Troubleshoot locked out user in Active Directory

One common thing we experience every once in a while is that users are getting continually locked out of their Active Directory account.

This can happen if one of their devices is trying to authenticate with an old password they recently changed.

Troubleshoot locked out account with PowerShell

Let’s first see if the user is locked out:

Get-ADUser jsmith -Properties * | Select-Object LockedOut

So he is locked out, yes?

Now let’s see how many times the user tried to log on to the account using an incorrect password (A value of 0 indicates that the value is unknown):

Get-ADUser jsmith -Properties * | Select-Object badpwdcount

Note that when the user logs in successfully the counter is reset.

Let’s see if there are a lot of other users locked out:

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName

Let’s unlock user a user to see if that helps:

Unlock-ADAccount -Identity jsmith

List all users bad password count:

# Get all users in AD that has an employeeID attribute
$dcs = get-adcomputer -Filter 'employeeID -like "*"'

# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;

# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;

    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;

        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }

    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }

    write-host $outline;
}

Account continues to go in LockedOut

Most commonly this happens when the user recently has had an expired password.

If the user continues to go in lockedOut the user most probably has a device somewhere that is stuck trying to login with an old password. This will continue to block the account just seconds after you open it.

The easiest way to find out what is causing this is by process of elimination. Make sure the user completely shuts down all of his devices. Then turn on one by one.

As soon as the user turns on a device and the account starts going in locked out again, you know that this device is causing the problem.

If you need further tools to troubleshoot check out Account Lockout Tools by Microsoft.

Sources:

https://hkeylocalmachine.com/?p=107

Leave a Reply

Your email address will not be published. Required fields are marked *