How to find the location of a locked out user account in Active Directory (PowerShell)

Introduction

This PowerShell script shows how to find the location (the computer) from which a locked out user account in the domain is being locked out.

Scenarios

There are many reasons why an account gets locked out. A common one: the user has logged onto another machine and not logged off. If the user then changes their password while that other machine is still logged in, the stale session may keep requesting resources using the old (and now incorrect) password. Every time it tries to reach a network resource that requires authentication, it generates a bad password attempt, and enough of these lock the account. This script scans the domain to find the location from which a locked out user account is being locked out.

Script

Step 1: Start the Windows PowerShell console as administrator. To run the script, type the script path at the Windows PowerShell console.

For example, type C:\Script\GetLockoutLocation.ps1

It will list information of all locked out accounts.

If you only want to check specific user accounts, you can type C:\Script\GetLockoutLocation.ps1 -SamAccountName "katrina" (one or more account names).

You can also type Get-Help C:\Script\GetLockoutLocation.ps1 -Full to display the complete help for the script, including its syntax, parameters, and examples.


Here are some code snippets for your reference.

PowerShell
If($SamAccountName)
{
    Foreach($Account in $SamAccountName)
    {
        # $DC (the domain controller being queried) and $Objs (the collected logon-location
        # records, each with SamAccountName and Location properties) are built earlier in the
        # full script; only this excerpt is shown here.
        $LockedOutAccount = Get-ADUser -Filter {SamAccountName -eq $Account} -Server $DC.HostName `
            -Properties SamAccountName,AccountLockoutTime,LastBadPasswordAttempt,badPwdCount,LockedOut |
            Where{$_.LockedOut -eq $true} |
            Select-Object SamAccountName,AccountLockoutTime,LastBadPasswordAttempt,badPwdCount,LockedOut
        $LockedOutInfo = $LockedOutAccount | Foreach{New-Object -TypeName PSObject `
            -Property @{SamAccountName = $_.SamAccountName;
                        # every location where this account was seen, duplicates removed
                        LogonLocation = $($Name = $_.SamAccountName;
                            $Objs | Where{$_.SamAccountName -eq $Name} | Sort -Unique |
                            Select -ExpandProperty Location);
                        AccountLockoutTime = $_.AccountLockoutTime;
                        LastBadPasswordAttempt = $_.LastBadPasswordAttempt;
                        badPwdCount = $_.badPwdCount}}
        $LockedOutInfo | Select SamAccountName,LogonLocation,AccountLockoutTime,LastBadPasswordAttempt,badPwdCount
    }
}
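As an added example (not part of the original script), the function below locates the lockout source a complementary way: every account lockout in the domain is recorded as Security event ID 4740 on the PDC emulator, and that event's "Caller Computer Name" field names the machine that submitted the failing credentials. It assumes the ActiveDirectory module is available and that you have rights to read the PDC emulator's Security log; the function and parameter names are my own.

```powershell
# Added example, not the script's own code. Reads Security event 4740 from the
# PDC emulator and reports which computer caused each lockout.
function Get-LockoutEventSource {
    param(
        [string[]]$SamAccountName,   # optional: restrict output to these accounts
        [int]$Hours = 24             # look-back window (assumed default)
    )
    # The PDC emulator receives a copy of every lockout in the domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the event's named data fields instead of relying on property positions.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [PSCustomObject]@{
                SamAccountName   = $data['TargetUserName']
                # For event 4740 the TargetDomainName field carries the caller computer name.
                LockoutSource    = $data['TargetDomainName']
                LockoutTime      = $_.TimeCreated
                DomainController = $pdc
            }
        } |
        Where-Object { -not $SamAccountName -or $SamAccountName -contains $_.SamAccountName }
}

# Summarise which computers generate the most lockouts, so the stale session or
# misconfigured service can be found and fixed on that machine.
function Get-LockoutSourceSummary {
    param([int]$Hours = 24)
    Get-LockoutEventSource -Hours $Hours |
        Group-Object LockoutSource |
        Sort-Object Count -Descending |
        Select-Object @{n='LockoutSource';e={$_.Name}}, Count,
                      @{n='Accounts';e={($_.Group.SamAccountName | Sort-Object -Unique) -join ','}}
}

# Usage, matching the page's example account:
# Get-LockoutEventSource -SamAccountName 'katrina' | Format-Table -AutoSize
# Get-LockoutSourceSummary -Hours 48
```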


Prerequisite

Windows PowerShell 2.0
Windows Server 2008 R2 or higher version

Microsoft All-In-One Script Framework is an automation script sample library for IT professionals. The key value that All-In-One Script Framework aims to deliver is scenario-focused script samples driven by IT pros' real-world pains and needs. The team monitors all TechNet forums, IT pros' support calls to Microsoft, and script requests submitted to the TechNet Script Repository. We collect frequently asked IT scenarios and create script samples to automate the tasks and save time for IT pros. The All-In-One Script Framework team sincerely hopes that these customer-driven automation script samples can help our IT community in this script-centric move.