![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
<\/h2>\n <\/h2>\nHey, Scripting Guy! I know we probably should not do this, but we have account lockout set at work. If a user types in too many bad passwords, they are locked out forever. It requires a call to the help desk to have their account unlocked. The problem is that some users who are shall we say \u201cless motivated\u201d simply refuse to work. They say it is a network problem, and they do not call the help desk. If the boss says anything to them, they say the network is not working, and then he calls. We need a script that will list all the locked-out user accounts in our domain. Can this be done?<\/p>\n
– TB<\/p>\n
![\"Spacer\"](\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\")
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")
<\/p>\n
Hi TB,<\/p>\n
You know the danger of account lockout don\u2019t you? It makes for a very easy Denial of Service (DOS)<\/a> attack. Earlier this year we released the Windows 2008 Security Guide (available for download<\/a> or online browsing<\/a>). In it we recommend increasing the lockout threshold and setting moderate lockout duration. Then you monitor for suspicious activity. The idea is the lockout duration should be long enough to frustrate script kitties<\/a>, but not network administrators. You should also read this series of articles about passwords and pass phrases<\/a>. In the first two articles, Jesper Johansson talks about password strategies. In the last article, he talks about password policies which include, of course, account lockout policies. The articles make for interesting reading, and should frame an informed review of one\u2019s security policies. <\/p>\n By the way, here is a picture of a script kitty I took while visiting theWoodland Park Zoo<\/a> in Seattle, Washington, in the United States. We\u2019ll call him Get-Aslan:<\/p>\n <\/p>\n To search for locked-out user accounts, you need to first query Active Directory Directory Services (AD DS) for user accounts. Then go through the user accounts querying the IsAccountLocked<\/b> property, and print out the distinguishedName<\/b> attribute of the user. Here is a VBScript script that accomplishes a similar task <\/a>. Here is the script written in Windows PowerShell (if you are unfamiliar with Windows PowerShell, you may want to check out our Windows PowerShell Owner\u2019s Manual<\/a>):<\/p>\n The script begins by creating an instance of the DirectoryServices.DirectorySearcher<\/b> .NET Framework class. We use the New-Object<\/b> cmdlet to create the DirectorySearcher<\/b>. This allows us to search AD DS. Our constructor tells the DirectorySearcher<\/b> we wish to search rootdse<\/b> using the LDAP protocol. <\/p>\n Keep in mind that LDAP must be in all caps. It is one of the few things that is case sensitive: <\/p>\n Next we specify the filter to use with the DirectorySearcher<\/b>. We use ObjectCategory<\/b>, which is the name of an attribute in AD DS, and we filter out if the ObjectCategory<\/b> has a value of user<\/b>. This is seen here: <\/p>\n We use the findall<\/b> method to return all the user objects, and then we pipeline the user objects to the Foreach-Object<\/b> cmdlet. This is seen here: <\/p>\n The ForEach-Object<\/b> allows us to work through all the user objects as they come across the pipeline. We use the backtick to continue the command to the next line: <\/p>\n We begin by specifying an action for the -begin<\/b> parameter. This code will be executed once within the entire ForEach-Object<\/b> cmdlet. We print out a message that says \u201cLocating locked out User accounts,\u201d and we initialize the $userCount<\/b> variable to 0<\/b>. This is seen here: <\/p>\n The process<\/b> parameter is used to perform an action on each object that comes across the pipeline. We use the [adsi]<\/b> type accelerator and give it the path of the SearchResult<\/b> object. This gives us a DirectoryEntry<\/b> object. We use the psbase<\/b> property to gain access to the invokeGet<\/b> method, which retrieves the IsAccountLocked<\/b> property. If this value is true, we :<\/p>\n The ending of our script prints out the count of the number of locked-out accounts. This is seen here:<\/p>\n![\"Image](\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/qanda\/hsg\/hey1120\/hsg_lockedout1.jpg\")
<\/p>\n$adsiSearcher = New-Object DirectoryServices.DirectorySearcher(\"LDAP:\/\/rootdse\")\n$adsiSearcher.filter = \"ObjectCategory=User\"\n$adsiSearcher.findAll() | \nForEach-Object `\n -Begin `\n { \n \"Locating locked out User accounts ...\" \n $UserCount = 0\n } `\n -Process `\n {\n If( ([adsi]$_.path).psbase.invokeGet(\"IsAccountLocked\") )\n {\n ([adsi]$_.path).DistinguishedName + \" is locked out\"\n $UserCount ++\n }\n } `\n -End `\n {\n \"There were $userCount locked out User Accounts.\"\n }\n<\/pre>\n$adsiSearcher = New-Object DirectoryServices.DirectorySearcher(\"LDAP:\/\/rootdse\")<\/pre>\n
$adsiSearcher.filter = \"ObjectCategory=User\"<\/pre>\n
$adsiSearcher.findAll() |<\/pre>\n
ForEach-Object `<\/pre>\n
-Begin `\n{ \n \"Locating locked out User accounts ...\" \n $UserCount = 0\n } `\n<\/pre>\n-Process `\n {\n If( ([adsi]$_.path).psbase.invokeGet(\"IsAccountLocked\") )\n {\n ([adsi]$_.path).DistinguishedName + \" is locked out\"\n $UserCount ++\n }\n } `\n<\/pre>\n-End `\n {\n \"There were $userCount locked out User Accounts.\"\n }\n<\/pre>\n