Lock Active Directory User Account - PowerShell
In this post, I describe how you can lock an Active Directory User Account using PowerShell.
As far as I can tell, it's not possible to lock an Active Directory User Account in the Active Directory management tools UI (Active Directory Users and Computers). However, sometimes it's necessary to lock an account, for example, if you are testing a tool which unlocks an account, such as XIA Automation.
Locking an Active Directory User Account
To lock an Active Directory User Account in PowerShell, we can write a simple script.
Firstly, we get the account lockout threshold from group policy:
$AccountLockoutThreshold = ((([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)).GPO.Computer.ExtensionData.Extension.Account |
Where-Object name -eq LockoutBadCount).SettingNumber)
You could also just hard code this if you know the value:
$AccountLockoutThreshold = 5
Next, we need to specify the user account we want to lock, and provide an incorrect password:
$username = "howardsimpson"
$password = ConvertTo-SecureString 'incorrect password' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $password)
Finally, we loop, making a login attempt with those credentials on each pass, until the number of attempts reaches the account lockout threshold:
$attempts = 0
Do
{
$attempts++
Write-Output "'$username' login attempt $attempts"
Enter-PSSession -ComputerName 2K19-DC -Credential $credential -ErrorAction SilentlyContinue
}
Until ($attempts -eq $AccountLockoutThreshold)
Script to lock an Active Directory User Account
Here is the complete script:
$AccountLockoutThreshold = ((([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)).GPO.Computer.ExtensionData.Extension.Account |
Where-Object name -eq LockoutBadCount).SettingNumber)
if (!$AccountLockoutThreshold) { Write-Output "Account Lockout Threshold is Not Defined in Default Domain Policy"; return; }
# SettingNumber is read from the XML as a string; cast it so the loop compares numbers.
# A threshold of 0 means lockout is disabled, and the loop below would otherwise never end.
$AccountLockoutThreshold = [int]$AccountLockoutThreshold
if ($AccountLockoutThreshold -le 0) { Write-Output "Account lockout is disabled (threshold 0), nothing to do"; return; }
Write-Output "Account will lock out after '$AccountLockoutThreshold' invalid login attempts"
$username = "howardsimpson"
$password = ConvertTo-SecureString 'incorrect password' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $password)
$attempts = 0
Do {
$attempts++
Write-Output "'$username' login attempt $attempts"
# Each failed WinRM logon with the wrong password increments the account's bad password count.
Enter-PSSession -ComputerName 2K19-DC -Credential $credential -ErrorAction SilentlyContinue
}
Until ($attempts -eq $AccountLockoutThreshold)
Write-Output "'$username' successfully locked out."
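Once the script above has run, you will want to confirm that the account really is locked, see the lockout recorded on the domain controller, and unlock the test account again when the test is finished. The following is an added example, not code from the original post or from XIA Automation. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the PDC emulator's Security log. It reads the effective domain lockout settings with Get-ADDefaultDomainPasswordPolicy instead of parsing a GPO report, which also exposes the observation window within which the failed attempts must occur. The positions used for the account name and caller computer name in the 4740 event's Properties array (index 0 and 1) are an assumption to check against your own events; the user name is the test account from the post.

```powershell
# Added example (not from the original post): verify, investigate and clean up a
# deliberate test lockout. Assumes the ActiveDirectory module and read access to
# the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutPolicy {
    # Effective domain policy: LockoutThreshold 0 means lockout is disabled, and the
    # bad attempts must all fall inside LockoutObservationWindow to trigger a lockout.
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Threshold         = [int]$policy.LockoutThreshold
        ObservationWindow = $policy.LockoutObservationWindow
        LockoutDuration   = $policy.LockoutDuration
    }
}

function Test-AccountLockedOut {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # badPwdCount is kept per domain controller, but bad-password events are urgently
    # replicated to the PDC emulator, so query that DC for a domain-wide view.
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties LockedOut, badPwdCount, lockoutTime
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        LockedOut      = [bool]$user.LockedOut
        BadPwdCount    = [int]$user.badPwdCount
        LockoutTime    = if ($user.lockoutTime) { [DateTime]::FromFileTime([long]$user.lockoutTime) } else { $null }
        QueriedServer  = $pdc
    }
}

function Get-LockoutEvent {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$MinutesBack = 60)
    # Event ID 4740 ("A user account was locked out") is logged on the PDC emulator for
    # every lockout in the domain. Its caller computer name shows where the bad
    # passwords were sent from; for the script above that is the machine you ran it on.
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    } -ErrorAction SilentlyContinue |
        # Assumption: Properties[0] = TargetUserName, Properties[1] = caller computer name.
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        Select-Object TimeCreated,
            @{ n = 'Account';        e = { $_.Properties[0].Value } },
            @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }
}

function Reset-TestAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Unlock on the PDC emulator so the change does not have to wait for replication,
    # then return the refreshed state so the caller can confirm LockedOut is $false.
    $pdc = (Get-ADDomain).PDCEmulator
    Unlock-ADAccount -Identity $SamAccountName -Server $pdc
    Test-AccountLockedOut -SamAccountName $SamAccountName
}

# Usage: run after the lockout script above has finished.
$username = "howardsimpson"   # test account from the post

$policy = Get-LockoutPolicy
Write-Output "Threshold $($policy.Threshold), window $($policy.ObservationWindow), duration $($policy.LockoutDuration)"

$state = Test-AccountLockedOut -SamAccountName $username
Write-Output "LockedOut=$($state.LockedOut) badPwdCount=$($state.BadPwdCount) lockoutTime=$($state.LockoutTime)"

Get-LockoutEvent -SamAccountName $username | Format-Table -AutoSize

if ($state.LockedOut) {
    $after = Reset-TestAccount -SamAccountName $username
    Write-Output "After unlock: LockedOut=$($after.LockedOut)"
}
```

If Test-AccountLockedOut reports the account is not locked even though the script ran the full number of attempts, compare the timestamps of the attempts with the observation window: attempts spread over longer than the window are reset and never reach the threshold. The 4740 event is also the record a security team will see, so running Get-LockoutEvent afterwards shows exactly what a test like this leaves in the domain controller's log.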
Research source: https://mikefrobbins.com/2013/11/28/lock-out-active-directory-user-accounts-with-powershell/