kras99 -


How to fix Active Directory account lockouts with PowerShell

With more apps and credentials to juggle, users can get blocked from their accounts after too many login attempts. Learn to use PowerShell to find and fix these issues.

Accidents can happen, but when it comes to failed login attempts, enough of them can freeze you out of your work laptop until someone from IT comes to the rescue.

Many organizations lock a user account after a set number of failed logon attempts. The goal is to prevent attacks from hackers who try brute force to find a user's password. However, not all lockouts are from malicious sources or even by users who forget their passwords.

Applications can sometimes lead to account lockouts. Applications often rely on a service account for the necessary permissions to function. However, if the service account's password changes and the application does not get the updated password, this can cause a lock on the service account.

Redundant logon information is also another common cause of account lockouts. An enterprise user might have a dozen or more sets of credentials tied to a common username. It takes some effort to keep track of all these accounts. It's not difficult to foresee someone accidentally using the wrong set of credentials multiple times and causing an account lockout.

How to proactively avoid lockout issues using automation

Account lockouts can also occur when users change work locations. A common scenario is when a user switches from working on a domain-joined Windows desktop in the office to a different Windows machine at home that is not currently connected to a network. Because the laptop is offline, it has not recorded the password change. The user must log in with the old password. If the user brings the laptop into the office and attempts to access the network, then the password mismatch, combined with end-user confusion, could lead to an account lockout.

Why are account lockouts a problem for IT?

One of the main reasons why account lockouts tend to be so problematic is that they tend to happen silently. As an administrator, you might never even know that an account lockout has occurred unless a user calls or you see an account lockout event listed in the Windows event logs. However, you can use PowerShell automation to gain a better handle on account lockout events.

Search the event logs

To stay ahead of these lockout situations, one option is to use PowerShell to check for lockouts in event logs with the following command:

Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740} | Select-Object TimeCreated, Message | Format-Table -Wrap

The Get-WinEvent cmdlet queries event logs. The FilterHashTable portion specifies the items to search for within the logs. In this case, the LogName parameter points the Get-WinEvent cmdlet to search the Windows Security log. Additionally, the ID parameter looks for instances of Event ID 4740, which refers to account lockout events.

The results are then piped into the Select-Object cmdlet, which displays the event created time and the event message. Normally, PowerShell truncates the account lockout message, but the Format-Table cmdlet, along with the Wrap parameter, forces PowerShell to display all the pertinent information.

PowerShell lockout query
Use PowerShell to query the event logs and display Active Directory account lockout events.

In a production environment, this Active Directory account lockout query could return an excessive number of results because it checks the Security event log for all instances of Event ID 4740, regardless of when the event occurred. The best way to address this problem is to use the StartTime filter. For example, the following command looks at events that have occurred in the last 24 hours:

Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740;StartTime=$Start}
| Select-Object TimeCreated, Message | Format-Table -Wrap

The first command creates a variable named $Start and sets it to the previous 24 hours via AddDays(-1). To check the previous weeks' worth of logs, use AddDays(-7).

The second command is identical to the earlier code except StartTime=$Start is added to the filter hash table. This instructs PowerShell to ignore results older than the date and timestamp in the $Start variable.

How to check an account's lockout status

Another way PowerShell assists with Active Directory account lockouts is using the Get-ADUser cmdlet to check the lockout status of the account. Use the following command to retrieve attributes related to Active Directory user accounts.

Get-ADUser -Identity <username> -Properties * | Select-Object LockedOut, AccountLockoutTime, BadLogonCount

The Identity parameter specifies the account name for the user to investigate. In this case, retrieve all the account's properties, and then use Select-Object cmdlet to display the lockout status, when the lockout occurred and the number of failed login attempts. Incidentally, the LockedOut property contains a value of true or false: A locked account shows true, while an unlocked one shows false.

To unlock an account, use the following PowerShell command, replacing <username> with the name of the user whose account you wish to unlock.

Unlock-ADAccount <username>
verify account status
Use PowerShell to check an account's status and, if necessary, to unlock an account.

PowerShell's Get-ADUser cmdlet retrieves a user's account lockout status. In this case, a value of true indicates that the user's account is locked. The Unlock-ADAccount cmdlet unlocks the account. You can use the Get-ADUser cmdlet to verify the unlock was successful.

PowerShell scripting can address wide-scale problems

PowerShell gives you the basic tools to detect and resolve account lockout events. You can use the commands and techniques in this article to build on and create automated scripts to help resolve account lockout events at scale.

Dig Deeper on IT operations and infrastructure management

Cloud Computing
Enterprise Desktop
Virtual Desktop