and later and 644 on 2000 / XP / Server 2003. Here's the PowerShell script I used to find the lockout events:
# Log to search, domain controllers to query, and the lockout event ID (4740 on Vista / 2008 and later).
$logName = 'security'
$pcName = 'dc01', 'dc02', 'dc03'
$eventID = 4740
# Pull the security log from each DC, keep only lockout events, and show when,
# the raw event fields (account name and caller computer) and the full message.
Get-EventLog -LogName $logName -ComputerName $pcName |
Where-Object {$_.EventID -eq $eventID} |
Format-List -Property TimeGenerated, ReplacementStrings, Message
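As an added example (not from the original post), here is a variant of the same search that narrows the results to one account and counts lockouts per source machine. It reads the 4740 events from the PDC emulator, where every lockout in the domain is recorded, and takes the locked-out account and "Caller Computer Name" out of the event XML by field name rather than by ReplacementStrings position; it assumes the RSAT ActiveDirectory module is installed and that you have rights to read the DC's Security log, and the user name is a placeholder.

```powershell
# Added example: which machine is locking out a given account?
# Assumes the ActiveDirectory module and read access to the PDC's Security log.
Import-Module ActiveDirectory

$userName = 'mike'                              # placeholder account to investigate
$pdc      = (Get-ADDomain).PDCEmulator          # all lockouts are recorded here
$since    = (Get-Date).AddDays(-1)              # look back one day

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event into XML and index its EventData fields by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In a 4740 event, TargetDomainName holds the "Caller Computer Name".
            CallerComputer = $data['TargetDomainName']
            DC             = $_.MachineName
        }
    } |
    Where-Object { $_.LockedAccount -eq $userName }

# Each lockout in order, then a count per source machine.
$lockouts | Sort-Object Time | Format-Table Time, LockedAccount, CallerComputer, DC -AutoSize
$lockouts | Group-Object CallerComputer | Select-Object Name, Count | Sort-Object Count -Descending
```

Widen the StartTime window if the lockouts are infrequent; a machine that keeps appearing in the per-computer count is the one whose saved credentials or stale sessions need attention.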
Based on these results, the user is being locked out from a machine named "PC01":
The problem was that the user recently changed their password and had some out of date credentials saved in the Windows 7 Credential Manager:
This cmdlet will search Active Directory and list all of the accounts that are locked out:
Search-ADAccount -LockedOut
Here are the results of that command:
You can use the following PowerShell command to unlock the Active Directory account:
$name = 'mike'
Unlock-ADAccount -Identity $name