How do I get the current Bad Password Count for each user?

Bad password attempts are recorded in the badPwdCount attribute on whichever Domain Controller handled the authentication at the time, and that attribute is not replicated. So it is quite possible for several domain controllers to hold different bad password counts for the same account.

Each Domain Controller forwards failed attempts to the server holding the PDC Emulator FSMO role, so that the account can be locked out domain-wide once the threshold is exceeded. Because badPwdCount itself is never replicated, though, the only way to see where the attempts were recorded is to query each domain controller separately for that number.

This PowerShell script (usable without modification) queries each domain controller and sums each user's bad password count across them. A line is then displayed for every user whose total is greater than 0.

 

The resulting output should look like this:

[Screenshot: badpasswdcount]
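The script referred to above is not reproduced on this page. The following is an added example, not the original author's script, that does what that paragraph describes and additionally reports each DC's own value, the time of the last failure on that DC, and the PDC Emulator's value separately. It assumes the ActiveDirectory RSAT module is installed, that the session runs on a host joined to the domain being checked, and that the caller can read user objects on every DC; the DC list is discovered with Get-ADDomainController rather than taken from a hard-coded OU path.

```powershell
# Added example, not the original post's script. Assumes the ActiveDirectory
# RSAT module is installed and that the caller can read user objects on every
# DC of the domain the current session is joined to.
Import-Module ActiveDirectory

# Discover the DCs through the directory and note which one holds the
# PDC Emulator role, since failed attempts are forwarded to it.
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# badPwdCount and badPasswordTime are not replicated, so every DC must be
# asked directly (-Server). One query per DC for all enabled users is far
# cheaper than one query per user per DC.
$perUser = @{}
foreach ($dc in $dcs) {
    try {
        $users = Get-ADUser -Server $dc -Filter { Enabled -eq $true } `
                            -Properties badPwdCount, badPasswordTime -ErrorAction Stop
    }
    catch {
        # An unreachable DC should not abort the sweep; report it and move on.
        Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        if (-not $perUser.ContainsKey($u.SamAccountName)) {
            $perUser[$u.SamAccountName] = @{}
        }
        # badPasswordTime is a raw FILETIME (Int64); 0 means no failure recorded.
        $fileTime = [long]$u.badPasswordTime
        $lastBad  = $null
        if ($fileTime -gt 0) { $lastBad = [DateTime]::FromFileTime($fileTime) }
        $perUser[$u.SamAccountName][$dc] = [pscustomobject]@{
            Count   = [int]$u.badPwdCount
            LastBad = $lastBad
        }
    }
}

# Print one line per user with any failures: the sum across DCs (what the post
# describes), the PDC Emulator's own value, and the per-DC breakdown.
foreach ($sam in ($perUser.Keys | Sort-Object)) {
    $counts = $perUser[$sam]
    $sum    = ($counts.Values | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    if ($sum -gt 0) {
        $detail = ($counts.GetEnumerator() |
                   Where-Object { $_.Value.Count -gt 0 } |
                   ForEach-Object { "{0}={1} (last {2})" -f $_.Key, $_.Value.Count, $_.Value.LastBad }) -join '; '
        $pdcCount = if ($counts.ContainsKey($pdc)) { $counts[$pdc].Count } else { 'n/a' }
        Write-Output ("{0}: sum across DCs {1}, PDC Emulator {2} [{3}]" -f $sam, $sum, $pdcCount, $detail)
    }
}
```

Run it from a PowerShell session on a domain-joined host; DCs that cannot be reached are skipped with a warning rather than aborting the sweep. Read the sum across DCs with care: every DC forwards a failed attempt to the PDC Emulator, which increments its own badPwdCount as well, so the simple sum counts most failures twice. The PDC Emulator's own value is the closest thing to a domain-wide total, while the per-DC breakdown with badPasswordTime tells you which DC the attempts are arriving at, which is what you need when tracing the source of a lockout.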

 

3 Comments on "How do I get the current Bad Password Count for each user?"

  1. Ano

    I was using a similar approach to check an individual user’s badpwdcount, but I found the numbers were fudged as the property isn’t replicated across Domain Controllers 🙁

    If you have an alternative approach that amalgamates the values from the different DCs I’d be in your debt.

    1. Bruce Tonge

      If you echo the username inside the users for loop, and then echo the DC name and badpwdcount inside the DC for loop, you get the badpwdcount for each DC for each user.

      # Import the Active Directory module
      Import-Module ActiveDirectory

      # Get all domain controllers
      $dcs = Get-ADComputer -Filter * -SearchBase "ou=domain controllers,dc=kamal,dc=local"

      # Get all enabled users - change "-Filter { Enabled -eq $true }" to a username to get just one user
      $users = Get-ADUser -Filter { Enabled -eq $true } | Sort-Object Name

      # Loop through all users found
      foreach ($user in $users) {
          $userline = "Username: " + $user.Name
          Write-Host $userline

          # Loop through each domain controller and read its (non-replicated) badPwdCount
          foreach ($dc in $dcs) {
              $newuser = Get-ADUser $user.SamAccountName -Server $dc.Name -Properties badPwdCount
              $dcline = $dc.Name + " " + $newuser.badPwdCount
              Write-Host $dcline
          }
      }

  2. Pingback: Troubleshoot locked out user in Active Directory – scribbleghost
