bikhod
Copper Contributor
Apr 16, 2020

How to determine if a local account is locked?

Hi,

Within minutes of searching, I was able to find the script below which determines if an Active Directory account is locked:

Get-ADUser myaccount -Properties LockedOut | Select-Object LockedOut

However, after almost 1.5 hours of searching, I can't find a script that will tell me if a local account is locked!

Does anyone have a script for that?

 

7 Replies

  • TechThatworks
    Copper Contributor
    Hi
    I know this post is kind of old, but maybe people finding this post are still looking for a solution. I believe this is the most simple command to find locked accounts in Active Directory:

    Search-ADAccount -LockedOut
  • Kcmjr
    Copper Contributor

    bikhod

    Realizing this post is old, try this on the system itself...

    net user <username>

    The output can be parsed to check for a line stating "Account Active       Yes"

  • Animesh Joshi
    Brass Contributor
    You can use win32_userAccount WMI class to do a remote query on a computer hosting the local account you want to get lockOut status of

    get-wmiObject -class win32_userAccount -computerName <remote-computer> | where-object {$_.name -like 'localAcc1*'} | select-object -property status, lockOut, SID, disabled
    • bikhod
      Copper Contributor

      Animesh Joshi

      Thanks.

      I tried the below on the server but it just hangs.  PDB0V is the server name and SSRS is a local account on that server.

      get-wmiObject -class win32_userAccount -computerName PDB0V| where-object {$_.name -like '*SSRS*'} | select-object -property status, lockOut, SID, disabled*

      • Animesh Joshi
        Brass Contributor
        Do you get any warnings/error messages?
        Any reason you've added an asterisk '*' after disabled property?
        Have you tried putting FQDN of the server PDB0V?
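
For the local-account case this thread asks about, here is an added example (not code from any poster) that queries Win32_UserAccount with a server-side filter rather than piping every account through Where-Object; on a domain-joined machine an unfiltered query also enumerates domain accounts and can be very slow. The function name, parameter names and timeout default are hypothetical.

```powershell
# Added example; the function and parameter names are hypothetical.
function Get-LocalAccountLockState {
    [CmdletBinding()]
    param(
        # Account name; * and ? wildcards are accepted, e.g. '*SSRS*'
        [Parameter(Mandatory)]
        [string]$Name,

        # Machine that hosts the local account (default: this machine)
        [string]$ComputerName = $env:COMPUTERNAME,

        # Fail after this many seconds instead of waiting indefinitely
        [ValidateRange(1, 600)]
        [int]$TimeoutSec = 30
    )

    # Build a WQL LIKE pattern: escape quote and backslash, bracket the
    # WQL wildcards that occur literally, then map * and ? to % and _.
    $like = $Name -replace "(['\\])", '\$1' `
                  -replace '([%_\[])', '[$1]' `
                  -replace '\*', '%' `
                  -replace '\?', '_'

    $query = @{
        ClassName           = 'Win32_UserAccount'
        # LocalAccount=True is evaluated on the target, so only accounts
        # defined on that machine are returned.
        Filter              = "LocalAccount=True AND Name LIKE '$like'"
        OperationTimeoutSec = $TimeoutSec
        ErrorAction         = 'Stop'
    }

    # -ComputerName makes Get-CimInstance use WinRM; skip it for the local case.
    if ($ComputerName -notin $env:COMPUTERNAME, 'localhost', '.') {
        $query.ComputerName = $ComputerName
    }

    Get-CimInstance @query |
        Select-Object Name, Lockout, Disabled, Status, SID
}

# Constructed usage, reusing the account pattern from the thread:
Get-LocalAccountLockState -Name '*SSRS*'
```

Lockout and Disabled are separate properties, so an account can be disabled without being locked out and the reverse.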
