SyntaxFix

[powershell] How can I verify if an AD account is locked?

I want to know if it is possible to verify if a specific AD account is locked.

The command Get-ADUser does not return this parameter :

 -------------------------- EXAMPLE 3 --------------------------

 Command Prompt: C:\PS>
 Get-ADUser GlenJohn -Properties * 


  - Surname : John 
  - Name : Glen John
  - UserPrincipalName : jglen
  - GivenName : Glen
  - Enabled : False
  - SamAccountName : GlenJohn
  - ObjectClass :
  - user SID :S-1-5-21-2889043008-4136710315-2444824263-3544
  - ObjectGUID :e1418d64-096c-4cb0-b903-ebb66562d99d
  - DistinguishedName : CN=Glen John,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM

 Description :
 -----------

 Get all properties of the user with samAccountName 'GlenJohn'.

 --------------------------END EXAMPLE --------------------------

Is there an other way to get this information ?

This question is related to powershell active-directory

The answer is

I found also this list of property flags: How to use the UserAccountControl flags

SCRIPT  0x0001  1
ACCOUNTDISABLE  0x0002  2
HOMEDIR_REQUIRED    0x0008  8
LOCKOUT 0x0010  16
PASSWD_NOTREQD  0x0020  32
PASSWD_CANT_CHANGE 0x0040   64
ENCRYPTED_TEXT_PWD_ALLOWED  0x0080  128
TEMP_DUPLICATE_ACCOUNT  0x0100  256
NORMAL_ACCOUNT  0x0200  512
INTERDOMAIN_TRUST_ACCOUNT   0x0800  2048
WORKSTATION_TRUST_ACCOUNT   0x1000  4096
SERVER_TRUST_ACCOUNT    0x2000  8192
DONT_EXPIRE_PASSWORD    0x10000 65536
MNS_LOGON_ACCOUNT   0x20000 131072
SMARTCARD_REQUIRED  0x40000 262144
TRUSTED_FOR_DELEGATION  0x80000 524288
NOT_DELEGATED   0x100000    1048576
USE_DES_KEY_ONLY    0x200000    2097152
DONT_REQ_PREAUTH    0x400000    4194304
PASSWORD_EXPIRED    0x800000    8388608
TRUSTED_TO_AUTH_FOR_DELEGATION  0x1000000   16777216
PARTIAL_SECRETS_ACCOUNT 0x04000000      67108864

You must make a binary-AND of property userAccountControl with 0x002. In order to get all locked (i.e. disabled) accounts you can filter on this:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

For operator 1.2.840.113556.1.4.803 see LDAP Matching Rules

This ScriptingGuy guest post links to a script by a Microsoft Powershell Expert can help you find this information, but to fully audit why it was locked and which machine triggered the lock you probably need to turn on additional levels of auditing via GPO.

https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab#content

Here's another one:

PS> Search-ADAccount -Locked | Select Name, LockedOut, LastLogonDate

Name                                       LockedOut LastLogonDate
----                                       --------- -------------
Yxxxxxxx                                        True 14/11/2014 10:19:20
Bxxxxxxx                                        True 18/11/2014 08:38:34
Administrator                                   True 03/11/2014 20:32:05

Other parameters worth mentioning:

Search-ADAccount -AccountExpired
Search-ADAccount -AccountDisabled
Search-ADAccount -AccountInactive

Get-Help Search-ADAccount -ShowWindow

If you want to check via command line , then use command "net user username /DOMAIN"

enter image description here

Source: Stackoverflow.com

Examples related to powershell

Why powershell does not run Angular commands? How do I install the Nuget provider for PowerShell on a unconnected machine so I can install a nuget package from the PS command line? How to print environment variables to the console in PowerShell? Check if a string is not NULL or EMPTY The term 'ng' is not recognized as the name of a cmdlet VSCode Change Default Terminal 'Connect-MsolService' is not recognized as the name of a cmdlet Powershell Invoke-WebRequest Fails with SSL/TLS Secure Channel Install-Module : The term 'Install-Module' is not recognized as the name of a cmdlet Change directory in PowerShell

Examples related to active-directory

Powershell: A positional parameter cannot be found that accepts argument "xxx" How to switch to another domain and get-aduser How can I verify if an AD account is locked? Powershell script to see currently logged in users (domain and machine) + status (active, idle, away) Querying Windows Active Directory server using ldapsearch from command line How to list AD group membership for AD users using input list? Import-Module : The specified module 'activedirectory' was not loaded because no valid module file was found in any module directory What are CN, OU, DC in an LDAP search? PowerShell script to return members of multiple security groups How do I get specific properties with Get-AdUser

Tags

For-comprehension Platypus Non-greedy Pyscripter Linker-scripts Linqtemplates Bag Choicefield Nhibernate-cascade Expected-exception Jks Photography Url-rewriting Video-streaming Solid-bodies Freeimage Loadmodule Time-management Z-index Device-manager Drools Data-generation Application-onerror Bridge Counting Heat Unison C++builder-5 Pixbuf Android-controls Novell-idm Mersenne-twister Suppress Helios Longest-substring Datapager Module-pattern Httplib Rokon Keypress Pygame Webmethod Chainable Raima Rcs Aabb Build-events Distributed-lock Sqr Cran Stackexchange Shibboleth Rinari Maturity Cyclomatic-complexity Llblgenpro Uipasteboard Adobe-analytics Clearcanvas Coda Gwt-animation Mysql-error-1111 Eps Force-download Pipe Information-visualization Regression Parsec Generic.xaml Document-body Isaserver Two-columns Responsetext Modifiers Jmenuitem Po-file Bulk-operations Attr Inner-exception Roulette-wheel-selection Offline-mode Interactive Nsdecimalnumber Libpqxx Re-engineering Jsonreader Event-dispatching Ex-mode Epic Mod-ldap Spim Document-oriented Xnu Dynamics-ax-2009 Lamson Templating-engine Mod-expires Reasoning Basichttpbinding Grid-system