-1

How can I check if an account is locked in Active Directory?

I would prefer to use the GUI, but I can use the CLI if that's the only option. I checked the "Account" tab under Properties, and I see an "Unlock account" option, but it's not clear if that means the account is currently locked.

Zombo
  • For posterity's sake, you should mention which forest/domain version you are on. Over time additional tools/features/GUIs change and answers may no longer be relevant. – TheCleaner Sep 29 '22 at 16:09

4 Answers

4

Using Powershell:

```
get-aduser bob -Properties lockedout | select lockedout

lockedout
---------
    False
```

Gerald Schneider
  • An empty value indicates that you omitted the `-Properties` argument (or have a typo in it). The `lockedout` attribute is not loaded by default and must be specified explicitly. – Gerald Schneider Aug 24 '22 at 12:52
2

Active Directory Administrative Center

On the user list, click the arrow in the top right corner. Then click Add criteria. Then click Users with enabled but locked accounts (I cannot post images directly, so here is a link):

https://serverspace.us/wp-content/uploads/2021/07/63_uad411.png

Then click Add.

https://serverspace.us/support/help/how-to-manage-user-accounts-in-active-directory-part-4-finding-locked-out-accounts-and-unlocking-them

Active Directory Users and Computers

Select View > Advanced. The Attribute Editor tab on the user account shows every attribute. AD Users and Computers can show any attribute of an object, including lockoutTime.

Zombo
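
An added example (not part of the answers on this page) for reading the `lockoutTime` value that the Attribute Editor shows. A non-zero `lockoutTime` only records when the lockout happened; the value stays in place after the policy's lockout duration has expired, until the next successful logon or an administrative unlock. The function name `Get-LockoutState` and the sample values are constructed for illustration, and the live-domain usage in the comments assumes the default domain password policy applies to the user (no fine-grained policy).

```powershell
# Added example: decide whether a raw lockoutTime value means "locked right now".
function Get-LockoutState {
    param(
        # Raw lockoutTime attribute: 100 ns intervals since 1601-01-01 UTC (FILETIME)
        [Parameter(Mandatory)] [long] $LockoutTime,
        # Lockout duration from the password policy; zero = locked until an admin unlocks
        [Parameter(Mandatory)] [timespan] $LockoutDuration,
        # Reference time, overridable so the logic can be checked with fixed values
        [datetime] $Now = [datetime]::UtcNow
    )

    if ($LockoutTime -eq 0) {
        return [pscustomobject]@{ State = 'NotLocked'; LockedAtUtc = $null; UnlocksAtUtc = $null }
    }

    $lockedAt = [datetime]::FromFileTimeUtc($LockoutTime)

    if ($LockoutDuration -eq [timespan]::Zero) {
        return [pscustomobject]@{ State = 'LockedUntilAdminUnlock'; LockedAtUtc = $lockedAt; UnlocksAtUtc = $null }
    }

    $unlocksAt = $lockedAt + $LockoutDuration
    $state = if ($Now.ToUniversalTime() -lt $unlocksAt) { 'Locked' } else { 'LockoutExpired' }
    [pscustomobject]@{ State = $state; LockedAtUtc = $lockedAt; UnlocksAtUtc = $unlocksAt }
}

# Constructed sample values (not taken from any real directory)
$lockedAt = [datetime]::new(2024, 1, 15, 12, 0, 0, [DateTimeKind]::Utc)
$raw      = $lockedAt.ToFileTimeUtc()
$policy   = [timespan]::FromMinutes(30)

# 10 minutes after the lockout: still inside the 30-minute window
Get-LockoutState -LockoutTime $raw -LockoutDuration $policy -Now $lockedAt.AddMinutes(10)
# 45 minutes after the lockout: attribute still non-zero, but the window has passed
Get-LockoutState -LockoutTime $raw -LockoutDuration $policy -Now $lockedAt.AddMinutes(45)
# Duration of zero: stays locked until an administrator unlocks the account
Get-LockoutState -LockoutTime $raw -LockoutDuration ([timespan]::Zero) -Now $lockedAt.AddDays(7)
# lockoutTime of 0: never locked, or already unlocked
Get-LockoutState -LockoutTime 0 -LockoutDuration $policy

# Against a live domain (requires the ActiveDirectory module):
#   $u = Get-ADUser bob -Properties lockoutTime
#   $p = Get-ADDefaultDomainPasswordPolicy
#   Get-LockoutState -LockoutTime ([long]$u.lockoutTime) -LockoutDuration $p.LockoutDuration
```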
1

Right-click your user (AD users and computers) and click on "reset password". You don't have to reset the password but the Account lockout status will be shown.

-1

Check out this tool from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=15201

It will help you figure out which Domain Controller to look on for more info in the logs as well.