Active Directory Lockout Source Reporting with PowerShell
A practical PowerShell automation for reporting locked-out Active Directory users, identifying the source machine from Event ID 4740, generating CSV and HTML reports, and sending the results to administrators.
Discovers the Primary Domain Controller Emulator and queries its Security event log.
Reads account lockout events and extracts the user and caller computer details.
Creates TXT, CSV, and HTML outputs, copies them to a share, and emails the result.
Overview
Account lockouts in Active Directory are one of the most common operational pain points in enterprise environments.
They are typically caused by cached credentials, legacy systems, services running under outdated passwords, scheduled tasks, mapped drives, mobile devices with stale credentials, or malicious brute-force attempts.
Identifying the locked-out account is straightforward. Identifying the machine or process responsible for the lockout usually takes more time. This script automates that workflow and turns manual Event Viewer investigation into a repeatable report.
What This Script Does
This automation discovers the PDC Emulator, retrieves all currently locked-out users, queries Security Event ID 4740, extracts the caller computer, generates reports, copies them to a shared location, sends an email summary, and logs the execution duration.
The output includes a TXT list of locked users, a CSV report of users and source hosts, and a clean HTML report sorted by username.
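The core of that workflow, as an added example that is not the script from the post's GitHub repository: discover the PDC Emulator, list the currently locked-out users, pull Event ID 4740 from the PDC's Security log for a lookback window, read the user and caller computer from the event XML, and write the TXT, CSV and HTML outputs. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the PDC's Security log remotely; the output path and lookback hours are placeholders.

```powershell
# Added example, not the post's Get-AccountLockoutReport.ps1.
# Assumes RSAT ActiveDirectory module and remote read access to the PDC Security log.
#Requires -Modules ActiveDirectory
param(
    [int]$LookbackHours = 24,                       # assumed default window
    [string]$OutputDir  = 'C:\Temp\LockoutReport'   # placeholder path
)

$start = Get-Date
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# 1. Lockout processing is centered on the PDC Emulator, so query its log.
$pdc = (Get-ADDomain).PDCEmulator

# 2. Accounts that are locked out right now (TXT list).
$locked = @(Search-ADAccount -LockedOut -UsersOnly | Select-Object -ExpandProperty SamAccountName)
$locked | Set-Content -Path (Join-Path $OutputDir 'LockedUsers.txt')

# 3. Event ID 4740 on the PDC within the lookback window.
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $start.AddHours(-$LookbackHours)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. Read fields by name from the event XML instead of by positional index.
#    In 4740 the caller computer is carried in the TargetDomainName data element.
$rows = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $caller = $data['TargetDomainName']
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = $data['TargetUserName']
        # A blank caller is a real outcome; flag it instead of silently dropping the row.
        SourceHost  = if ([string]::IsNullOrWhiteSpace($caller)) { '<blank: check 4771/4776>' } else { $caller }
        ReportedBy  = $pdc
        StillLocked = ($locked -contains $data['TargetUserName'])
    }
}) | Sort-Object User, TimeCreated

# 5. CSV for filtering, HTML for helpdesk/operations viewing.
$rows | Export-Csv -Path (Join-Path $OutputDir 'LockoutSources.csv') -NoTypeInformation
$rows | ConvertTo-Html -Title 'Account Lockout Sources' `
    -PreContent "<h1>Account lockouts on $pdc (last $LookbackHours h)</h1>" |
    Set-Content -Path (Join-Path $OutputDir 'LockoutSources.html')

$elapsed = [math]::Round(((Get-Date) - $start).TotalSeconds, 1)
"Done in $elapsed s: $($rows.Count) lockout events, $($locked.Count) accounts currently locked."
```

Copying the files to a share and mailing them (for example with Copy-Item and Send-MailMessage) bolts on after step 5. The events only exist if the Domain Controllers audit Success for the Account Management > User Account Management subcategory, which is where 4740 is logged; `auditpol /get /subcategory:"User Account Management"` run on a DC shows the effective setting.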
Operational Use Case
This is useful for scheduled daily lockout reporting, service account monitoring, password spray detection, recurring workstation misconfiguration analysis, and helpdesk investigations.
Instead of logging into a Domain Controller, opening Event Viewer, filtering Security logs, and manually correlating users to machines, the report can run unattended as a scheduled task.
Important Notes Before Running
Event ID 4740 is the account lockout event, and its Additional Information section carries the Caller Computer Name: the host that submitted the failing credentials. The PDC Emulator matters because the other Domain Controllers forward bad-password attempts to it, so lockout processing is centered there; in complex environments you may still need to inspect other Domain Controllers if the caller is blank or points to another DC.
Also make sure your Domain Controllers are auditing account management events. Without the right audit policy, the script cannot report what was never logged.
PowerShell Script
The full PowerShell script is maintained on GitHub so it can be updated, versioned, and downloaded directly.
# Quick usage
# 1. Review and update these values inside the script:
# - TempPath
# - SharedPath
# - SMTP server
# - Sender and recipient addresses
# 2. Run from a secured admin host or Domain Controller
# with permissions to query AD and read the PDC Security log.
# 3. Recommended execution:
powershell.exe -ExecutionPolicy Bypass -File .\Get-AccountLockoutReport.ps1
How to Read the Report
The TXT file shows the currently locked-out accounts. The CSV file gives you structured data for filtering and sorting. The HTML report gives a cleaner view for helpdesk or operations teams.
The most important column is Source Host. That is the machine name recorded in the lockout event. Start your investigation there by checking services, scheduled tasks, saved credentials, mapped drives, mobile mail profiles, and applications using stale passwords.
Limitations
Event ID 4740 is extremely useful, but it is not perfect. Sometimes the caller computer can be blank, or it can show a Domain Controller instead of the original workstation. In those cases, investigate the related authentication failures: 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation).
Also remember that this script reports what exists in the configured event time window. If the Security log rolled over or the lockout happened outside the lookback window, the report may not include it.
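A fallback for the blank or DC-only caller case, as an added example that is not part of the post's script: for one account, collect 4771 and 4776 events from every Domain Controller in the lookback window, keep only the bad-password results, and group them by source so the client that is repeatedly sending a stale password stands out. It assumes the ActiveDirectory module and read access to each DC's Security log; the account name and lookback are parameters you supply.

```powershell
# Added example, not part of the post's script. Assumes RSAT ActiveDirectory module
# and remote read access to the Security log on each Domain Controller.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$LookbackHours = 24                        # assumed default window
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Bad passwords are validated on whichever DC the client used before being chained
# to the PDC, so the source detail lives on that DC, not necessarily on the PDC.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = @(foreach ($dc in $dcs) {
    $evts = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4771, 4776
        StartTime = $since
    }
    foreach ($e in $evts) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # TargetUserName is the sAMAccountName in both events; -ne is case-insensitive.
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc
            EventId     = $e.Id
            # 4771 records the client IP (IPv4-mapped IPv6 prefix stripped);
            # 4776 records the workstation name the NTLM request came from.
            Source      = if ($e.Id -eq 4771) { $data['IpAddress'] -replace '^::ffff:', '' } else { $data['Workstation'] }
            Status      = $data['Status']
        }
    }
})

# Wrong-password status codes: 0x18 for Kerberos (4771), 0xC000006A for NTLM (4776).
# 0xC0000234 on 4776 means "already locked out" and is noise for source hunting.
$badPassword = $results | Where-Object { $_.Status -in '0x18', '0xC000006A' }

$badPassword |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='Source'; e={ $_.Name }},
        @{n='LastSeen'; e={ ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated }},
        @{n='DCs';      e={ ($_.Group.DC | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

The 4771 source is an IP address rather than a hostname, so resolve it against DNS or DHCP leases before handing it to the helpdesk. The same lookback caveat applies here: if the Security log on the DC that handled the attempt has already rolled over, the failure is gone regardless of how far back you ask.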
Final Thoughts
Account lockout troubleshooting becomes much easier when the investigation starts with the source machine instead of only the locked account. This script gives administrators a repeatable way to capture that information and share it with the right team quickly.
Next, we can cover how to schedule this script with Task Scheduler, rotate old reports, and alert only when service accounts or privileged accounts are locked out.