Home / server / Questions / 1108964
In Process
Zombo
Asked: 2022-08-25 04:25:43 +0800 CST

Check if account is locked out

  • 772

How can I check if an account is locked in Active Directory?

I would prefer to use the GUI, but I can use the CLI if that's the only option. I checked the "Account" tab under Properties, and I see an "Unlock account" option, but it not clear if that means the account is currently locked.

windows

0 Answers

  1. Using Powershell:

    get-aduser bob -Properties lockedout |select lockedout

lockedout
---------
    False
    • 3

  2. Active Directory Administrative Center

    On the user list, click the arrow in the top right corner. Then click Add criteria. Then click Users with enabled but locked accounts (I cannot post images directly, so here is a link):

    https://serverspace.us/wp-content/uploads/2021/07/63_uad411.png

    Then click Add.

    https://serverspace.us/support/help/how-to-manage-user-accounts-in-active-directory-part-4-finding-locked-out-accounts-and-unlocking-them

    Active Directory Users and Computers

    Select View > Advanced. The Attribute Editor tab on the user account shows every attribute. AD Users and Computers can show any attribute of an object, including lockoutTime.

    • 1

  3. Right click your user (AD users and computers) and click on "reset password". You don't have to reset the password but the Account lockout status will be shown. Screenshot "reset password" window

    • 1

  4. Check out this tool from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=15201

    It will help you figure out which Domain Controller to look on for more info in the logs as well.

    • -1