
Active Directory Lockout Source Reporting with PowerShell

A practical PowerShell automation for reporting locked-out Active Directory users, identifying the source machine from Event ID 4740, generating CSV and HTML reports, and sending the results to administrators.

Quick idea: Finding who is locked out is easy. Finding which workstation, service, scheduled task, or cached credential caused the lockout is where this script saves time.
PDC: Discovers the Primary Domain Controller Emulator and queries its Security event log.

Event 4740: Reads account lockout events and extracts the user and caller computer details.

Reports: Creates TXT, CSV, and HTML outputs, copies them to a share, and emails the result.

Overview

Account lockouts in Active Directory are one of the most common operational pain points in enterprise environments.

They are typically caused by cached credentials, legacy systems, services running under outdated passwords, scheduled tasks, mapped drives, mobile devices with stale credentials, or malicious brute-force attempts.

Identifying the locked-out account is straightforward. Identifying the machine or process responsible for the lockout usually takes more time. This script automates that workflow and turns manual Event Viewer investigation into a repeatable report.

What This Script Does

This automation discovers the PDC Emulator, retrieves all currently locked-out users, queries Security Event ID 4740, extracts the caller computer, generates reports, copies them to a shared location, sends an email summary, and logs the execution duration.

The output includes a TXT list of locked users, a CSV report of users and source hosts, and a clean HTML report sorted by username.

Operational Use Case

This is useful for scheduled daily lockout reporting, service account monitoring, password spray detection, recurring workstation misconfiguration analysis, and helpdesk investigations.

Instead of logging into a Domain Controller, opening Event Viewer, filtering Security logs, and manually correlating users to machines, the report can run unattended as a scheduled task.

Run requirement: Run this from a secured admin host or the PDC itself with rights to query Active Directory and read the PDC Security event log. Domain Admin works, but a delegated least-privilege account is better for production: membership in the domain's Event Log Readers group covers remote reads of the Security log, and listing locked-out accounts needs only the default read access to user objects, so neither part of the job requires Domain Admin. If the account is a scheduled-task identity, treat it as a privileged credential anyway, because it can read every authentication event the DC writes.

Important Notes Before Running

Event ID 4740 ("A user account was locked out") is written as a Success audit under Account Management, and its event data carries the Caller Computer Name, the host from which the bad password attempt that tripped the lockout threshold was reported. The PDC Emulator matters because every Domain Controller forwards bad-password attempts to it before rejecting them, so the PDC records a 4740 for every lockout in the domain, while other DCs only log the lockouts they processed themselves. In complex environments you may still need to inspect other Domain Controllers if the caller is blank or points to another DC.

Also make sure your Domain Controllers are auditing account management events. Event 4740 is only written when Audit User Account Management (under Account Management in the Advanced Audit Policy) has Success auditing enabled on the DCs; the default Domain Controllers policy usually has it, but a hardening baseline that turns off success auditing silently breaks this report. Without the right audit policy, the script cannot report what was never logged.
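The pipeline described above, written out as an added example. This is not the script hosted on GitHub; it follows the same steps (find the PDC Emulator, read 4740 from its Security log, map user to caller computer, write TXT/CSV/HTML) and adds two checks the report needs in practice: flagging events whose caller is blank or is itself a Domain Controller, and flagging one source that locks out many distinct users, which is the shape of a password spray. The output directory, the 24-hour lookback and the threshold of five users are assumptions to adjust; the mail and share-copy steps from the original are left out.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the GitHub script the page links to. Same pipeline: find the
# PDC Emulator, read 4740 from its Security log, map each locked user to the caller
# computer, and write TXT/CSV/HTML. $OutDir and $LookbackHours are assumed values.
[CmdletBinding()]
param(
    [int]$LookbackHours = 24,
    [string]$OutDir = 'C:\Temp\LockoutReport'
)

Import-Module ActiveDirectory -ErrorAction Stop

# The PDC Emulator receives every bad-password attempt in the domain, so its
# Security log is the one place where all 4740 events appear.
$pdc = (Get-ADDomain).PDCEmulator
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name)

# Accounts AD currently considers locked (lockoutTime set and not yet expired).
$locked = @(Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
            Select-Object -ExpandProperty SamAccountName)

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue   # "No events were found" is a non-terminating error

$rows = foreach ($e in $events) {
    # Read EventData by field name instead of Properties[] position.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$n.GetAttribute('Name')] = $n.InnerText
    }
    $user   = $d['TargetUserName']
    $caller = $d['TargetDomainName']   # in 4740 this field holds the Caller Computer Name

    # Two outcomes the report cannot resolve by itself; flag them for follow-up.
    $note = if ([string]::IsNullOrWhiteSpace($caller)) { 'Caller blank: pivot to 4771/4776 on the PDC' }
            elseif ($dcs -contains $caller)             { 'Caller is a DC: check that DC, not the PDC' }
            else                                        { '' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $user
        SourceHost  = $caller
        ReportedBy  = $e.MachineName
        StillLocked = ($locked -contains $user)
        Note        = $note
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# TXT: who is locked right now. CSV/HTML: who was locked from where, sorted by user.
$locked | Set-Content -Path (Join-Path $OutDir "locked-users-$stamp.txt")

if ($rows) {
    $sorted = $rows | Sort-Object User, Time
    $sorted | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "lockout-sources-$stamp.csv")
    $sorted | ConvertTo-Html -Title "Account lockouts, last $LookbackHours h" `
        -PreContent "<h1>Account lockouts</h1><p>PDC Emulator: $pdc. Window: $since to $(Get-Date).</p>" |
        Set-Content -Path (Join-Path $OutDir "lockout-sources-$stamp.html")
}

# Spray hint: one source host locking out five or more distinct users (assumed threshold).
$rows | Where-Object SourceHost | Group-Object SourceHost |
    Where-Object { ($_.Group.User | Sort-Object -Unique).Count -ge 5 } |
    Select-Object @{n = 'SourceHost'; e = { $_.Name }},
                  @{n = 'UsersLocked'; e = { ($_.Group.User | Sort-Object -Unique).Count }}
```

Parsing the event XML by field name rather than `Properties[1]` costs a few lines but makes the code independent of field order, and the Note column carries the two follow-up conditions straight into the CSV so the helpdesk does not have to know why a blank or DC-named source is suspicious. The `ReportedBy` column records which DC wrote the event, which matters once you start querying DCs other than the PDC.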

PowerShell Script

The full PowerShell script is maintained on GitHub so it can be updated, versioned, and downloaded directly.

# Quick usage

# 1. Review and update these values inside the script:
#    - TempPath
#    - SharedPath
#    - SMTP server
#    - Sender and recipient addresses

# 2. Run from a secured admin host or Domain Controller
#    with permissions to query AD and read the PDC Security log.

# 3. Recommended execution:
powershell.exe -ExecutionPolicy Bypass -File .\Get-AccountLockoutReport.ps1

#    Note: -ExecutionPolicy Bypass only skips the script-signing check for this
#    one process; it grants no additional rights. Once the script runs unattended
#    from a share, sign it and run under RemoteSigned or AllSigned instead, so a
#    tampered copy on the share is refused rather than executed with the task
#    account's privileges.

How to Read the Report

The TXT file shows the currently locked-out accounts. The CSV file gives you structured data for filtering and sorting. The HTML report gives a cleaner view for helpdesk or operations teams.

The most important column is Source Host. That is the machine name recorded in the lockout event. Start your investigation there by checking services, scheduled tasks, saved credentials, mapped drives, mobile mail profiles, and applications using stale passwords.

Limitations

Event ID 4740 is extremely useful, but it is not perfect. Sometimes the caller computer is blank, or it shows a Domain Controller or member server instead of the original workstation, because the name is whatever the authenticating server reported to the DC. In those cases, investigate the related authentication failures for the same user on the same DC: 4771 (Kerberos pre-authentication failed, Status 0x18 meaning bad password) records the client IP address directly, and 4776 (NTLM credential validation, Status 0xC000006A meaning bad password) records the workstation name the server passed along. When 4776 points at a member server, 4625 in that server's own Security log shows the source network address of the real client.
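The pivot above as an added example, not part of the page's script: for one locked user, pull the 4771 and 4776 failures from the PDC (or any DC you name) for the lookback window, normalise the source field of each event type, and rank the sources that supplied a wrong password. The function name, the `svc-backup` account and the 24-hour window are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the page's script. When 4740 shows a blank caller or a
# Domain Controller, pull the user's Kerberos (4771) and NTLM (4776) failures from the
# same DC and rank the sources. Status 0x18 (4771) and 0xC000006A (4776) both mean
# "wrong password". Function name, default server and window are assumptions.
function Get-LockoutAuthTrail {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$LookbackHours = 24
    )
    # $User is spliced into an XPath literal; refuse anything that could break out of it.
    if ($User -match "['\]\[]") { throw "Unexpected characters in user name: $User" }

    $ms = $LookbackHours * 3600 * 1000
    # Filter on the DC side so only this user's failures cross the wire. XPath string
    # comparison is case-sensitive, so use the casing the client sends (4740's
    # TargetUserName is a good source for it).
    $xpath = "*[System[(EventID=4771 or EventID=4776) and " +
             "TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='TargetUserName']='$User']]"

    $events = Get-WinEvent -ComputerName $Server -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }

        if ($e.Id -eq 4771) {
            # Kerberos pre-auth failure: the KDC saw the client's IP directly.
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Id          = 4771
                Protocol    = 'Kerberos'
                Source      = ($d['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                Status      = $d['Status']
                BadPassword = ($d['Status'] -eq '0x18')
            }
        } else {
            # NTLM via Netlogon: Workstation is the name the authenticating server passed
            # along; it can be blank or the server itself, so confirm with 4625 on that host.
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Id          = 4776
                Protocol    = 'NTLM'
                Source      = $d['Workstation']
                Status      = $d['Status']
                BadPassword = ($d['Status'] -eq '0xC000006A')
            }
        }
    }
}

# Usage (assumed account name): rank the hosts that supplied wrong passwords for a locked user.
Get-LockoutAuthTrail -User 'svc-backup' |
    Where-Object BadPassword |
    Group-Object Protocol, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Filtering with XPath rather than pulling the whole Security log and filtering client-side is the difference between seconds and minutes on a busy DC, and the character check on `$User` is there because the account name is interpolated into that filter. The `BadPassword` flag matters: a locked account also generates 4771 events with Status 0x12 (account locked out), and those tell you where retries are coming from now, not what caused the lockout.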

Also remember that this script reports what exists in the configured event time window. If the Security log rolled over or the lockout happened outside the lookback window, the report may not include it.

Production note: Replace the SMTP server, sender, recipient, shared path, and retention window before scheduling this script. Also test it in a non-production OU or controlled admin environment first.

Final Thoughts

Account lockout troubleshooting becomes much easier when the investigation starts with the source machine instead of only the locked account. This script gives administrators a repeatable way to capture that information and share it with the right team quickly.

Key takeaway: Event ID 4740 tells you who was locked out and, in most cases, which computer the lockout came from. Automating that lookup turns a repetitive helpdesk task into a scheduled operational report.
Next in this series

Next, we can cover how to schedule this script with Task Scheduler, rotate old reports, and alert only when service accounts or privileged accounts are locked out.