Being locked out of their accounts is another reason users call the help desk costing IT departments valuable time and money. For end users, being unable to login is a show-stopper for productivity.
The locked out condition is different than an expired or disabled account. Both of these states you have control over as an administrator. Locking out a user can’t be done directly and generally by administrators and generally happens as a result of password policies set to do so when a user has entered an incorrect password some number of times.
Find Locked Out Users in Active Directory Using PowerShell
When you run the following scripts on your server, they will fetch users who are locked out on a particular domain. With a little bit of effort, you could do this for multiple domains and/or export the results to a CSV, HTML file, or send them in an email.
Method #1
import-module activedirectory
Get-ADUser -LDAPFilter "(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))"
This first method uses an LDAP query on the “lockoutTime” attribute in Active Directory.
Method #2:
import-module activedirectory
search-adaccount -lockedout
You might also want to use a service account (“-Credentials” on your PowerShell commands) to keep things more secure. There are several other methods that don’t require RSAT (and the “activedirectory” module). These are the most convenient techniques to start.
Web Active Directory’s PeopleAudit
Web Active Directory’s PeopleAudit allows you to run a report like this on demand. Also, you can delegate it safely for others in your organization to run via their web browser. Users can filter and sort the results on the fly, and with a single button press print the results or export to your clipboard, PDF, Excel, or CSV.
Safely and securely specify the service account to use to perform the reporting tasks. Customize the report results and filters without scripting or coding.
Schedule these reports to be delivered to you or others in your organization via configurable emails.