# Get List of Locked Out Users and their Clients and Kill the Sessions ### Get List of Locked Out Users Download the [Get-LockedOutUser.ps1](https://docs.deeztek.com/attachments/1) script and run it in an administrator powershell prompt: ``` PS C:\Tools> .\Get-LockedOutUser.ps1 ``` In the **Security Warning**, click on **Run once** (**Figure 1**): **Figure 1** [![image-1611759567377.png](https://docs.deeztek.com/uploads/images/gallery/2021-01/scaled-1680-/image-1611759567377.png)](https://docs.deeztek.com/uploads/images/gallery/2021-01/image-1611759567377.png) In the **cmdlet Get-Credential at command pipeline** prompt, supply Administrator credentials (**Figure 2**): **Figure 2** [![image-1611759668003.png](https://docs.deeztek.com/uploads/images/gallery/2021-01/scaled-1680-/image-1611759668003.png)](https://docs.deeztek.com/uploads/images/gallery/2021-01/image-1611759668003.png) Wait for a bit while it parses the domain controller logs and you should see an output similar to below where the **UserName** field reflects the locked out username and the **ClientName** field reflects the client machine the lockout was generated: ``` TimeCreated UserName ClientName ----------- -------- ---------- 1/27/2021 9:15:39 AM user1 wkstation1 1/27/2021 8:20:47 AM user2 wkstation25 1/27/2021 8:15:27 AM user3 wkstation11 ``` ### Kill the Sessions From a administrator command prompt, get the session ID of the logged in user from the machine name from the powershell output above by using **qwinsta** to query the user session on the client machine you wish to kill the session from: ``` qwinsta /server:wkstation1 ``` You should get an output similar to below: ``` SESSIONNAME USERNAME ID STATE TYPE DEVICE services 0 Disc console user1 1 Disc rdp-tcp 65536 Listen ``` If we were to kill the session for **user1**, then the session ID would be **1**. We can kill the session by using **rwinsta**: ``` rwinsta 1 /server:wkstation1 ```