How can I verify if an AD account is locked

Question

I want to know if it is possible to verify if a specific AD account is locked    The command Get-ADUser does not return this parameter     -------------------------- EXAMPLE 3 --------------------------   Command Prompt  C  PS   Get-ADUser GlenJohn -Properties        - Surname   John    - Name   Glen John   - UserPrincipalName   jglen   - GivenName   Glen   - Enabled   False   - SamAccountName   GlenJohn   - ObjectClass     - user SID  S-1-5-21-2889043008-4136710315-2444824263-3544   - ObjectGUID  e1418d64-096c-4cb0-b903-ebb66562d99d   - DistinguishedName   CN Glen John OU NorthAmerica OU Sales OU UserAccounts DC FABRIKAM DC COM   Description    -----------   Get all properties of the user with samAccountName  GlenJohn     --------------------------END EXAMPLE --------------------------  Is there an other way to get this information

User · Answer

This ScriptingGuy guest post links to a script by a Microsoft Powershell Expert can help you find this information, but to fully audit why it was locked and which machine triggered the lock you probably need to turn on additional levels of auditing via GPO.

https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab#content

User · Answer

Here s another one   PS gt  Search-ADAccount -Locked   Select Name  LockedOut  LastLogonDate  Name                                       LockedOut LastLogonDate ----                                       --------- ------------- Yxxxxxxx                                        True 14 11 2014 10 19 20 Bxxxxxxx                                        True 18 11 2014 08 38 34 Administrator                                   True 03 11 2014 20 32 05   Other parameters worth mentioning   Search-ADAccount -AccountExpired Search-ADAccount -AccountDisabled Search-ADAccount -AccountInactive  Get-Help Search-ADAccount -ShowWindow

User · Answer

The LockedOut property is what you are looking for among all the properties you returned  You are only seeing incomplete output in TechNet  The information is still there  You can isolate that one property using Select-Object   Get-ADUser matt -Properties     Select-Object LockedOut  LockedOut --------- False   The link you referenced doesn t contain this information which is obviously misleading  Test the command with your own account and you will see much more information    Note  Try to avoid -Properties    While it is great for simple testing it can make queries  especially ones with multiple accounts  unnecessarily slow  So  in this case  since you only need lockedout   Get-ADUser matt -Properties LockedOut   Select-Object LockedOut

User · Answer

I found also this list of property flags  How to use the UserAccountControl flags  SCRIPT  0x0001  1 ACCOUNTDISABLE  0x0002  2 HOMEDIR REQUIRED    0x0008  8 LOCKOUT 0x0010  16 PASSWD NOTREQD  0x0020  32 PASSWD CANT CHANGE 0x0040   64 ENCRYPTED TEXT PWD ALLOWED  0x0080  128 TEMP DUPLICATE ACCOUNT  0x0100  256 NORMAL ACCOUNT  0x0200  512 INTERDOMAIN TRUST ACCOUNT   0x0800  2048 WORKSTATION TRUST ACCOUNT   0x1000  4096 SERVER TRUST ACCOUNT    0x2000  8192 DONT EXPIRE PASSWORD    0x10000 65536 MNS LOGON ACCOUNT   0x20000 131072 SMARTCARD REQUIRED  0x40000 262144 TRUSTED FOR DELEGATION  0x80000 524288 NOT DELEGATED   0x100000    1048576 USE DES KEY ONLY    0x200000    2097152 DONT REQ PREAUTH    0x400000    4194304 PASSWORD EXPIRED    0x800000    8388608 TRUSTED TO AUTH FOR DELEGATION  0x1000000   16777216 PARTIAL SECRETS ACCOUNT 0x04000000      67108864   You must make a binary-AND of property userAccountControl with 0x002  In order to get all locked  i e  disabled  accounts you can filter on this     amp  objectClass user  userAccountControl 1 2 840 113556 1 4 803  2     For operator 1 2 840 113556 1 4 803 see LDAP Matching Rules

User · Answer

If you want to check via command line   then use command  net user username  DOMAIN

[powershell] How can I verify if an AD account is locked?

Examples related to powershell

Examples related to active-directory