
How to Get Locked-out Users in Active Directory

Account lockout in Active Directory is a vital defense against brute force attacks, password spraying, and other malicious activities. However, frequent lockouts can disrupt user access, flood your help desk with tickets, and impact productivity across your organization. This guide shows how to quickly find locked-out users in Active Directory and balance robust security with seamless usability.

Find Locked-out Users Using Active Directory PowerShell

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • Ensure the Active Directory PowerShell module (part of RSAT) is installed on the machine you run the commands from.
  • Run the cmdlet below to list all locked-out user accounts in Active Directory.
    Search-ADAccount -LockedOut -UsersOnly | Select-Object Name, DistinguishedName, Enabled, PasswordExpired, LockedOut | Format-Table -AutoSize
  • To check the lockout status of a specific user, run the following cmdlet. LockedOut is not returned by default, so it has to be requested explicitly; asking for just that property is far cheaper than -Properties *.
    Get-ADUser <UserName> -Properties LockedOut | Select-Object Name, LockedOut

Check Locked-out Users Using Active Directory Users and Computers

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • Open Active Directory Users and Computers (ADUC) from Server Manager»Tools.
  • Locate and right-click the user account you want to inspect.
  • Select Properties and go to the Account tab.
  • If the account is locked, a message will be displayed near the Unlock account checkbox stating: This account is currently locked out on this Active Directory Domain Controller.

This method requires manually checking each account, which can be time-consuming.

View Locked-out Users Using Saved Queries in ADUC

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • Open the Active Directory Users and Computers console on a domain controller.
  • In the left-hand pane, right-click on Saved Queries, select New, and then choose Query.
  • Provide a suitable Name and Description for the query.
  • By default, the query is performed across the entire Active Directory domain. To narrow the search, specify a container in the Query root field. To include subcontainers, select the Include subcontainers checkbox.
  • Click on Define Query, and from the Find drop-down box, select Custom Search.
  • Navigate to the Advanced tab and enter the following LDAP filter in the query box:
     (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
  • Click OK twice to save the query. The new query appears under Saved Queries and lists the user accounts whose lockoutTime attribute is set.
  • Note: Microsoft cautions that this method may not always deliver accurate results. The filter matches on lockoutTime, which is a timestamp, not a live state: when the lockout duration has elapsed the domain controller treats the account as unlocked, but the attribute is only reset to 0 at the next successful logon. Accounts in that window still show up in the saved query even though they are no longer locked.
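The following PowerShell script is an added example, not code from the original article. It runs the same LDAP filter the saved query uses and then decides for each hit whether the lockout is still in force, using the domain's lockout duration; the entries it marks as no longer locked are exactly the "inaccurate results" the note above refers to. It assumes the ActiveDirectory module is available and that the caller can read user attributes in the domain; it goes beyond the saved query by also reporting when each lockout expires.

```powershell
# Added example: list accounts with lockoutTime set and work out whether each
# lockout is still effective instead of trusting the raw LDAP filter.
Import-Module ActiveDirectory

# Same filter as the ADUC saved query. lockoutTime is a FILETIME (100 ns ticks
# since 1601-01-01 UTC); 0 or absent means the account was never locked.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'

# Domain-wide lockout duration. A zero TimeSpan means "locked until an
# administrator unlocks", the only case where lockoutTime alone is conclusive.
$policy          = Get-ADDefaultDomainPasswordPolicy
$lockoutDuration = $policy.LockoutDuration
$now             = (Get-Date).ToUniversalTime()

Get-ADUser -LDAPFilter $ldapFilter `
           -Properties lockoutTime, badPwdCount, LastBadPasswordAttempt |
    ForEach-Object {
        $lockedAt = [DateTime]::FromFileTimeUtc($_.lockoutTime)

        if ($lockoutDuration -eq [TimeSpan]::Zero) {
            $expires     = $null          # manual unlock required
            $stillLocked = $true
        } else {
            $expires     = $lockedAt.Add($lockoutDuration)
            $stillLocked = $expires -gt $now
        }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            LockedAtUtc    = $lockedAt
            ExpiresUtc     = $expires
            StillLocked    = $stillLocked  # $false = stale lockoutTime, not locked
            BadPwdCount    = $_.badPwdCount  # not replicated; value from the DC queried
            LastBadPwdAt   = $_.LastBadPasswordAttempt
        }
    } |
    Sort-Object StillLocked -Descending |
    Format-Table -AutoSize
```

Add -SearchBase "<OUdistinguishedName>" to the Get-ADUser call to scope the report the same way the saved query's Query root field does. BadPwdCount is shown for context only: badPwdCount and badPasswordTime are not replicated between domain controllers, so the value reflects whichever DC answered the query.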

Audit Account Lockout Events in Active Directory with AdminDroid

AdminDroid’s Active Directory auditing tool provides detailed insights into account lockout events. It offers comprehensive reports on lockout frequency, affected users, specific causes, etc. Let’s explore how AdminDroid’s features help you efficiently trace, diagnose, and resolve lockouts.

Track Logon Failures After Account Lockouts in Active Directory

Auditing failed logons that occur after an account lockout helps resolve recurring lockout issues, uncover misconfigurations, and maintain uninterrupted user access.

Get Real-Time Alerts for Locked-out Accounts in AD

Receive immediate notifications for locked-out user accounts in AD with AdminDroid alerts to minimize downtime, respond swiftly, and maintain seamless operations.

Find Users with Account Lockout History in Active Directory

Easily pinpoint all users with lockout history in Active Directory to identify trends & patterns, troubleshoot system issues, or optimize lockout policies.

Spot Users with Soon-to-expire Passwords to Prevent Lockouts

Identify users with soon-to-expire passwords to ensure they update them regularly and avoid getting locked out due to expired credentials in Active Directory.

Monitor Admin Accounts with Old Passwords to Avoid Lockouts & Disruptions

Regularly check admin accounts with old passwords in Active Directory to prevent lockouts and disruptions to admin operations, as these accounts are prime targets for brute-force attacks.

Regularly Schedule Lockout Reports to Catch Threats Early

Schedule reports on lockout history to identify frequently locked-out users and detect potential threats like password spray attacks or denial-of-service attacks.

In conclusion, AdminDroid’s Active Directory management tool simplifies identifying lockout sources, analyzing failed logon attempts, and preventing repeated account lockouts. AdminDroid empowers you to strike the perfect balance between robust security and seamless user access!


Important Tips

Use the Account Lockout Status diagnostic tool (LockoutStatus.exe) to retrieve and display lockout-related information for a user account from every domain controller in the forest. It reads the non-replicated badPwdCount and badPasswordTime values on each DC, which shows which DC actually saw the bad password attempts.

Identify recent password changers in AD to prevent account lockouts caused by missed password updates in scheduled tasks, apps, or services.

Verify Active Directory replication health to ensure lockout status is synchronized across domain controllers and prevent inconsistent responses.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while finding AD user account lockouts.

Error As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support.

This error occurs when the user's account is locked out in Active Directory due to repeated invalid logon or password change attempts.

Fix To resolve this, unlock the user account in Active Directory Users and Computers (ADUC): open the user's properties, go to the Account tab, select the Unlock account checkbox, and click OK. Before unlocking, check the source of the bad password attempts; if the cause is still active (a stale saved credential or an attacker), the account will simply lock again.

Error Get-ADUser : Cannot find an object with identity: 'liya' under: 'DC=domain,DC=onmicrosoft,DC=com'.

This issue occurs when you attempt to retrieve the locked-out property for a specific user in Active Directory using PowerShell.

Fix Verify that you have entered the correct sAMAccountName of the user in Active Directory.

If the error persists, list all users with their sAMAccountName to confirm the user exists in Active Directory by running the following cmdlets:
# Look up the user by the sAMAccountName you believe is correct
Get-ADUser -Identity <sAMAccountName>
# List every user's sAMAccountName and display name to find the right one
Get-ADUser -Filter * -Properties DisplayName | Select-Object sAMAccountName, DisplayName | Format-Table

Error Search-ADAccount : Parameter set cannot be resolved using the specified named parameters.

This error occurs when conflicting or missing parameters are used with the Search-ADAccount cmdlet in Active Directory PowerShell.

Fix Ensure that you are providing valid search parameters. For example, to search for locked-out objects, use the -LockedOut parameter as shown below:
Search-ADAccount -LockedOut

Error The query filter is not a valid query string.

This issue occurs when an invalid LDAP query filter is entered while searching for locked-out users using Saved Queries in Active Directory.

Fix Make sure the query filter is formatted correctly: every clause is wrapped in parentheses, the operator (&) precedes the clauses it joins, and the parentheses are balanced, as in the filter shown above.

1. How to identify the source of an Active Directory account lockout?

The source of an account lockout in Active Directory refers to the specific computer or device accessed by the user, which triggered the lockout due to repeated invalid login attempts. Identifying the source helps admins pinpoint the cause, whether it’s a misconfigured device, forgotten credentials, or a malicious attack.

Here’s how to identify the source of account lockouts in Active Directory.

  • In each domain, the domain controller holding the PDC Emulator role captures all account lockout events, regardless of the system where they occurred. Identify that DC using the PowerShell cmdlet below in Active Directory.

    Get-ADDomain | Select-Object PDCEmulator 

    If your organization has only one domain controller, you can skip this step.

  • Open the Event Viewer from Server Manager»Tools. Then, navigate to Windows Logs»Security.

  • Then, select Filter Current Log and specify Event ID 4740, which corresponds to account lockout events and click OK.

  • Locate the log entry for the affected account and check the Caller Computer Name field to identify the system where the lockout occurred.

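The following PowerShell script is an added example, not part of the original article. It automates the procedure above (locate the PDC emulator, pull its 4740 events, read the Caller Computer Name) and then does what the Account Lockout Status tool mentioned under Important Tips does: it asks every domain controller for the non-replicated bad-password counters, so you can see which DC processed the failed attempts. It assumes the ActiveDirectory module, permission to read the Security log on the DCs remotely, and a placeholder account name jdoe. One detail it relies on: in event 4740 the value shown as "Caller Computer Name" in the message is carried in the TargetDomainName field of the event data.

```powershell
# Added example: source computer of a lockout (4740 on the PDC emulator)
# followed by a per-DC view of badPwdCount / badPasswordTime / lockoutTime.
Import-Module ActiveDirectory

$user  = 'jdoe'                      # assumed sAMAccountName
$since = (Get-Date).AddDays(-1)

# 1. Bad-password attempts are chained to the PDC emulator, so it logs
#    every 4740 in the domain.
$pdc = (Get-ADDomain).PDCEmulator

# 2. Pull 4740 events for this account from the PDC.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $user) { continue }
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # "Caller Computer Name" in the message
        LockedByDC     = $data['SubjectUserName']    # DC computer account, ends in $
    }
}
$lockouts | Format-Table -AutoSize

# 3. Per-DC counters. badPwdCount and badPasswordTime are not replicated, so
#    each DC has to be asked directly (-Server); the DC with the highest count
#    is the one that authenticated the failing attempts.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $user -Server $dc `
                -Properties badPwdCount, badPasswordTime, lockoutTime
        [pscustomobject]@{
            DC              = $dc
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $(if ($u.badPasswordTime) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) })
            LockoutTimeUtc  = $(if ($u.lockoutTime)     { [DateTime]::FromFileTimeUtc($u.lockoutTime) })
        }
    } catch {
        Write-Warning "Could not query ${dc}: $_"
    }
} | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Run it from a host that can reach every DC over RPC for the event log query; if a DC is unreachable the warning names it and the rest of the report still completes. With a single domain controller the per-DC step still works and simply returns one row.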

Admins often face the challenge of manually filtering and verifying events to identify the source computer behind account lockouts in Active Directory. This tedious process can be time-consuming and prone to error.

Effortlessly track source computers of account lockouts with AdminDroid!

  • This report offers a detailed view of key information, such as the locked account, associated source computer, lockout time, and more—all in one place.
  • With AdminDroid, you can filter lockouts by each source computer and quickly identify the root cause, such as a misconfigured service or incorrect password attempts.

2. How to find the cause of an AD account lockout?

Account lockouts in Active Directory aren’t always caused by a person typing the wrong password. They can also result from programs replaying cached credentials, Windows services configured with a password that has since been changed, or outdated credentials stored in scheduled tasks and mapped drives.

These hidden causes can disrupt workflows and expose the system to security risks. Identifying the cause of an account lockout is crucial for resolving the issue quickly and ensuring system security.

Identify why a user account is locked-out in Active Directory

  • Open Event Viewer and navigate to Windows Logs»Security, then choose Filter Current Log from the Actions pane.
  • Enter 4625 as the Event ID to filter for failed logon attempts and click OK to apply the filter.
  • Use the Find feature in the Actions pane to search for the username associated with the account lockout.
  • Look for an event logged shortly before the account lockout time and double-click the entry to view its properties.
  • Examine the details: the Failure Reason and Sub Status code, the Caller Process Name, the Source Network Address, and the Logon Type, which together identify the process and host that supplied the bad credentials.
  • Note: 4625 is written by the computer that processed the failed logon, so check the Security log of the machine named as Caller Computer Name in the 4740 event. On domain controllers, failed domain logons appear instead as event 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation failed).
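The following PowerShell script is an added example, not code from the original article. It performs the event-viewer walk-through above programmatically: it collects 4625 events for one account from the computer that logged them, translates the NTSTATUS Status/Sub Status codes into the failure reason, and groups the failures by source address and caller process, which usually points straight at the scheduled task or service holding an old password. The account name jdoe and the host FS01 are placeholders; it assumes remote read access to that host's Security log.

```powershell
# Added example: decode 4625 failed-logon events for one account into
# reason, logon type, source address and caller process.
$user     = 'jdoe'      # assumed sAMAccountName
$computer = 'FS01'      # assumed host that logged the 4625 events
$since    = (Get-Date).AddHours(-2)

# NTSTATUS codes that appear in the Status / SubStatus fields of 4625.
$reasons = @{
    '0xc000006a' = 'Wrong password'
    '0xc000006d' = 'Bad user name or password'
    '0xc000006e' = 'Account restriction'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000064' = 'User name does not exist'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'Password must change at next logon'
    '0xc0000234' = 'Account locked out'
}

$events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $user) { continue }

    # Status is usually the generic 0xC000006D; SubStatus carries the real cause.
    $code = $(if ($data['SubStatus'] -ne '0x0') { $data['SubStatus'] } else { $data['Status'] }).ToLower()

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Reason      = $(if ($reasons.ContainsKey($code)) { $reasons[$code] } else { $code })
        LogonType   = $data['LogonType']        # 2 interactive, 3 network, 4 batch/task, 5 service, 10 RDP
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        Process     = $data['ProcessName']      # caller process, e.g. a service host or the task scheduler
    }
}

$failures | Format-Table -AutoSize

# Aggregate: the (source, process) pair with the most failures is the culprit.
$failures | Group-Object SourceIP, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A logon type of 4 or 5 with a repeating Reason of "Wrong password" is the classic signature of a scheduled task or service whose stored password was not updated after a password change.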

By tracing the cause of a user account lockout, admins can make informed decisions to prevent future incidents and ensure smooth access.

3. How to unlock user accounts in Active Directory?

User accounts in Active Directory can become locked when incorrect login attempts exceed the set threshold. This security feature helps prevent unauthorized access by temporarily locking out the account.

However, legitimate users may occasionally get locked out, for example, if they forget their password or mistakenly enter incorrect credentials too many times. As an administrator, unlocking these accounts promptly ensures users can regain access to their resources without compromising security.

Unlock Active Directory Users in ADUC

  • Open Active Directory Users and Computers and navigate to the respective OU.
  • Right-click the user account you want to unlock.
  • Select Properties and go to the Account tab in the user's properties window.
  • Select the Unlock account checkbox and click Apply.
  • Click OK to close the window.

Unlock locked-out accounts using PowerShell

You can efficiently unlock multiple locked accounts simultaneously using PowerShell and streamline bulk operations for administrators.

  • Run the following PowerShell cmdlet to unlock a specific user in Active Directory. Replace <UserName> with the user's sAMAccountName.
    Unlock-ADAccount <UserName>
  • You can unlock all locked-out users within an Organizational Unit with the cmdlet below. Replace the distinguished name of the OU in the -SearchBase parameter before executing it.
    Search-ADAccount -LockedOut -UsersOnly -SearchBase "<OUdistinguishedName>" | Unlock-ADAccount
  • If you need to unlock every locked-out user in Active Directory, execute the cmdlet below. Treat this as a last resort: if the lockouts were caused by an ongoing password spray, a blanket unlock hands the attacker a fresh set of attempts, so confirm the cause first.
    Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount

While unlocking accounts is an essential administrative task, it’s important to stay vigilant. What if an unlock action is performed by a compromised account? It could lead to serious security risks. To mitigate these risks, closely monitor unlocked accounts for any signs of unauthorized access or suspicious activity.

When native methods fall short, AdminDroid makes auditing unlocked users effortless!

  • The unlocked users report provides detailed information on each unlock event in Active Directory, such as unlocked time, unlocked user, who unlocked the account, and more.
  • This helps admins track unapproved unlock activities and quickly identify potential security threats.
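The following PowerShell script is an added example, not code from the original article or the AdminDroid product. It shows the native way to audit unlock activity: event 4767 ("A user account was unlocked") is written on whichever domain controller processed the unlock, so every DC's Security log is queried and the results are merged, then any unlock performed by an account outside an allow-list is flagged. It assumes the ActiveDirectory module, remote read access to the DCs' Security logs, and that success auditing for User Account Management is enabled on the DCs (the default); the approved account names are placeholders.

```powershell
# Added example: who unlocked which account, collected from all DCs (4767).
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-7)

$unlocks = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4767; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            DC         = $dc
            Unlocked   = $data['TargetUserName']
            UnlockedBy = $data['SubjectUserName']   # account that performed the unlock
            ByDomain   = $data['SubjectDomainName']
        }
    }
}

$unlocks | Sort-Object Time | Format-Table -AutoSize

# Flag unlocks by anyone other than the accounts expected to do this job
# (placeholder names). An unlock from an unexpected account, or a burst of
# unlocks at an odd hour, is worth investigating.
$approved = @('helpdesk-svc', 'adm.alice')
$unlocks | Where-Object { $_.UnlockedBy -notin $approved } |
    Sort-Object Time | Format-Table -AutoSize
```

Because the query goes to each DC individually, a DC that is offline silently contributes nothing; add -ErrorAction Stop inside a try/catch if you need unreachable DCs reported rather than skipped.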

4. How to configure the AD account lockout policies?

Account lockout policies are a built-in security feature in Active Directory that lets administrators define when a user account should be locked and for how long. These policies are highly effective in mitigating password-guessing attacks. By configuring these account lockout policies, you can:

  • Prevent unauthorized access by mitigating brute force and password spraying attacks.
  • Balance security and usability effectively by configuring policies to minimize disruptions.

Set up account lockout policies in Active Directory

  • Open Group Policy Management Console (GPMC) via Server Manager»Tools.
  • Select your domain, right-click the Default Domain Policy, and choose Edit.
  • Navigate to Computer Configuration »Policies»Windows Settings»Security Settings »Account Policies »Account Lockout Policy.
  • Adjust the following settings:
    • Account Lockout Duration: Set how long a locked account remains inaccessible after failed login attempts.
    • Account Lockout Threshold: Define the number of failed login attempts that trigger account lockout.
    • Reset Account Lockout Counter After: Specify the number of minutes that must pass after a failed login attempt before the counter for failed attempts is reset to zero. If an account lockout threshold is set, this reset time must be less than or equal to the account lockout duration.
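The following PowerShell script is an added example, not code from the original article. It reads the domain's effective lockout settings, checks the two conditions that matter in practice (a threshold of 0 disables lockout entirely, and the reset window must not exceed the lockout duration unless the duration is "until unlocked"), and shows the Set-ADDefaultDomainPasswordPolicy call that corresponds to the three GPMC settings above. The numeric values are placeholders. It assumes the ActiveDirectory module and Domain Admins rights for the Set- call.

```powershell
# Added example: inspect, validate and (with -WhatIf) set the domain lockout policy.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy

[pscustomobject]@{
    LockoutThreshold         = $p.LockoutThreshold          # 0 = accounts never lock
    LockoutDuration          = $p.LockoutDuration           # 00:00:00 = locked until an admin unlocks
    LockoutObservationWindow = $p.LockoutObservationWindow  # "Reset account lockout counter after"
} | Format-List

if ($p.LockoutThreshold -eq 0) {
    Write-Warning 'Lockout threshold is 0: password spraying is not throttled at all.'
} elseif ($p.LockoutDuration -ne [TimeSpan]::Zero -and
          $p.LockoutObservationWindow -gt $p.LockoutDuration) {
    Write-Warning 'Reset window is longer than the lockout duration; GPMC would not accept this combination.'
}

# Equivalent of the three GPMC settings: lock after 10 bad passwords within
# 15 minutes, and keep the account locked for 15 minutes.
# Set-ADDefaultDomainPasswordPolicy writes the domain object's attributes
# directly; if the Default Domain Policy GPO defines these settings, the GPO
# reapplies its own values at the next refresh, so edit the GPO for a
# change that lasts and use this cmdlet to verify or for lab testing.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -WhatIf   # remove -WhatIf to apply
```

Fine-grained password policies (PSOs) can override these values for specific users or groups; Get-ADUserResultantPasswordPolicy -Identity <UserName> shows which settings actually apply to a given account.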

By following these steps, you can set up a domain-wide account lockout policy that protects against unauthorized access while ensuring usability. You can also create custom policies to align with your organization's needs. However, monitoring these policy changes is equally crucial to detect unauthorized modifications and maintain a secure environment!

Struggling with native methods to monitor these policies? AdminDroid simplifies domain lockout policy tracking and makes audits easier!

  • The domain lockout policy changes report highlights key details like modification date, time, responsible account, updated configuration, and more.
  • With these insights, admins can quickly spot unauthorized changes, investigate their source, and take corrective actions to restore the intended security settings.
