Find Location of Locked Out Accounts

I’m locked out, help!

If you’ve been a sysadmin for more than a week you’ve probably heard this: “I’m locked out, help!”  Normally the user has made their way to your cube and is impatiently tapping their foot, waiting for you to magically solve their problem.  So you find their account, unlock it, reset their password, and everything is right with the world…or is it?  Two minutes later they show up again because their account was locked out again before they even got back to their desk.  Now what do you do?  They tell you that they changed their password before leaving work the day before and everything was fine, but now they keep getting locked out.

I realize there are many ways that a user’s account can become locked-out.  OK, well, not really.  There is only one.  Somewhere, somehow their passwords are being entered incorrectly.  HOW that bad password is getting entered can vary, but they typically fall somewhere between forgetting a password and an apocalyptic virus.  For our discussion we will assume the world has not ended.  Although, once you see the solution (and make sure the bug is squished) you may have a better understanding of how PowerShell can SAVE you in those kinds of situations.

Back to helping our user…

After some more conversation with the user we determine that they must have left a session open to another computer or server, but which one and how do we find it?

In the GUI world you’d first have to determine which domain controller holds the PDC Emulator role by right-clicking the domain name in ADUC and opening Operations Masters.  The PDC Emulator matters because every domain controller forwards bad-password attempts and lockouts to it, so it is the one DC guaranteed to log the lockout event.  Once you have this info you would need to remote into that domain controller and open the Security event log.  Then you need to filter on event ID 4740 and manually read through each entry to find the “Caller Computer Name”, the server or workstation that sent the bad password.  Then you can FINALLY remote into that machine to kill their stale session.  There is a better way.  Enter Get-AccountLockoutLocation.

Get-AccountLockoutLocation

To put it simply this script does exactly what I just described above…

  • Get all the user accounts that are currently locked out
  • For each of those accounts, find out which domain controllers have a record of the lockout
  • Figure out which domain controller is the PDC Emulator (this is the one that has the event logs we need)
  • Go through the Security event log looking for Event ID 4740 and the user’s name (this tells us where the lockout happened)
  • Return a list of that information.
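The steps above, written out as one runnable function.  This is an added example for this page, not the author’s Get-AccountLockoutLocation script from the Script Repository; the function name Get-LockoutSource, its parameters, and the 24-hour default window are my own choices.  It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the Security log on the PDC Emulator:

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# and rights to read the Security event log on the PDC Emulator.
Import-Module ActiveDirectory

function Get-LockoutSource {
    [CmdletBinding()]
    param(
        # Limit the search to one account; default is every currently locked-out account.
        [string]$SamAccountName,
        # How far back to read the PDC Emulator's Security log (assumed default: 24 hours).
        [int]$Hours = 24
    )

    # 1. Which accounts are locked out right now?
    $locked = Search-ADAccount -LockedOut -UsersOnly
    if ($SamAccountName) {
        $locked = $locked | Where-Object SamAccountName -eq $SamAccountName
    }
    if (-not $locked) {
        Write-Verbose 'No locked-out accounts found.'
        return
    }

    # 2. The PDC Emulator receives every bad-password attempt and lockout from the
    #    other DCs, so its Security log is the one place a 4740 is guaranteed to land.
    $pdc = (Get-ADDomain).PDCEmulator
    Write-Verbose "Reading 4740 events from PDC Emulator $pdc"

    # 3. Ask the event log service to filter server-side: Security log, ID 4740,
    #    within the time window. This is far cheaper than pulling the whole log.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    # 4. Parse each event's XML. In a 4740, the Data element named TargetUserName is the
    #    locked account and TargetDomainName carries the "Caller Computer Name", i.e. the
    #    machine that submitted the bad passwords. Matching on the parsed fields is more
    #    reliable than string-searching the rendered message.
    foreach ($user in $locked) {
        $hits = foreach ($e in $events) {
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data.TargetUserName -eq $user.SamAccountName) {
                [pscustomobject]@{
                    User           = $user.SamAccountName
                    LockoutTime    = $e.TimeCreated
                    CallerComputer = $data.TargetDomainName
                    ReportingDC    = $pdc
                }
            }
        }

        if ($hits) {
            $hits | Sort-Object LockoutTime -Descending
        } else {
            # Locked out, but no 4740 in the window: auditing may be off or the window too short.
            [pscustomobject]@{
                User           = $user.SamAccountName
                LockoutTime    = $null
                CallerComputer = '(no 4740 event in window)'
                ReportingDC    = $pdc
            }
        }
    }
}

# Usage: every locked-out account and the machine that locked it
Get-LockoutSource -Verbose | Format-Table -AutoSize

# Usage: one account, looking back three days
Get-LockoutSource -SamAccountName 'jdoe' -Hours 72
```

Two checks before trusting the output.  First, event 4740 is only written if “Audit User Account Management” success auditing is enabled on the domain controllers; if the function reports a locked account with no 4740, confirm the audit policy on the PDC Emulator before assuming the log window is too short.  Second, the Caller Computer Name is whatever the authenticating DC recorded, and it can be blank for some non-Windows clients; in that case look at events 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) on the DC that actually received the bad password, where the source host or address is logged.  Unlocking the account without clearing the stale session on the caller computer just restarts the cycle.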

This is really just a starting point.  There are lots of ways to expand on this script like…

  • Adding email notifications
  • Throwing this into a scheduled task
  • Include all the properties in one New-Property
  • Having it auto unlock a person

As always the full script is available in the Script Repository so feel free to download it and use it anyway you see fit.  If you like what you see or have any questions please leave a comment below and make sure to sign up for our newsletter.


Happy Scripting!


  • Dan Potter

    (get-addomain).pdcemulator would be a better way to get the pdc.

    • poshguru

      Since I use the $DomainControllers variable later in the script it seemed to make sense to just call from an existing variable rather than make multiple calls back to Active Directory. That’s probably the best thing about PowerShell…there are at least 7 different ways to skin a cat. I realize for such a short script the performance hit would be negligible, but I try to make my scripts run as efficiently as possible. Let me know if you think I’m totally off-base here. Thanks for commenting, I really appreciate the feedback, and keep them coming!

      Thanks,

      Matt Laird

  • chad haston

    The function above is missing the closing “}”. Easy to find, but posting for anyone that might be new to PowerShell.