
PowerShell Script to Get Locked Out Users Easily

Use the PowerShell command Search-ADAccount -LockedOut to get a list of locked out users in Active Directory.

Examples

Input: No locked out users
Output: No results returned (empty list)

Input: Users locked out: user1, user2
Output: user1, user2

Input: Locked out user with special characters: user_test-01
Output: user_test-01

How to Think About It

To find locked out users, you need to query Active Directory for accounts flagged as locked. PowerShell provides a built-in cmdlet Search-ADAccount with the -LockedOut switch that filters these accounts easily.

Algorithm

1. Import the Active Directory module.
2. Run the command to search for locked out accounts.
3. Filter the results to show only user accounts.
4. Display the usernames of locked out users.

Code

powershell
Import-Module ActiveDirectory
$lockedUsers = Search-ADAccount -LockedOut -UsersOnly
foreach ($user in $lockedUsers) {
    Write-Output $user.SamAccountName
}
Output:
user1
user2
user_test-01

Dry Run

Let's trace the script when there are two locked out users: user1 and user2.

1. Import Active Directory Module
   Module ActiveDirectory loaded.

2. Search for Locked Out Users
   Search-ADAccount returns two user objects: user1 and user2.

3. Output Usernames
   Outputs 'user1' and 'user2' to the console.

Step | Action                                 | Result
1    | Import Active Directory Module         | Module loaded
2    | Search-ADAccount -LockedOut -UsersOnly | Found user1, user2
3    | Write-Output usernames                 | user1, user2

Why This Works

Step 1: Import Active Directory Module

The Import-Module ActiveDirectory command loads the tools needed to query AD.

Step 2: Search for Locked Out Users

The Search-ADAccount -LockedOut -UsersOnly command finds all user accounts currently locked out.

Step 3: Display Usernames

Looping through results and printing SamAccountName shows the locked out users' names.
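The script above only prints names. The following added example (not code from the original page) builds on the same Search-ADAccount call to produce a small lockout report an administrator can review before deciding whether to unlock anything; the function name Get-LockedOutUserReport and the CSV path are this example's own choices, and it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: report locked-out users with lockout details for review.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

function Get-LockedOutUserReport {
    [CmdletBinding()]
    param(
        # Domain controller to query. The PDC emulator is notified of every
        # lockout in the domain, so its lockoutTime/badPwdCount values are the
        # most current (badPwdCount is not replicated between DCs).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    Search-ADAccount -LockedOut -UsersOnly -Server $Server |
        Get-ADUser -Server $Server -Properties lockoutTime, badPwdCount, LastBadPasswordAttempt |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName         = $_.SamAccountName
                Enabled                = $_.Enabled
                # lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01).
                LockedOutSince         = if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } else { $null }
                BadPasswordCount       = $_.badPwdCount
                LastBadPasswordAttempt = $_.LastBadPasswordAttempt
            }
        }
}

# Show the report and keep a copy as an audit trail of what was found.
$report = Get-LockedOutUserReport
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\locked-out-users.csv" -NoTypeInformation

# Unlock only after review. -WhatIf shows what would change without changing it;
# drop -WhatIf once the accounts to unlock have been confirmed.
# $report | ForEach-Object { Unlock-ADAccount -Identity $_.SamAccountName -WhatIf }
```

A burst of lockouts with recent LastBadPasswordAttempt values across many accounts is worth correlating with the domain controllers' security logs before unlocking, since it may indicate a password-guessing attempt rather than forgotten passwords.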


Alternative Approaches

Using Get-ADUser with LDAP filter
powershell
Import-Module ActiveDirectory
$lockedUsers = Get-ADUser -LDAPFilter "(lockoutTime>=1)"
foreach ($user in $lockedUsers) {
    Write-Output $user.SamAccountName
}
This uses an LDAP filter to find locked accounts but is less straightforward than Search-ADAccount. It is also less precise: lockoutTime is not cleared when the lockout duration expires, only on the next successful logon or an explicit unlock, so this filter can return accounts that are no longer locked out.
Using Quest AD cmdlets
powershell
Import-Module Quest.ActiveRoles.ADManagement
$lockedUsers = Get-QADUser -LockedOut
foreach ($user in $lockedUsers) {
    Write-Output $user.Name
}
Requires third-party Quest module; useful if native cmdlets are unavailable.

Complexity: O(n) time, O(n) space

Time Complexity

The script queries all locked out users, so time grows linearly with number of locked accounts.

Space Complexity

Stores the list of locked out users in memory, so space grows with number of locked accounts.

Which Approach is Fastest?

Using Search-ADAccount is optimized and faster than LDAP filters or third-party modules.

Approach                      | Time | Space | Best For
Search-ADAccount -LockedOut   | O(n) | O(n)  | Quick and native AD queries
Get-ADUser with LDAP filter   | O(n) | O(n)  | Custom LDAP queries, flexible
Quest AD cmdlets              | O(n) | O(n)  | Legacy environments without native module
Tip: Run PowerShell as administrator and ensure you have the Active Directory module installed before running the script.

Warning: Forgetting to import the Active Directory module or running the script without proper permissions causes errors.