How to Find Source Machine of Locked User Account in Active Directory using Powershell
One common thing we experience every once in a while is that users are getting continually locked out of their Active Directory account.
This can happen if one of their devices is trying to authenticate with an old password they recently changed.
Below powershell scripts can find the user where have been locked. You need run it on one of your domain controller.
You need to run this ps file as an administrator. I have added the command to elevate the administrator authorative.
–
param([switch]$Elevated)
function Test-Admin {
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
$currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
if ((Test-Admin) -eq $false) {
if ($elevated) {
# tried to elevate, did not work, aborting
} else {
Start-Process powershell.exe -Verb RunAs -ArgumentList (‘-noprofile -noexit -file “{0}” -elevated’ -f ($myinvocation.MyCommand.Definition))
}
exit
}
‘Running with Full Privileges’
$username = Read-Host “Please Enter User Name”
$pdcname=(get-addomain).PDCEmulator
$Date = (Get-Date).AddDays(-2)
Get-WinEvent -FilterHashtable @{
logname=’security’;id=4740;data=$username; StartTime=$Date} |`
Select-Object -Property timecreated,`
@{label=’User Name’;expression={$_.properties[0].value}},`
@{label=’Caller Computer Name’;expression={$_.properties[1].value}}
–
When you run the script, you will see below screen and write down the which one user want to look source of lock.

After you write it down you will see below screen and you will be able to see from which source of locked your users. That’ all!

Regards.
Bulent.