Active Directory account lockouts can be hugely problematic for organizations. There have been documented instances of attackers leveraging the account lockout feature in a type of denial of service attack. By intentionally entering numerous bad passwords, attackers can theoretically lock all of the users out of their accounts.
But what do you do if you are experiencing problems with account lockouts?
The Windows operating system is somewhat limited in its ability to troubleshoot account lockouts, but there are some things that you can do. For example, you can use Windows PowerShell to determine which accounts have been locked out. The command for doing so is:
Search-ADAccount -LockedOut -UsersOnly | Select-Object Name, SamAccountName
Incidentally, the UsersOnly parameter prevents computer objects from being included in the results, while the Select-Object command filters the results list to display only the user’s name and their account name.
If you find that accounts have been…