
Finding Locked out users

Posted: February 5, 2012

This is an ugly one due to the way the AccountLockoutTime attribute is stored and what it means. The situation is further complicated because with Windows 2008 and above you can have multiple account lockout policies due to Fine-Grained Password Policies.

The Quest and Microsoft cmdlets both supply an easy way to find locked-out accounts:

# Microsoft Active Directory module
Search-ADAccount -LockedOut |
Format-Table Name, DistinguishedName

# Quest AD cmdlets
Get-QADUser -Locked -SizeLimit 3000 |
Format-Table Name, DN

I would recommend using one of these rather than trying to do this from scratch with a script or using the provider.
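To show why the stored value alone does not answer the question, here is an added example (not from the original post) that evaluates one raw lockoutTime value against two different lockout durations, which can give different answers. The function name Test-LockoutState, its parameters and the sample values are constructed for illustration, and it assumes a zero duration means the account stays locked until an administrator unlocks it.

```powershell
# Added example. Test-LockoutState and all sample values are constructed.
function Test-LockoutState {
    param(
        [Parameter(Mandatory)] [Int64]    $LockoutTime,     # raw lockoutTime value
        [Parameter(Mandatory)] [TimeSpan] $LockoutDuration, # from the policy that applies to this user
        [DateTime] $Now = [DateTime]::UtcNow                # pass a UTC time
    )

    # 0 means the account is not locked out.
    if ($LockoutTime -le 0) {
        return [pscustomobject]@{ Locked = $false; LockedAt = $null; UnlocksAt = $null }
    }

    # The value is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
    $lockedAt = [DateTime]::FromFileTimeUtc($LockoutTime)

    # Assumption: a zero duration means locked until an administrator unlocks it.
    if ($LockoutDuration -eq [TimeSpan]::Zero) {
        return [pscustomobject]@{ Locked = $true; LockedAt = $lockedAt; UnlocksAt = $null }
    }

    # A non-zero lockoutTime persists after the lockout window has passed,
    # so the timestamp has to be compared with the effective duration.
    $unlocksAt = $lockedAt + $LockoutDuration
    [pscustomobject]@{
        Locked    = ($Now -lt $unlocksAt)
        LockedAt  = $lockedAt
        UnlocksAt = $unlocksAt
    }
}

# Constructed sample: account locked 10 minutes before the evaluation time.
$now   = [DateTime]::new(2012, 2, 5, 12, 0, 0, [DateTimeKind]::Utc)
$stamp = $now.AddMinutes(-10).ToFileTimeUtc()

# Same stored value, evaluated under a 30-minute and a 5-minute lockout duration.
Test-LockoutState -LockoutTime $stamp -LockoutDuration (New-TimeSpan -Minutes 30) -Now $now
Test-LockoutState -LockoutTime $stamp -LockoutDuration (New-TimeSpan -Minutes 5)  -Now $now

# In a live domain the inputs would come from Get-ADUser -Properties lockoutTime and
# Get-ADUserResultantPasswordPolicy, falling back to Get-ADDefaultDomainPasswordPolicy.
```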
