
[Solved] How to find Active Directory account lockout source using PowerShell

AD account lockout script.

Problem

As an IT support specialist, you may have encountered instances where user accounts are frequently locked out. Identifying the root cause of these lockouts can occasionally be challenging.

Here are some of the reasons:

  1. Incorrect Passwords: Users entering incorrect passwords multiple times can trigger an account lockout, especially if there’s a policy in place to lock accounts after a certain number of failed login attempts.
  2. Expired Passwords: If there’s a password expiration policy, users may forget to update their passwords, leading to account lockouts.
  3. Stale Credentials: Cached credentials on a device might become outdated or incorrect, causing the account to be locked out when the system attempts to use them.
  4. Multiple Devices: If a user is logged in on multiple devices and changes the password on one device, the other devices may still be using the old credentials, leading to lockouts.
  5. Service Accounts: Accounts used by services or applications with stored credentials may cause lockouts if the password is changed without updating the corresponding configurations.
  6. Mobile Devices: Mobile devices with email or other applications configured to use an account might attempt to authenticate with outdated credentials.
  7. Mapped Drives or Network Shares: Persistent connections using outdated credentials can lead to account lockouts.
  8. Security Policies: Group policies or security settings enforcing account lockout after a certain number of failed attempts can trigger lockouts.
  9. Brute Force Attacks: Repeated, automated login attempts by malicious actors trying to guess the password can lead to lockouts.
  10. User Error: Users might inadvertently lock themselves out by entering the wrong password or making other authentication errors.
  11. Active Directory Replication Issues: If there are delays or issues in replicating account information across domain controllers, it could result in lockout problems.

Solution

Here is a PowerShell script you can run to identify the source of an account lockout. To use it, put the account name in the '$identity = "username"' line. Once executed, the script lists the account's lockout attributes as seen by each domain controller and then prints the matching lockout events (ID 4740) from the PDC emulator, including the computer the lockout came from.

#script to find what computer is locking out an account
#enter username in $identity
#needs to be run from an AD-joined machine such as a dedicated VM or a DC

$identity = "username"
$DCCounter = 0
$LockedOutStats = @()

Import-Module ActiveDirectory -ErrorAction Stop

#Get all domain controllers in the domain
$DomainControllers = Get-ADDomainController -Filter *
$PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})

Write-Verbose "Finding the domain controllers in the domain"
Foreach($DC in $DomainControllers)
{
    $DCCounter++
    Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
    Try
    {
        #BadPasswordTime is requested here because it is copied into the result object below
        $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPasswordTime,BadPwdCount,LockedOut -ErrorAction Stop
    }
    Catch
    {
        Write-Warning $_
        Continue
    }
    If($UserInfo.LastBadPasswordAttempt)
    {
        $LockedOutStats += New-Object -TypeName PSObject -Property @{
            Name                   = $UserInfo.SamAccountName
            SID                    = $UserInfo.SID.Value
            LockedOut              = $UserInfo.LockedOut
            BadPwdCount            = $UserInfo.BadPwdCount
            BadPasswordTime        = $UserInfo.BadPasswordTime
            DomainController       = $DC.Hostname
            AccountLockoutTime     = $UserInfo.AccountLockoutTime
            LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
        }
    }#end if
}#end foreach DCs

$LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

#Get the lockout events (ID 4740) from the PDC emulator, which records every lockout in the domain
Try
{
    Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
    $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
}
Catch
{
    Write-Warning $_
    Return    #nothing to match against, so stop here (Continue is only valid inside a loop)
}#end catch

Foreach($Event in $LockedOutEvents)
{
    #Properties[2] of a 4740 event is the SID of the locked-out account
    If("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value)
    {
        $Event | Select-Object -Property @(
            @{Label = 'User';               Expression = {$_.Properties[0].Value}}
            @{Label = 'DomainController';   Expression = {$_.MachineName}}
            @{Label = 'EventId';            Expression = {$_.Id}}
            @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
            @{Label = 'Message';            Expression = {$_.Message -split "`r" | Select -First 1}}
            @{Label = 'LockedOutLocation';  Expression = {$_.Properties[1].Value}}   #caller computer name
        )
    }#end ifevent
}#end foreach lockedout event
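As an added example that is not part of the original script, the function below summarises 4740 events by the caller computer name (Properties[1]) so that the device repeatedly locking an account stands out; on a live system you would pass in the $LockedOutEvents collected above, while here Get-LockoutSourceSummary, New-Sample4740, the account names and the SIDs are all constructed for illustration so it runs offline.

```powershell
function Get-LockoutSourceSummary {
    param(
        [Parameter(Mandatory)] $Events,      # 4740 events: .TimeCreated and .Properties[0..2]
        [string] $SamAccountName             # optional: only this account (Properties[0])
    )
    $Events |
        Where-Object { -not $SamAccountName -or $_.Properties[0].Value -eq $SamAccountName } |
        Group-Object { "$($_.Properties[0].Value)|$($_.Properties[1].Value)" } |
        ForEach-Object {
            $user, $source = $_.Name -split '\|', 2
            $times = @($_.Group | ForEach-Object TimeCreated | Sort-Object)
            [pscustomobject]@{
                User         = $user
                Source       = $source           # Properties[1] = Caller Computer Name
                Lockouts     = $_.Count
                FirstLockout = $times[0]
                LastLockout  = $times[-1]
            }
        } |
        Sort-Object Lockouts -Descending
}

# Constructed sample objects shaped like 4740 records (hypothetical helper, not a real cmdlet):
# Properties[0] = TargetUserName, Properties[1] = Caller Computer Name, Properties[2] = TargetSid.
function New-Sample4740 ([string]$User, [string]$Source, [string]$Sid, [string]$When) {
    [pscustomobject]@{
        Id          = 4740
        TimeCreated = [datetime]$When
        Properties  = @(
            [pscustomobject]@{ Value = $User }
            [pscustomobject]@{ Value = $Source }
            [pscustomobject]@{ Value = $Sid }
        )
    }
}

# Constructed sample data: a stale credential on PRINTSRV locks jdoe twice, LAPTOP-01 once.
$sampleEvents = @(
    New-Sample4740 'jdoe'   'LAPTOP-01' 'S-1-5-21-1-2-3-1105' '2024-01-10 08:01'
    New-Sample4740 'jdoe'   'PRINTSRV'  'S-1-5-21-1-2-3-1105' '2024-01-10 08:07'
    New-Sample4740 'jdoe'   'PRINTSRV'  'S-1-5-21-1-2-3-1105' '2024-01-10 08:37'
    New-Sample4740 'asmith' 'LAPTOP-02' 'S-1-5-21-1-2-3-1200' '2024-01-10 09:00'
)
Get-LockoutSourceSummary -Events $sampleEvents -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Against real data, bound the Get-WinEvent query with a StartTime in the filter hashtable first, since pulling every 4740 event from a busy PDC emulator can take a long time.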
