That's a frequent question in the newsgroups: "How am I able to query useraccounts which are locked?"
| Note: | Don't mix up locked and disabled useraccounts. If useraccounts are locked, someone entered the wrong password more often than the account policy on the domain allowes. If a useraccount is disabled an administrator decided that it's necessary to disable him. You are able to allow unlocking of a useraccount with Active Directory-Users and -Computers. However it's not able to lock a useraccount in the same interface - everybody would be able to lock it by entering the name with a wrong password multiple times. The purpose of locked accounts is just to prevent misuse, it's not intended as mechanism to block logon to the domain. |
If you don't have the setting in your domain that locked out user accounts will automatically reenable then you are able to use the following query:
(&(objectCategory=person)(objectClass=User)(lockoutTime>=1))
Lockouttime = <not set>
lockoutTime = some number which contains the time he locked himself out
lockoutTime = 0
Lockouttime = some number which contains the time he locked himself outIn this case you'll have to calculate if the current time is bigger than the lockoutime + the duration someone stays locked. Therefore you can't use a simple query for it.
http://www.rlmueller.net/IsUserLocked.htm http://www.rlmueller.net/LockedUsers.htmYou are welcome to E-Mail comments, feedback or general Problems with this WebSite to the WebMaster. The WebSites of WindowsServerFAQ.de and/or WindowsServerFAQ.org are not related to Microsoft Corp. USA or to Microsoft GmbH. Copyright 2004. ALL RIGHTS RESERVED. You have to accept the Disclaimer and the legal Annotations to use the WebSites of WindowsServerFAQ.de or WindowsServerFAQ.org.