Find Locked-Out Active Directory Accounts with PowerShell

The everyday help-desk task. These use the ActiveDirectory module (part of RSAT — install it, or run from a DC / management box).

Install the module (once, admin)

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

List all locked-out accounts

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut, LastLogonDate

Locked-out, enabled accounts only

Search-ADAccount -LockedOut -UsersOnly | Where-Object Enabled -eq $true |
  Select-Object Name, SamAccountName

Check one user

Get-ADUser jdoe -Properties LockedOut, BadPwdCount | Select-Object Name, LockedOut, BadPwdCount

Unlock an account

Unlock-ADAccount -Identity jdoe

Unlock everyone who’s locked (use with care)

Search-ADAccount -LockedOut | Unlock-ADAccount

Notes: if Search-ADAccount/Get-ADUser aren’t recognized, the ActiveDirectory module isn’t installed (RSAT) — see the install line above, or Import-Module ActiveDirectory once it’s present. To find where the lockouts originate, query the DC’s Security log for event 4740 (the account-lockout event) with Get-WinEvent.