Lock Active Directory User Account - PowerShell

In this post, I describe how you can lock an Active Directory User Account using PowerShell.


As far as I can tell, it's not possible to lock an Active Directory User Account in the Active Directory management tools UI (Active Directory Users and Computers).  However, sometimes it's necessary to lock an account, for example, if you are testing a tool which unlocks an account, such as XIA Automation.


Locking an Active Directory User Account

To lock an Active Directory User Account in PowerShell, we can write a simple script.


Firstly, we get the account lockout threshold from group policy (the [int] cast means an undefined value becomes 0 rather than an empty string, which matters for the loop condition later):

# Read the LockoutBadCount setting from the Default Domain Policy GPO report
[int]$AccountLockoutThreshold = (([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)).GPO.Computer.ExtensionData.Extension.Account |
    Where-Object name -eq LockoutBadCount).SettingNumber

You could also just hard code this if you know the value:

$AccountLockoutThreshold = 5


Next, we need to specify the user account we want to lock, and provide an incorrect password:

# The account to lock and a deliberately wrong password
$username = "howardsimpson"
$password = ConvertTo-SecureString 'incorrect password' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $password)


Finally, we loop, attempting a login with those credentials, until the account lockout threshold has been reached (each failed attempt raises the account's bad password count on the domain controller):

$attempts = 0
Do {
    $attempts++
    Write-Output "'$username' login attempt $attempts"
    # The session never opens because the password is wrong; errors are suppressed
    Enter-PSSession -ComputerName 2K19-DC -Credential $credential -ErrorAction SilentlyContinue
} Until ($attempts -eq $AccountLockoutThreshold)


Script to lock an Active Directory User Account

Here is the complete script:

# Read the LockoutBadCount setting from the Default Domain Policy GPO report.
# The [int] cast turns a missing value into 0, so the guard below catches both
# an undefined threshold and a threshold of 0 (lockout disabled); either would
# otherwise make the loop run forever.
[int]$AccountLockoutThreshold = (([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)).GPO.Computer.ExtensionData.Extension.Account |
    Where-Object name -eq LockoutBadCount).SettingNumber

if (!$AccountLockoutThreshold) { Write-Output "Account Lockout Threshold is Not Defined (or is 0) in Default Domain Policy"; return }

Write-Output "Account will lock out after '$AccountLockoutThreshold' invalid login attempts"

# The account to lock and a deliberately wrong password
$username = "howardsimpson"
$password = ConvertTo-SecureString 'incorrect password' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $password)

# Attempt a remote session with the bad credential until the threshold is reached;
# each failed attempt raises the account's bad password count on the domain controller.
$attempts = 0
Do {
    $attempts++
    Write-Output "'$username' login attempt $attempts"
    Enter-PSSession -ComputerName 2K19-DC -Credential $credential -ErrorAction SilentlyContinue
} Until ($attempts -eq $AccountLockoutThreshold)

Write-Output "'$username' successfully locked out."

The output should look like this:

(Screenshot: Lock Active Directory User Account PowerShell script output)
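The script above prints "successfully locked out" after the loop regardless of what actually happened. As an added example (not part of the original post), the following confirms the account's state from Active Directory and reads the lockout policy directly with Get-ADDefaultDomainPasswordPolicy instead of parsing a GPO report. It assumes the ActiveDirectory module (RSAT) is installed; the user name and domain controller name are the post's sample values, and the function names are my own.

```powershell
# Added example: verify the lockout rather than assume it.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-LockoutPolicySummary {
    # Get-ADDefaultDomainPasswordPolicy exposes the threshold, observation window
    # and duration directly. Caveat: a fine-grained password policy (PSO) applied
    # to the user overrides these domain-wide values.
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        LockoutThreshold         = $policy.LockoutThreshold          # 0 means lockout is disabled
        LockoutObservationWindow = $policy.LockoutObservationWindow  # bad-password counter resets after this
        LockoutDuration          = $policy.LockoutDuration
    }
}

function Get-ADAccountLockoutState {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # badPwdCount is not replicated; the PDC emulator holds the authoritative value
        [string] $Server = (Get-ADDomain).PDCEmulator
    )
    $user = Get-ADUser -Identity $Identity -Server $Server -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime
    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        LockedOut       = [bool]$user.LockedOut
        LockoutTime     = if ($user.lockoutTime -gt 0) { [DateTime]::FromFileTime($user.lockoutTime) } else { $null }
        BadPwdCount     = $user.badPwdCount
        LastBadPassword = if ($user.badPasswordTime -gt 0) { [DateTime]::FromFileTime($user.badPasswordTime) } else { $null }
    }
}

# Usage, after the post's loop has run (sample names from the post):
Get-LockoutPolicySummary
$state = Get-ADAccountLockoutState -Identity 'howardsimpson' -Server '2K19-DC'
if ($state.LockedOut) {
    Write-Output "'$($state.SamAccountName)' is locked out (since $($state.LockoutTime))."
} else {
    Write-Output "'$($state.SamAccountName)' is NOT locked out; badPwdCount is $($state.BadPwdCount)."
}
```

If the check reports the account as not locked even though the loop completed, the usual reasons are that a fine-grained password policy with a different threshold applies to the user, or that the attempts were spread over longer than the observation window, which resets the counter. Querying the PDC emulator avoids a stale badPwdCount from another domain controller.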

Research source: https://mikefrobbins.com/2013/11/28/lock-out-active-directory-user-accounts-with-powershell/
