Active Directory (AD) and Azure Active Directory (AAD) are critical components of IT infrastructure, responsible for almost everything that is account-based: employee onboarding and offboarding, access permissions, network resources, and devices. Because of AD’s central role, cyber attacks against it cause significant disruption, leading to operational and business outages and losses.
One of the most common challenges administrators face as a result is account lockouts. Account lockouts disrupt user productivity and generate support tickets. In this blog post, we’ll walk you through a step-by-step guide on how to use PowerShell to quickly check for Active Directory account lockouts and take appropriate action to resolve them.
Note: To run these PowerShell commands, you need to have the appropriate permissions in Active Directory. Make sure you have the necessary rights to search for and manage user accounts.
Remember to exercise caution when unlocking accounts, as it may have security implications. It’s important to verify the reason for the account lockout and ensure that unlocking the account is appropriate based on your organization’s security policies.
Prerequisites:
- A PowerShell session running with administrative privileges.
- Verify the date and time settings.
- Ensure audit policies are configured:
- “Computer Configuration” → “Windows Settings” → “Security Settings” → “Advanced Audit Policy Configuration”.
- Expand “Audit Policies”, then “Account Logon”.
- Enable “Audit Account Lockout” for both successes and failures.
Listing Locked Accounts Using PowerShell
Step 1: Open PowerShell
To get started:
Type powershell in the Start menu and select Run As Administrator
You can find this option by pressing the Windows key and typing “powershell” to bring up the launch options.
Step 2: Import the Active Directory Module
Before you can search for locked-out accounts, you need to import the Active Directory module into your PowerShell session. This module provides a set of cmdlets specifically designed for managing Active Directory. To import the module, type the following command and press Enter:
Import-Module ActiveDirectory
Step 3: List the Accounts with AD Lockouts
Now that you have the Active Directory module loaded, you can use the Search-ADAccount cmdlet to find locked-out accounts in your domain. To search for locked-out accounts across the entire domain, use the following command:
Search-ADAccount -LockedOut
This command provides a quick real-time snapshot of locked accounts in your AD environment.
Finding Account Lockout Events (Event Viewer ID 4740)
Retrieving Locked Accounts by EventID 4740
If you’re looking for more detailed information including historical events, searching the security event log is the best option. Event ID 4740 specifically corresponds to account lockout events in Active Directory, providing crucial information such as the locked account name, time of the event, and the source computer that triggered the lockout.
The PowerShell command that filters the Security log for Event ID 4740 is as follows:
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4740} | Format-List
Here’s a breakdown:
Get-EventLog -LogName Security: This part of the command retrieves events from the Security event log.
Where-Object {$_.EventID -eq 4740}: This filters the events to only include those with Event ID 4740, which specifically corresponds to account lockout events.
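The one-liner above is fine for a quick look, but when you are chasing a repeat lockout you usually want the two fields that matter most, the locked account and the computer the bad attempts came from, side by side and counted. The script below is an added example, not code from the original post. It assumes the ActiveDirectory module is installed and that you can read the Security log on the domain controller; it queries the PDC emulator because that is the DC on which 4740 is always written. Note that event 4740 is produced by the Account Management / User Account Management audit subcategory, so confirm that one is enabled if the query returns nothing. It uses Get-WinEvent, which works in both Windows PowerShell 5.1 and PowerShell 7 (Get-EventLog exists only in 5.1).

```powershell
# Added example (not from the original post): pull Event ID 4740 lockout events from the
# Security log on the PDC emulator and summarise which account was locked and from where.
# Assumptions: ActiveDirectory module installed; caller can read the DC's Security log.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator   # 4740 is logged here for every lockout in the domain
$since = (Get-Date).AddDays(-1)       # look back 24 hours; adjust to your ticket window

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4740 events on $pdc since $since"
    return
}

# Read the EventData fields by name rather than by position so the script does not
# depend on the property order of a particular Windows version.
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time             = $e.TimeCreated
        Account          = $data['TargetUserName']
        CallerComputer   = $data['TargetDomainName']   # for 4740 this field is "Caller Computer Name"
        DomainController = $e.MachineName
    }
}

# Newest first for the helpdesk view.
$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# Then a count per (account, source) pair. One account locked repeatedly from one
# workstation usually points to a stale cached credential, mapped drive or scheduled
# task on that machine; many different accounts from a single source is the pattern
# to escalate to the security team rather than simply unlock.
$lockouts | Group-Object Account, CallerComputer |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it from an elevated session on a machine with the RSAT AD tools; if you are already on the PDC emulator you can drop the -ComputerName argument.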
Step 4: Filtering the Search by Organizational Unit
If you want to narrow down your search to a specific organizational unit (OU) or apply other filtering criteria, you can use additional parameters with the Search-ADAccount cmdlet. For example, to search for locked-out accounts within a specific OU, use the following command:
Search-ADAccount -LockedOut -SearchBase "OU=<YourOU>,DC=<YourDomain>,DC=<com>"
Make sure to replace “<YourOU>”, “<YourDomain>”, and “<com>” with your OU name and the components of your fully qualified domain name.
Step 5: Review the Results
After running the Search-ADAccount cmdlet, PowerShell will display a list of locked-out accounts based on your search criteria. Take a moment to review the list and identify the accounts that require attention. You can then decide whether to unlock the accounts or take other appropriate actions based on your organization’s security policies.
Unlock a Locked-out Account with PowerShell
Step 6: Unlock a Locked-Out Account
If you identify a locked-out account that needs to be unlocked, PowerShell provides a convenient way to do so using the Unlock-ADAccount cmdlet. To unlock a specific user account, use the following command:
Unlock-ADAccount -Identity "<UserName>"
Replace “<UserName>” with the actual username of the account you want to unlock.
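Steps 2 through 6 above are one workflow: load the module, find the locked accounts (optionally within an OU), review them, and unlock the ones that are safe to unlock. The script below is an added example that strings those steps together; it is not code from the original post. It assumes the ActiveDirectory module is installed, that the caller has unlock rights, and that the OU distinguished name is a placeholder you replace (leave it empty to search the whole domain). It queries the PDC emulator because lockout state is authoritative there, and it unlocks only accounts you name explicitly, with -Confirm so each action is acknowledged, which is the safeguard the note at the top of this post asks for.

```powershell
# Added example (not from the original post): Steps 2-6 as one script.
# Assumptions: ActiveDirectory module installed; caller holds unlock rights;
# $SearchBase is a placeholder in the same "OU=...,DC=...,DC=..." form used in Step 4.
Import-Module ActiveDirectory

$SearchBase = ''   # e.g. 'OU=<YourOU>,DC=<YourDomain>,DC=<com>'; empty = whole domain
$pdc = (Get-ADDomain).PDCEmulator   # lockout state is authoritative on the PDC emulator

# Steps 3 and 4: list locked user accounts, scoped to an OU when one is given.
$params = @{ LockedOut = $true; Server = $pdc; UsersOnly = $true }
if ($SearchBase) { $params['SearchBase'] = $SearchBase }
$locked = Search-ADAccount @params

# Step 5: review. Pull the attributes that show *why* the account is locked
# (when, how many bad logons, and when the last bad password was tried).
$report = foreach ($acct in $locked) {
    Get-ADUser -Identity $acct.SamAccountName -Server $pdc `
        -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
        Select-Object SamAccountName, Enabled, AccountLockoutTime,
                      BadLogonCount, LastBadPasswordAttempt
}
$report | Sort-Object AccountLockoutTime -Descending | Format-Table -AutoSize

# Step 6: unlock only accounts you have reviewed and named. -Confirm prompts per
# account; add -WhatIf to the Unlock-ADAccount call to rehearse without changing anything.
function Unlock-ReviewedAccount {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [string] $Reason = 'helpdesk verified with user'
    )
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -Server $pdc -Properties LockedOut
        if (-not $u.LockedOut) { Write-Host "$name is not locked, skipping"; continue }
        Unlock-ADAccount -Identity $u -Server $pdc -Confirm
        # Keep a local audit trail of who unlocked what, and why (path is an assumption).
        "$(Get-Date -Format s) $env:USERNAME unlocked $name : $Reason" |
            Add-Content -Path "$env:TEMP\ad-unlock-log.txt"
    }
}

# Usage, after looking at $report (the account name and ticket are constructed samples):
# Unlock-ReviewedAccount -SamAccountName 'jdoe' -Reason 'ticket 1234, stale credential on laptop'
```

Scoping the unlock to a named list rather than piping $locked straight into Unlock-ADAccount is deliberate: a bulk unlock hides the account that keeps locking because of a wrong saved password, and it also hides the one that is locking because someone is guessing against it.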
Step 7: Close PowerShell
Once you have completed checking for account lockouts and performing any necessary actions, you can close the PowerShell window with the exit command or simply by closing the window.
Conclusion
Using PowerShell to check for Active Directory account lockouts is a quick and efficient way to identify and resolve issues that may impact user productivity. By following the steps outlined in this guide, you can easily search for locked-out accounts, filter your search results, and unlock accounts if needed.
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable: be proactive and stay ahead of evolving threats.