Find AD Account Lockout Policy using Powershell

In this article, I am going to explain about how to find and read the settings of account lockout policy in current Active Directory domain by using Powershell.

Summary

# Method 1 : Get-ADDefaultDomainPasswordPolicy

We can use the Active Directory powershell cmdet Get-ADDefaultDomainPasswordPolicy to gets the account lockout policy settings for an Active Directory domain. Before proceed, run the below command to import the Active Directory module.

Import-Module ActiveDirectory

The below command get the default account lockout policy from current logged on user domain.

Get-ADDefaultDomainPasswordPolicy | Select LockoutDuration,LockoutObservationWindow,`
LockoutThreshold | FL

This command returns the following results (LockoutDuration,LockoutObservationWindow and LockoutThreshold).

PS C:> Get-ADDefaultDomainPasswordPolicy | Select LockoutDuration,LockoutObservationWindow,`
LockoutThreshold | FL

LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 6

# Method 2 : Get-ADObject

We can also use Get-ADObject to retrieve account lockout policy associated properties from the domain naming context (defaultNamingContext).

$RootDSE = Get-ADRootDSE
$AccountPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property lockoutDuration,`
                 lockoutObservationWindow, lockoutThreshold 
$AccountPolicy | Select Name,`
  @{n="Lockout duration";e={"$($_.lockoutDuration / -600000000) minutes"}},`
  @{n="Reset lockout counter";e={"$($_.lockoutObservationWindow / -600000000) minutes"}},`
  @{n="Lockout Threshold";e={"$($_.lockoutThreshold) invalid logon attempts"}} | FL

The above command returns the following results (Lockout duration, Reset lockout counter and Lockout Threshold).

Name                  : contoso
Lockout duration      : 30 minutes
Reset lockout counter : 30 minutes
Lockout Threshold     : 6 invalid logon attempts

# Method 3 : net accounts

We can also use the following net command to look at the account lockout policy details.

net accounts

This command returns the following results (Lockout duration (minutes), Lockout observation window (minutes) and Lockout threshold).

PS C:> net accounts

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    6
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.

Advertisement

Leave a Comment