How do you use PowerShell toc check if an active directory user locked out, disabled etc.?


If your organization uses a password policy (there are very good odds these days that it does) and, especially stricter password requirement for administrative users, your might have experienced instances where yours or your users Active Directory user might be locked out.

How do you check if that is the case? Well, for one thing the Windows will tell you so when you try to login and/or failed login attempts are logged in to sql log, event logs etc.  What if user does not logout or have more than one user account, one for regular use and one for administrative tasks? There maybe other scenarios where you have a need to check status of a user account in the Active Directory.

I don't have admin privileges and presumably you don't either.  However, I do have read permission on the AD so I could have used Active Directory Users and Groups snap-in.

But, here I am going to show the powershell way.

# Is account disabled?


get-aduser aduser1 -Properties enabled | ft Enabled


# Is account locked out?

get-aduser aduser1 -Properties LockedOut | ft LockedOut


# When does the password expire?


Get-ADUser aduser1 -properties msDS-UserPasswordExpiryTimeComputed | select @{N="PasswordExpiryDate";E={[DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

2/13/2020 2:58:26 PM


# Finally, view all properties for a user account


get-aduser aduser1 -Properties *


Original post (opens in new tab)