System administrators are responsible for the proper functioning of the company’s networks and servers. Monitoring and diagnosing issues in the server infrastructure is one of their major tasks. One such issue is the Active Directory account lockout, which happens when an account tries to sign in to the network multiple times with an incorrect password.
To avoid these kinds of issues, the best approach is to use an identity and access management (IAM) solution. However, for those who don’t have one or want a faster resolution, PowerShell can be a helpful tool for fixing Active Directory account lockouts. In this article, let’s look at how to use PowerShell to fix Active Directory account lockouts.
What Is Active Directory Account Lockout?
Active Directory is a Microsoft product that stores user information and credentials, such as passwords, and authenticates users. After repeated wrong password entries, Active Directory locks the account, which prevents the user from logging in and performing any other activities on the network.
When Should You Fix Active Directory Account Lockouts with PowerShell?
Active Directory account lockouts can be quite disruptive and can also indicate a serious security problem, so when one occurs it is important to resolve it promptly. There are a few scenarios in which you should use PowerShell to fix the account lockout:
- When the issue is related to a user’s password and you need to reset it quickly.
- If you have to reset a single user’s account or multiple users’ accounts in bulk.
- When you have to check lockout status and the source of the account lockout.
- When the cause of the lockout is not clear and you need a script to identify it quickly.
- When you want to audit a list of lockouts and users.
How to Fix Active Directory Account Lockouts with PowerShell
The most effective way to fix Active Directory account lockouts with PowerShell is to use the Search-ADAccount and Get-ADUser cmdlets from the ActiveDirectory module to find and analyze the locked-out accounts, and the Unlock-ADAccount cmdlet to unlock them. Here’s how you can use PowerShell to efficiently fix Active Directory account lockouts.
Step 1: Identify the Problematic Accounts
Before fixing the problem, the first step is to identify the accounts that are locked out. You can use the Get-ADUser cmdlet for this, requesting the LockedOut and LockoutTime attributes, which are not returned by default. In the PowerShell console, use this command:
Get-ADUser -Identity <SamAccountName> -Properties LockedOut, LockoutTime
To list every currently locked-out user account instead of checking one by one, use this command:
Search-ADAccount -LockedOut -UsersOnly
Step 2: Analyze the Lockouts
Once the locked-out accounts are identified, the next step is to analyze the lockout and then decide how to proceed. To understand the source of the lockout, use this command:
Get-ADUser -Identity <SamAccountName> -Properties LockedOut, LockoutTime, BadPwdCount, LastBadPasswordAttempt | Select-Object SamAccountName, LockedOut, @{n='LockoutTime';e={[DateTime]::FromFileTime($_.LockoutTime)}}, BadPwdCount, LastBadPasswordAttempt
This command gives you the user identity, the locked-out status, the lockout time, the bad password count, and the time of the last bad password attempt. With this information, you can confirm which user is affected, when the lockout happened, and how many failed attempts led to it.
Step 3: Unlock the Account
Once you have identified the source of the lockout, use the Unlock-ADAccount cmdlet to unlock the account. This cmdlet can unlock a single user account or many accounts at once. For a single user account, use this command:
Unlock-ADAccount -Identity <SamAccountName>
To unlock every currently locked-out user account in bulk, use this command:
Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount
Once you run this command, the accounts will be unlocked.
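The three steps above combined into one script, as an added example that is not part of the original article: it lists the locked-out users, reads the caller computer name from event 4740 on the PDC emulator to identify the lockout source, and unlocks only the accounts whose source is known. It assumes the RSAT ActiveDirectory module is installed and that the caller may read the Security log on the PDC emulator; the -Hours and -Unlock parameters are this script's own.

```powershell
# Added example (not from the article): locate locked-out users, find the
# lockout source from event 4740 on the PDC emulator, and unlock selectively.
#Requires -Modules ActiveDirectory
param(
    [int]$Hours = 24,   # how far back to search the PDC's Security log
    [switch]$Unlock     # unlock only when explicitly requested
)
Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so query it for event 4740
# (BadPwdCount and LastBadPasswordAttempt are also per-DC, not replicated).
$pdc    = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Map user -> caller computer(s). Assumption: in event 4740 the
# "Caller Computer Name" is carried in the TargetDomainName data field.
$sources = @{}
foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $user   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    if (-not $user -or -not $caller) { continue }
    if (-not $sources.ContainsKey($user)) { $sources[$user] = @{} }
    $sources[$user][$caller] = $true
}

# Currently locked-out users, with the attributes that explain the lockout,
# read from the PDC so the bad-password counters are authoritative.
$locked = Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    Get-ADUser -Server $pdc -Properties LockoutTime, BadPwdCount, LastBadPasswordAttempt

$report = foreach ($u in $locked) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LockoutTime    = [DateTime]::FromFileTime([int64]$u.LockoutTime)
        BadPwdCount    = $u.BadPwdCount
        LastBadAttempt = $u.LastBadPasswordAttempt
        CallerComputer = (@($sources[$u.SamAccountName].Keys) -join ', ')
    }
}
$report | Format-Table -AutoSize

# Unlock only accounts with an identified source; a lockout with no caller,
# or with many callers, deserves investigation before it is cleared.
if ($Unlock) {
    foreach ($r in $report | Where-Object { $_.CallerComputer }) {
        Unlock-ADAccount -Identity $r.SamAccountName
        Write-Host "Unlocked $($r.SamAccountName) (source: $($r.CallerComputer))"
    }
}
```

Run without -Unlock first to review the report; the listed caller computer is where the bad passwords are coming from (a stale mapped drive, a scheduled task or service with an old password, or an attacker's host).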
Account lockouts can occur very frequently in networks and can disrupt the smooth functioning of business operations. The best way to resolve the issue is to use an identity and access management (IAM) solution. But for those who don’t use an IAM solution or want a quick resolution, PowerShell can be a great tool to identify and fix Active Directory account lockouts quickly.
In this article, we walked through a step-by-step guide on how to fix Active Directory account lockouts using PowerShell. The Search-ADAccount and Get-ADUser cmdlets are used to identify and analyze the locked-out accounts, and the Unlock-ADAccount cmdlet is used to unlock them. We hope this article has been helpful in understanding how to fix Active Directory account lockouts using PowerShell and keep business operations running smoothly.