Query for locked user accounts

A frequent question in the newsgroups is: "How can I query for user accounts that are locked?"

Note: Don't confuse locked and disabled user accounts. A user account is locked when someone has entered the wrong password more often than the account policy of the domain allows. A user account is disabled when an administrator has decided that it is necessary to disable it. You can unlock a user account in Active Directory Users and Computers. However, you cannot lock a user account in the same interface; anybody is able to lock it by entering the name with a wrong password multiple times.
The purpose of locking accounts is only to prevent misuse; it is not intended as a mechanism to block logon to the domain.

If your domain is not configured to unlock locked-out user accounts automatically, you can use the following query:



A user who has never been locked out:
lockoutTime = <not set>

User is locked out:
lockoutTime = a number that contains the time at which the account was locked out

User is unlocked by admin:
lockoutTime = 0

User is automatically unlocked by policy:
lockoutTime = a number that contains the time at which the account was locked out
In this case you have to calculate whether the current time is later than lockoutTime plus the duration for which an account stays locked. Therefore you can't use a simple query for it.
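The calculation described above, as an added PowerShell example that is not part of the original page and not Richard Mueller's code: it classifies an account from its lockoutTime and the domain's lockoutDuration into the four cases listed. The function name, state labels and sample values are assumptions made for illustration; lockoutDuration is assumed to have been read from the domain object as a negative count of 100-nanosecond intervals.

```powershell
# A filter such as (&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
# only finds accounts whose lockoutTime is set and non-zero. It cannot tell whether
# the lockout has already expired, which is what this function decides.
function Get-LockoutState {
    param(
        # User attribute lockoutTime: FILETIME, 100-ns intervals since 1601-01-01 UTC.
        [Nullable[long]]$LockoutTime,
        # Domain attribute lockoutDuration: negative number of 100-ns intervals.
        [Parameter(Mandatory)][long]$LockoutDuration,
        [datetime]$NowUtc = [datetime]::UtcNow
    )
    if ($null -eq $LockoutTime) { return 'NeverLockedOut' }     # attribute not set
    if ($LockoutTime -eq 0)     { return 'UnlockedByAdmin' }    # reset to 0

    # Assumption: Int64.MinValue is what the directory stores when accounts stay
    # locked until an administrator unlocks them, so there is no expiry to compute.
    if ($LockoutDuration -eq [long]::MinValue) { return 'LockedOut' }

    # DateTime ticks are also 100-ns units, so the negated duration can be added directly.
    $unlockAt = [datetime]::FromFileTimeUtc($LockoutTime).AddTicks(-$LockoutDuration)
    if ($NowUtc -lt $unlockAt) { 'LockedOut' } else { 'UnlockedByPolicy' }
}

# Constructed sample data: a fixed "now", a 30-minute lockout duration and
# four made-up accounts, one for each case in the list above.
$now      = [datetime]::new(2004, 6, 1, 12, 0, 0, [DateTimeKind]::Utc)
$duration = -([timespan]::FromMinutes(30).Ticks)
$samples  = @(
    [pscustomobject]@{ Name = 'never.locked';   LockoutTime = $null }
    [pscustomobject]@{ Name = 'locked.now';     LockoutTime = $now.AddMinutes(-10).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'admin.unlocked'; LockoutTime = 0L }
    [pscustomobject]@{ Name = 'expired.lock';   LockoutTime = $now.AddMinutes(-45).ToFileTimeUtc() }
)

foreach ($s in $samples) {
    [pscustomobject]@{
        Name  = $s.Name
        State = Get-LockoutState -LockoutTime $s.LockoutTime `
                                 -LockoutDuration $duration -NowUtc $now
    }
}
```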

Fellow MVP Richard Mueller provides an example on his page:

If you want to retrieve those accounts programmatically, you can also use the WinNT provider; here is another example from Richard:

You are welcome to E-Mail comments, feedback or general Problems with this WebSite to the  WebMaster. The WebSites of WindowsServerFAQ.de and/or WindowsServerFAQ.org are not related to Microsoft Corp. USA or to Microsoft GmbH. Copyright 2004. ALL RIGHTS RESERVED. You have to accept the Disclaimer and the legal Annotations to use the WebSites of WindowsServerFAQ.de or WindowsServerFAQ.org.