Finding the source of AD user account lockouts using PowerShell
For today's short article, I wanted to share a very crude, simple script I use to find the source of Active Directory user account lockouts. Sometimes, a user is constantly being locked out in AD with no explanation. It can be very frustrating not only for the user, but also for the helpdesk personnel trying to assist the user.
In order for this to work, you'll need rights to read the Security event log on the domain controller (membership in the Event Log Readers group on the DC, or a domain admin account) and the ActiveDirectory PowerShell module (part of RSAT). The query goes to the domain controller holding the PDC emulator FSMO role, so it also has to be reachable over RPC from where you run it (the "Remote Event Log Management" firewall rules on the DC). I use my Admin account to run this. Open your PowerShell console and run the following:
$pdc = (Get-ADDomain).PdcEmulator
Get-WinEvent -ComputerName "$pdc" -FilterHashtable @{Logname='Security';Id=4740} -MaxEvents 20 | Format-List Message,TimeCreated
What are we doing here? Well, it's simple really. The first part asks AD which domain controller holds the PDC emulator role and stores that server name in the variable $pdc. The second part uses that variable to query the Security log on that server for event ID 4740 ("A user account was locked out"). The reason the PDC emulator is the right place to look is that every domain controller forwards bad-password attempts and lockouts to it, so it has a complete record of lockouts for the whole domain even when the bad passwords were processed by some other DC. (4740 is written by the "Audit User Account Management" subcategory, which the Default Domain Controllers Policy audits on success out of the box.) All we're doing is returning only those events, only the last 20 (you can change this), and only the Message and TimeCreated properties.
When you get the response, you'll notice that you get a lot of useful information. The most useful is the "Caller Computer Name" field, which is the computer the failed logon attempts came from, and the "Account Name" of the user being locked out. One caveat: Caller Computer Name is whatever machine presented the bad credentials to the DC, so for users coming in through Exchange, a Remote Desktop gateway or a VPN it is often the name of that intermediary server rather than the user's own device, and it is sometimes blank. When that happens, the next step is the DC named in the 4740 event itself: look there for 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) events for the same account, which record the client IP address or source workstation of each bad attempt.
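The Message text is fine to read by eye, but it is easier to work with the fields as properties, especially when you want to group lockouts by the source machine or narrow to one user and a time window. The following is an added example, not the script from the original post. It parses the event XML by field name (in a 4740 event the EventData field called TargetDomainName is the one rendered as "Caller Computer Name"), and it assumes the ActiveDirectory module and the same read access to the PDC emulator's Security log as above. The function names, the sample event and the host names in it are made up for illustration.

```powershell
# Added example, not the original post's script.
# Assumes the ActiveDirectory module (RSAT) and read access to the Security log
# on the PDC emulator over RPC. Function names here are illustrative.
#Requires -Modules ActiveDirectory

function ConvertFrom-LockoutEventXml {
    # Turn the XML of one 4740 event into a flat object.
    # In 4740, the EventData field named TargetDomainName holds the
    # "Caller Computer Name", i.e. the machine that sent the bad passwords.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml
    )
    process {
        $x    = [xml] $EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = [datetime] $x.Event.System.TimeCreated.SystemTime
            LockedUser     = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # "Caller Computer Name"
            LockoutDC      = $x.Event.System.Computer     # DC that enforced the lockout
            RecordId       = [int64] $x.Event.System.EventRecordID
        }
    }
}

function Get-LockoutSource {
    # Query the PDC emulator for 4740 events, optionally for one user,
    # within the last $Hours hours, and return them as parsed objects.
    param(
        [string] $User,
        [int]    $Hours     = 24,
        [int]    $MaxEvents = 200
    )
    $pdc    = (Get-ADDomain).PdcEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    # 'Data' matches any EventData field, so it is only a pre-filter; the exact
    # user match is done after parsing.
    if ($User) { $filter['Data'] = $User }

    try {
        $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no lockouts",
        # but surface anything else (access denied, RPC unavailable, ...).
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }

    $events | ForEach-Object { $_.ToXml() } |
        ConvertFrom-LockoutEventXml |
        Where-Object { -not $User -or $_.LockedUser -eq $User }
}

# Constructed sample 4740 event (not a real one) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-03-01T08:15:30.123Z"/>
    <EventRecordID>123456</EventRecordID>
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WS-FINANCE-07</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEventXml | Format-Table -AutoSize

# Against a live domain: one user's lockouts in the last 24 hours, counted per source machine.
# Get-LockoutSource -User jdoe | Group-Object CallerComputer | Sort-Object Count -Descending
```

Grouping by CallerComputer is usually what settles the question: one workstation with a stale cached password shows up as a single name repeating every lockout interval. If the top entry is a mail, RDS or VPN server rather than a user device, that is the intermediary case described above and the 4771/4776 events on the DC in the LockoutDC column are where the real client address is.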
Just a quick snippet, and I'm definitely not the first to do this. As always, there may be a better way, but this is how I do it!