
How can I verify if an AD account is locked?

I want to know if it is possible to verify if a specific AD account is locked.

The command Get-ADUser does not return this parameter:

 -------------------------- EXAMPLE 3 --------------------------

 Command Prompt: C:\PS>
 Get-ADUser GlenJohn -Properties * 


  - Surname : John 
  - Name : Glen John
  - UserPrincipalName : jglen
  - GivenName : Glen
  - Enabled : False
  - SamAccountName : GlenJohn
  - ObjectClass : user
  - SID : S-1-5-21-2889043008-4136710315-2444824263-3544
  - ObjectGUID :e1418d64-096c-4cb0-b903-ebb66562d99d
  - DistinguishedName : CN=Glen John,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM

 Description :
 -----------

 Get all properties of the user with samAccountName 'GlenJohn'.

 --------------------------END EXAMPLE --------------------------

Is there another way to get this information?

Vinc 웃 asked Nov 20 '14 15:11


3 Answers

The LockedOut property is what you are looking for among all the properties you returned. You are only seeing incomplete output in TechNet. The information is still there. You can isolate that one property using Select-Object:

Get-ADUser matt -Properties * | Select-Object LockedOut

LockedOut
---------
False

The link you referenced doesn't contain this information which is obviously misleading. Test the command with your own account and you will see much more information.

Note: Try to avoid -Properties *. While it is great for simple testing, it can make queries, especially ones with multiple accounts, unnecessarily slow. So, in this case, since you only need LockedOut:

Get-ADUser matt -Properties LockedOut | Select-Object LockedOut
Matt answered Nov 07 '22 17:11
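A fuller check for specific accounts, as an added example that is not part of the answer above or of the original page: the function name Get-AccountLockStatus and the choice to query the PDC emulator are assumptions, and it needs the ActiveDirectory module and a reachable domain. It reports Enabled next to LockedOut because a disabled account (Enabled : False, as in the TechNet sample) is not the same thing as a locked one.

```powershell
# Added example. Get-AccountLockStatus is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-AccountLockStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,

        # Assumption: the PDC emulator is reachable. Lockouts are replicated
        # to it urgently, so it holds the freshest lockout state in the domain.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    begin {
        # Request only the extended properties needed instead of -Properties *.
        $props = 'LockedOut', 'AccountLockoutTime',
                 'BadLogonCount', 'LastBadPasswordAttempt'
    }
    process {
        foreach ($id in $Identity) {
            try {
                $u = Get-ADUser -Identity $id -Server $Server `
                                -Properties $props -ErrorAction Stop
                [pscustomobject]@{
                    SamAccountName         = $u.SamAccountName
                    Enabled                = $u.Enabled    # False = disabled, not locked
                    LockedOut              = $u.LockedOut  # True = locked by lockout policy
                    AccountLockoutTime     = $u.AccountLockoutTime
                    # Bad-password counters are not replicated between DCs;
                    # these are the values as seen by $Server only.
                    BadLogonCount          = $u.BadLogonCount
                    LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                    QueriedServer          = $Server
                }
            }
            catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # A mistyped name should not abort the rest of the batch.
                Write-Warning "No such account: $id"
            }
        }
    }
}

# Account names taken from the examples on this page.
'GlenJohn', 'matt' | Get-AccountLockStatus | Format-Table -AutoSize
```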


Here's another one:

PS> Search-ADAccount -Locked | Select Name, LockedOut, LastLogonDate

Name                                       LockedOut LastLogonDate
----                                       --------- -------------
Yxxxxxxx                                        True 14/11/2014 10:19:20
Bxxxxxxx                                        True 18/11/2014 08:38:34
Administrator                                   True 03/11/2014 20:32:05

Other parameters worth mentioning:

Search-ADAccount -AccountExpired
Search-ADAccount -AccountDisabled
Search-ADAccount -AccountInactive

Get-Help Search-ADAccount -ShowWindow
evilSnobu answered Nov 07 '22 16:11


If you want to check via the command line, then use the command "net user username /DOMAIN"

Aniket Warey answered Nov 07 '22 16:11