Posted by Will Stocks in Guides, Snippets, Sys Admin on Feb 15, 2017

This one is a very short, but sweet, guide to finding all locked out AD User accounts. These few simple commands have saved me a huge amount of time on more than one occasion!

To start with, you'll need to ensure you've imported the Active Directory module. This may take a minute, but bear with it!

Import-Module ActiveDirectory

Once the module is imported, run the Search-ADAccount command with the -LockedOut parameter, which will list all locked out User accounts.

Search-ADAccount -LockedOut

Which will give you the following output (example):

PS C:\Users\Admin> Import-Module ActiveDirectory
PS C:\Users\Admin> Search-ADAccount -LockedOut

AccountExpiration    : 
DistinguishedName    : CN=Test User,OU=TestOU,DC=TestDomain,DC=com
Enabled              : True
LastLogonDate        : 01/01/1970 09:00:00
LockedOut            : True
Name                 : Test User
ObjectClass          : User
ObjectGUID           :
PasswordExpired      : False
PasswordNeverExpires : False
SamAccountName       : TestUser
SID                  :
UserPrincipalName    : TestUser@TestDomain.com

PS C:\Users\Admin>

If you simply want to see the user names for the locked out accounts, as opposed to more extensive details per account, you can run the following command:

Search-ADAccount -LockedOut | Select-Object Name

From here, you have a couple of options. You can either open up ADUC and unlock the accounts manually, or you can run the following command (as long as you have the correct permissions to do so) to unlock the accounts simply and quickly:

Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm

Please note: I ALWAYS use the -Confirm parameter when running this command, which prompts you per account to interact with the command. If you do not include the -Confirm parameter in the above command, all accounts will be unlocked with no interaction.

You will be provided with a few input options here. You can either hit enter one-by-one, or you can input the following letters:

  • Y - Yes (one-by-one)
  • A - Yes to All
  • N - No (one-by-one)
  • L - No to All
  • S - Suspend
  • ? - Help

Once you've completed this step, I'd highly advise you run the Search-ADAccount command again to ensure the accounts have actually unlocked!
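The steps above can be combined into one script that reviews the lockouts before unlocking anything and then verifies the result. This is an added example, not part of the original guide; the burst thresholds ($BurstCount, $BurstWindow) are assumed values to tune for your environment, and it assumes the account running it has rights to unlock accounts.

```powershell
# Added example: review lockouts before unlocking, then verify.
# Assumes the RSAT ActiveDirectory module and rights to unlock accounts.
Import-Module ActiveDirectory

# Assumption: 5 or more lockouts inside 10 minutes is worth a second look.
$BurstCount  = 5
$BurstWindow = New-TimeSpan -Minutes 10

# Enrich each locked-out user with when it locked and its last bad password.
$locked = @(Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount |
    Sort-Object AccountLockoutTime)

if ($locked.Count -eq 0) {
    Write-Host 'No locked out user accounts found.'
}
else {
    $locked | Format-Table Name, SamAccountName, AccountLockoutTime,
        LastBadPasswordAttempt, BadLogonCount -AutoSize

    # Many accounts locking close together points at one source (a password
    # spray or a misconfigured service), not individual forgotten passwords.
    for ($i = 0; $i + $BurstCount -le $locked.Count; $i++) {
        $first = $locked[$i].AccountLockoutTime
        $last  = $locked[$i + $BurstCount - 1].AccountLockoutTime
        if ($first -and $last -and ($last - $first) -le $BurstWindow) {
            Write-Warning "$BurstCount accounts locked between $first and $last. Investigate before unlocking."
            break
        }
    }

    # Preview what would be unlocked without changing anything.
    $locked | Unlock-ADAccount -WhatIf

    # Unlock with a prompt per account, as in the guide.
    $locked | Unlock-ADAccount -Confirm

    # Verify: anything still listed was skipped or has locked again.
    Search-ADAccount -LockedOut -UsersOnly | Select-Object Name, SamAccountName
}
```

An account that reappears in the final check shortly after being unlocked is still receiving bad passwords from somewhere, so find the source before unlocking it again.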

Hopefully these commands will prove useful and will save you some time! If you have any useful commands, let me know down below :)