Skip to main content

Get List of Locked Out Users and their Clients and Kill the Sessions

Get List of Locked Out Users

Download the Get-LockedOutUser.ps1 script and run it in an administrator powershell prompt:

PS C:\Tools> .\Get-LockedOutUser.ps1

In the Security Warning, click on Run once (Figure 1):

Figure 1

image-1611759567377.png

In the cmdlet Get-Credential at command pipeline prompt, supply Administrator credentials (Figure 2):

Figure 2

image-1611759668003.png

Wait for a bit while it parses the domain controller logs and you should see an output similar to below where the UserName field reflects the locked out username and the ClientName field reflects the client machine the lockout was generated:

TimeCreated          UserName        ClientName
-----------          --------        ----------
1/27/2021 9:15:39 AM user1			 wkstation1  
1/27/2021 8:20:47 AM user2		     wkstation25  
1/27/2021 8:15:27 AM user3 			 wkstation11 

Kill the Sessions

From a administrator command prompt, get the session ID of the logged in user from the machine name from the powershell output above by using qwinsta to query the user session on the client machine you wish to kill the session from:

qwinsta /server:wkstation1

You should get an output similar to below:

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           user1	                 1  Disc
 rdp-tcp                                 65536  Listen

If we were to kill the session for user1, then the session ID would be 1. We can kill the session by using rwinsta:

rwinsta 1 /server:wkstation1