Find locked out user accounts in Active Directory using PowerShell

Captions
Hey guys, in this video I will show you how to find user accounts that got locked out using PowerShell. There can be many reasons why an account lockout occurs: someone trying to log in with the wrong password, a brute-force attack on your accounts, or a malware infection on your network. Account lockouts affect users who rely on their Active Directory domain account. Re-enabling the account is a temporary solution, but identifying the root cause of the problem is crucial to prevent repeated occurrences.

You can use the PowerShell cmdlet Search-ADAccount to locate all locked-out accounts on your domain. I'm simply going to run the command Search-ADAccount with the -LockedOut parameter and press Enter. You can see two users, test user 1 and test user 2, are currently locked out.

This command is great, but what if you have an account that keeps getting locked out every time you try to authenticate? In this scenario you need to find out which system is triggering the bad authentication requests. This is a common task when you have a malware infection somewhere on your network, when an admin forgets to log out of a remote desktop session, or when a wrong password is cached in some application or computer.

Just so you know, all password authentication will go through the domain controller holding the PDC emulator role, therefore it is always the best place to check. To find the domain controller with the PDC emulator role, check the PDCEmulator property returned by the Get-ADDomain command. I'll press Enter; you can see here that dc-02 is the PDC emulator.

After knowing which domain controller holds the PDC emulator role, you should query its Security event log for event ID 4740. This event is logged when an account is locked out. To find those events, use the Get-WinEvent cmdlet. I'm already on dc-02, which is my PDC emulator, so if I type hostname you can see I'm on dc-02. To execute the command, type Get-WinEvent -FilterHashtable with LogName Security and ID 4740, then press Enter. This will now list all events related to account lockouts. However, by default it doesn't display the username or computer name associated with the bad authentication request. Also, in my case the list is very small, but in a production environment it will be much larger.

To get the username from all account lockout events and the computer name associated with the bad authentication requests, you need to query the properties that Get-WinEvent returns. But first, use a filter to query the Security event log for ID 4740. So I'm going to use a variable called $filter, query the Security log for event ID 4740, and press Enter. Next I'm going to type Get-WinEvent with the -FilterHashtable parameter set to $filter. Then I will use Select-Object to retrieve the username and computer name from each event, using Properties[0].Value and Properties[1].Value respectively in calculated expressions. All right, I will press Enter. In each of these events the username that was locked out is always the first element in the Properties array, while the second element is always the computer name where the lockout originated.

After identifying the user accounts and the computer names that are triggering the bad authentication requests, you should investigate that computer to determine the root cause of the issue; it could be one of the reasons mentioned previously. You could then proceed to unlock those accounts. In my case, you can see the computer name where the bad authentication requests are triggered is client01 for these test users.

Now that you have found your locked-out AD users, you can use the Unlock-ADAccount command to unlock the AD users which are currently locked. If you would like to unlock all the accounts, you can run Search-ADAccount -LockedOut piped to Unlock-ADAccount and press Enter; this will unlock all accounts that are currently locked. But if you would like to unlock only one account, you can run Unlock-ADAccount -Identity followed by the account name, test user 2 in my case, and press Enter.

One thing to note: to run the PowerShell cmdlets that I've shown you, you need to import the Active Directory PowerShell module by typing the command Import-Module ActiveDirectory and pressing Enter. All right, this is how you find the locked-out user accounts in Active Directory using PowerShell. I hope you find this video useful. For more videos like these, please subscribe to my channel.
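As an added example that is not the video's own commands, the whole procedure above as one PowerShell script: find the PDC emulator, pull event ID 4740 from its Security log, extract the user and the source computer from the Properties array, and rank the source computers so the investigation starts at the machine generating the bad requests. It assumes the RSAT ActiveDirectory module and remote read access to the PDC emulator's Security log; the 24-hour window and the account name testuser2 are assumptions.

```powershell
# Added example (not the video's own code): automate the walkthrough above.
# Assumes the RSAT ActiveDirectory module and rights to read the PDC emulator's
# Security log remotely; the time window and account name are constructed here.
Import-Module ActiveDirectory

# 1. Lockouts are recorded on the domain controller holding the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator

# 2. Which accounts are locked out right now?
$locked = Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LastLogonDate, LockedOut

# 3. Pull event ID 4740 from the PDC emulator's Security log (last 24 hours).
#    The StartTime key keeps the query small on a busy production domain controller.
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. In a 4740 event, Properties[0] is the locked-out user and Properties[1]
#    is the caller computer that sent the bad credentials.
$lockouts = $events | Select-Object -Property @(
    'TimeCreated',
    @{ Name = 'User';   Expression = { $_.Properties[0].Value } },
    @{ Name = 'Source'; Expression = { $_.Properties[1].Value } }
)

# 5. Rank source computers by lockout count: the top entry is where to look for
#    the cached wrong password, stale RDP session or malware.
$bySource = $lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Users'; Expression = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }

$locked   | Format-Table -AutoSize
$bySource | Format-Table -AutoSize

# 6. Unlock only after the source has been cleaned up, otherwise the account
#    will simply lock again on the next bad request. One account at a time
#    (testuser2 is a constructed name):
# Unlock-ADAccount -Identity 'testuser2' -Confirm
```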
Info
Channel: vCloudBitsBytes
Views: 3,811
Keywords: vcloudbitsbytes, lifemusictech, PowerShell, Active Directory, Windows Server, User Account Lockout, Troubleshooting, PDC Emulator Role, Event Viewer, Event Log, Unlock-ADAccount, Search-AdAccount, 4740, Get-WinEvent, Get-ADDomain, PDCe, FilterHastTable, Security Logs, Event ID 4740, LockedOut, Locked out, User Accoutns, windows server, azure
Id: KyX3l1GKAPw
Length: 4min 50sec (290 seconds)
Published: Thu Jun 29 2023