How to determine if a local account is locked?




Within minutes of searching, I was able to find the script below which determines if an Active Directory account is locked:


Get-ADUser myaccount -Properties LockedOut | Select-Object LockedOut


However, after almost 1.5 hours of searching, I can't find a script that will tell me if a local account is locked!


Does anyone have a script for that?


7 Replies

Locked has a different meaning in AD, compared to Azure AD (where it basically means "blocked"). So depending on which one you're after, check either the lockoutTime attribute or the relevant "bit" of the UserAccountControl attribute:

You can use the win32_userAccount WMI class to do a remote query on a computer hosting the local account you want to get the lockout status of:

get-wmiObject -class win32_userAccount -computerName <remote-computer> | where-object {$_.Name -like 'localAcc1*'} | select-object -property status, lockOut, SID, disabled

@Vasil Michev 


Thanks. I am using Windows Enterprise Server and not Azure. 


@Animesh Joshi 




I tried the below on the server but it just hangs.  PDB0V is the server name and SSRS is a local account on that server.


get-wmiObject -class win32_userAccount -computerName PDB0V | where-object {$_.Name -like '*SSRS*'} | select-object -property status, lockOut, SID, disabled*

Do you get any warnings/error messages?
Any reason you've added an asterisk '*' after the disabled property?
Have you tried putting the FQDN of the server PDB0V?
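
An added example, not part of any reply in this thread: the same Win32_UserAccount lookup with the filter applied in the WMI query itself (LocalAccount=True plus the account name), so a domain-joined machine returns only the matching local account instead of enumerating every account it can see. Get-LocalLockState is a hypothetical helper name; the commented usage line reuses the server and account names from the question.

```powershell
# Added example; Get-LocalLockState is a hypothetical helper, not a built-in cmdlet.
function Get-LocalLockState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Name,

        [string]$ComputerName = $env:COMPUTERNAME
    )

    # WQL string literals escape backslashes and single quotes with a backslash.
    $safe = $Name -replace '\\', '\\' -replace "'", "\'"

    # Filtering inside the query keeps the result set to local accounts only.
    $query = @{
        ClassName   = 'Win32_UserAccount'
        Filter      = "LocalAccount=True AND Name='$safe'"
        ErrorAction = 'Stop'
    }

    # Get-CimInstance uses WinRM when -ComputerName is given, so only pass it
    # for a remote host; a local query then works without WinRM being enabled.
    if ($ComputerName -ne $env:COMPUTERNAME) {
        $query.ComputerName = $ComputerName
    }

    $accounts = @(Get-CimInstance @query)
    if ($accounts.Count -eq 0) {
        throw "No local account named '$Name' found on $ComputerName."
    }

    # Lockout  = locked by the account lockout policy (too many bad passwords)
    # Disabled = switched off by an administrator; the two are independent.
    $accounts | Select-Object Name, Domain, Lockout, Disabled, Status, SID
}

# Usage with the names from the question (run from an elevated session):
# Get-LocalLockState -Name 'SSRS' -ComputerName 'PDB0V'
```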


Realizing this post is old, try this on the system itself...


net user <username>


The output can be parsed to check for a line stating "Account Active       Yes" 

I know this post is kind of old, but maybe people finding this post are still looking for a solution. I believe this is the most simple command to find locked accounts in Active Directory:

Search-ADAccount -LockedOut