If you’re managing Windows servers or Active Directory, you’ve probably dealt with locked user accounts at some point. Maybe someone forgot their password and tried too many times, or maybe you just need to check the status of accounts across your network.
Today, I’m going to show you exactly how to check if an account is locked using PowerShell.
Accounts typically get locked when:
- Someone enters the wrong password too many times
- An old password is saved in a service or scheduled task
- A mobile device is trying to authenticate with an expired password
- Someone’s mapped network drives are using old credentials
Windows has a security policy that automatically locks accounts after a certain number of failed login attempts. It’s annoying when it happens to you, but it actually protects your network from brute-force attacks.
Before we start, make sure you have:
- PowerShell installed (it comes with Windows, so you’re probably good)
- Active Directory module for PowerShell
- Appropriate permissions (you’ll need at least read access to Active Directory)
If you’re working with domain accounts, you’ll need the Active Directory module. For local accounts, regular PowerShell works just fine.
Check if a Domain Account is Locked using PowerShell
Let me start with the most common scenario – checking domain user accounts.
The Basic Command
Here’s the simplest way to check if a specific user account is locked:
Get-ADUser -Identity username -Properties LockedOut | Select-Object Name, LockedOut
Just replace “username” with the actual username you want to check. This command will return either True or False.
For example:
Get-ADUser -Identity john.doe -Properties LockedOut | Select-Object Name, LockedOut
The output will look something like:
Name     LockedOut
----     ---------
John Doe      True
Getting More Details
Sometimes you need more than just a yes or no answer. You might want to know when the account was locked, or see the lockout time.
Here’s a more detailed command:
Get-ADUser -Identity username -Properties LockedOut, LockoutTime, BadPwdCount | Select-Object Name, LockedOut, LockoutTime, BadPwdCount
This gives you:
- Name: The user’s display name
- LockedOut: Whether the account is currently locked (True/False)
- LockoutTime: When the account was locked
- BadPwdCount: How many bad password attempts happened
Making It More Readable
The LockoutTime comes back as a raw Windows FILETIME integer (100-nanosecond ticks since 1601) that’s hard to read. Let’s fix that:
$user = Get-ADUser -Identity username -Properties LockedOut, LockoutTime, BadPwdCount
[PSCustomObject]@{
    Name             = $user.Name
    LockedOut        = $user.LockedOut
    # LockoutTime is 0 (or empty) when the account has never been locked;
    # converting that would show 1 January 1601, so leave it blank instead
    LockoutTime      = if ($user.LockoutTime) { [DateTime]::FromFileTime($user.LockoutTime) } else { $null }
    BadPasswordCount = $user.BadPwdCount
}
Now you’ll see the lockout time in a normal date/time format that actually makes sense.
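An added example (not code from the original post) that takes this one step further: it reads lockoutTime and badPwdCount from the PDC emulator, because those attributes are not replicated between domain controllers and the PDC emulator is the one that receives every failed attempt, and it uses the domain lockout policy to work out when the lock will clear by itself. The function name Get-LockoutReport is my own; Get-ADDomain and Get-ADDefaultDomainPasswordPolicy are standard cmdlets from the ActiveDirectory module.

```powershell
# Added example (not from the original post): lockout report that copes with an account
# that was never locked and shows when the lock expires under the domain policy.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Username
    )

    # lockoutTime and badPwdCount are per-DC values; the PDC emulator sees every bad
    # password attempt in the domain, so query it rather than whichever DC answers first.
    $pdc    = (Get-ADDomain).PDCEmulator
    $user   = Get-ADUser -Identity $Username -Server $pdc `
                  -Properties LockedOut, LockoutTime, BadPwdCount, BadPasswordTime
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc

    $lockedAt  = $null
    $unlocksAt = $null
    if ($user.LockoutTime) {                      # 0 or empty means never locked
        $lockedAt = [DateTime]::FromFileTime($user.LockoutTime)
        # A zero (or negative) LockoutDuration means the account stays locked
        # until an administrator unlocks it, so there is no automatic expiry.
        if ($policy.LockoutDuration -gt [TimeSpan]::Zero) {
            $unlocksAt = $lockedAt + $policy.LockoutDuration
        }
    }

    [PSCustomObject]@{
        Name             = $user.Name
        SamAccountName   = $user.SamAccountName
        LockedOut        = $user.LockedOut
        LockedAt         = $lockedAt
        AutoUnlockAt     = $unlocksAt
        BadPasswordCount = $user.BadPwdCount
        LastBadPassword  = if ($user.BadPasswordTime) { [DateTime]::FromFileTime($user.BadPasswordTime) } else { $null }
        LockoutThreshold = $policy.LockoutThreshold
        QueriedDC        = $pdc
    }
}

# Constructed sample call; replace john.doe with a real account.
Get-LockoutReport -Username 'john.doe' | Format-List
```

If AutoUnlockAt is in the past but LockedOut is still True, the LockedOut value you are looking at came from a DC that has not yet caught up, which is another reason to ask the PDC emulator.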
Check Multiple Accounts at Once
What if you need to check several accounts? You don’t want to run the same command over and over.
Here’s how to check multiple specific users:
$users = "john.doe", "jane.smith", "bob.jones"
foreach ($user in $users) {
    Get-ADUser -Identity $user -Properties LockedOut | Select-Object Name, LockedOut
}
Or, if you want to check ALL locked accounts in your domain:
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut
This command is super useful because it only shows you accounts that are actually locked. You’re not wading through hundreds of unlocked accounts.
Find Which Domain Controller Locked the Account
Here’s something really helpful – figuring out which domain controller registered the lockout. This helps you track down where the bad password attempts are coming from.
$user = "username"
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    # Event ID 4740 = "A user account was locked out". The Data key makes the DC match the
    # username inside the event data, so -MaxEvents limits the result to this user's 10 most
    # recent lockouts instead of the 10 most recent lockouts of anyone (which is what happens
    # if you filter with Where-Object after -MaxEvents).
    $lockouts = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security';Id=4740;Data=$user} -MaxEvents 10 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $user }
    if ($lockouts) {
        $lockouts | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[0].Value}}, @{Name='DomainController';Expression={$DC.HostName}}
    }
}
This script loops through all domain controllers and checks their security event logs for Event ID 4740 (account lockout events). Lockouts are always processed by the PDC emulator, so if you only want to query one DC, query that one.
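The 4740 event also records the “Caller Computer Name”, the machine the bad passwords came from, which is usually where the stale credential lives. The following is an added example (not the post’s own script) that reads the lockout events from the PDC emulator only and summarises them per user and source computer; Get-LockoutSource is my own function name, and the event-data positions are those of the standard 4740 event.

```powershell
# Added example (not from the original post): find which computer is locking which
# account, using the PDC emulator's Security log (it records every lockout in the domain).
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$Username,          # optional: limit the search to one account
        [int]$Hours = 24            # how far back to look
    )

    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740                           # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($Username) { $filter['Data'] = $Username } # match inside the event data on the DC

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4740 event data layout: [0] TargetUserName (the locked account),
            # [1] TargetDomainName (shown as "Caller Computer Name"), [2] TargetSid
            [PSCustomObject]@{
                Time             = $_.TimeCreated
                User             = $_.Properties[0].Value
                CallerComputer   = $_.Properties[1].Value
                DomainController = $pdc
            }
        }
}

# One row per (user, source computer) pair, busiest source first.
Get-LockoutSource -Hours 24 |
    Group-Object User, CallerComputer |
    Select-Object Count,
                  @{Name='User';           Expression={ $_.Group[0].User }},
                  @{Name='CallerComputer'; Expression={ $_.Group[0].CallerComputer }},
                  @{Name='LastLockout';    Expression={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Sort-Object Count -Descending
```

A caller computer that locks several different accounts in a short window is worth a closer look: it is either a misconfigured service or device, or someone guessing passwords, and either way the fix is on that machine, not in unlocking the accounts.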
Check Local User Accounts
Not everyone works with Active Directory. If you need to check local accounts on a Windows machine, here’s what you do:
Get-LocalUser -Name username | Select-Object Name, Enabled, LockedOut
For all local users:
Get-LocalUser | Select-Object Name, Enabled, LockedOut
Pretty straightforward, right?
Create a Reusable Function
If you’re checking locked accounts regularly, create a function you can reuse. Here’s one I use:
function Check-LockedAccount {
    param(
        [Parameter(Mandatory=$true)]
        [string]$Username
    )
    try {
        $user = Get-ADUser -Identity $Username -Properties LockedOut, LockoutTime, BadPwdCount -ErrorAction Stop
        if ($user.LockedOut) {
            Write-Host "$($user.Name) is LOCKED" -ForegroundColor Red
            Write-Host "Lockout Time: $([DateTime]::FromFileTime($user.LockoutTime))"
            Write-Host "Bad Password Attempts: $($user.BadPwdCount)"
        } else {
            Write-Host "$($user.Name) is NOT locked" -ForegroundColor Green
        }
    } catch {
        Write-Host "Error: Could not find user $Username" -ForegroundColor Yellow
    }
}
Save this in your PowerShell profile, and you can just type:
Check-LockedAccount -Username john.doe
Much easier!
Common Issues and How to Fix Them
“The term ‘Get-ADUser’ is not recognized”
This means you don’t have the Active Directory module installed. Fix it by running:
Import-Module ActiveDirectory
If that doesn’t work, you need to install the RSAT tools for your Windows version.
Access Denied Errors
You need proper permissions to query Active Directory. Talk to your domain admin if you’re getting access denied messages.
The Command Returns Nothing
Make sure you’re spelling the username correctly. Active Directory is case-insensitive, but typos will get you nowhere.
Unlocking an Account (Bonus Tip)
Since you’re here learning about checking locked accounts, let me quickly show you how to unlock one too:
Unlock-ADAccount -Identity username
That’s it. Simple and clean.
For local accounts there is no Unlock-LocalUser cmdlet. The classic command
net user username /active:yes
re-enables an account that has been disabled, but it does not clear the locked-out flag. To clear a lockout on a local account, set the flag through the ADSI WinNT provider:
$account = [ADSI]"WinNT://$env:COMPUTERNAME/username,user"
$account.IsAccountLocked = $false
$account.SetInfo()
Putting It All Together
Here’s a complete script that checks an account and gives you all the useful information:
$username = Read-Host "Enter username to check"
try {
    $user = Get-ADUser -Identity $username -Properties LockedOut, LockoutTime, BadPwdCount, Enabled, LastLogonDate -ErrorAction Stop
    Write-Host "`nAccount Status for: $($user.Name)" -ForegroundColor Cyan
    Write-Host "================================"
    Write-Host "Username: $($user.SamAccountName)"
    Write-Host "Enabled: $($user.Enabled)"
    Write-Host "Locked Out: $($user.LockedOut)"
    if ($user.LockoutTime -gt 0) {
        Write-Host "Lockout Time: $([DateTime]::FromFileTime($user.LockoutTime))"
    }
    Write-Host "Bad Password Count: $($user.BadPwdCount)"
    Write-Host "Last Logon: $($user.LastLogonDate)"
} catch {
    Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
}
This gives you a nice, formatted report that’s easy to read.
Quick Reference
Here’s a cheat sheet you can bookmark:
Check single domain account:
Get-ADUser username -Properties LockedOut | Select Name, LockedOut
Find all locked accounts:
Search-ADAccount -LockedOut
Check local account:
Get-LocalUser username | Select Name, LockedOut
Unlock domain account:
Unlock-ADAccount username
Wrapping Up
Checking locked accounts in PowerShell really isn’t complicated once you know the right commands. The key is understanding what information you need and using the appropriate cmdlet.
Start with the basic commands, get comfortable with them, then move on to the more advanced stuff like checking event logs on domain controllers.
Remember, locked accounts are usually symptoms of a bigger issue – like saved credentials somewhere that need updating. Don’t just unlock and move on. Figure out what’s causing the lockouts in the first place.
Keep this guide handy, practice the commands, and you’ll be handling account lockouts like a pro in no time.
Got questions? Let me know in the comments below and I will answer you.
Bijay Kumar is an esteemed author and the mind behind PowerShellFAQs.com, where he shares his extensive knowledge and expertise in PowerShell, with a particular focus on SharePoint projects. Recognized for his contributions to the tech community, Bijay has been honored with the prestigious Microsoft MVP award. With over 15 years of experience in the software industry, he has a rich professional background, having worked with industry giants such as HP and TCS. His insights and guidance have made him a respected figure in the world of software development and administration. Read more.