
Monday, November 18, 2019

How do you use PowerShell to check if an active directory user locked out, disabled etc.?

How do you use PowerShell to check if an Active Directory user is locked out, disabled, etc.? If your organization uses a password policy (there are very good odds these days that it does), and especially if it has stricter password requirements for administrative users, you might have experienced instances where your own or your users' Active Directory accounts get locked out.

How do you check if that is the case? Well, for one thing, Windows will tell you so when you try to log in, and failed login attempts are recorded in the SQL Server logs, the Windows event logs, etc. But what if the user does not log out, or has more than one user account, one for regular use and one for administrative tasks? There may be other scenarios as well where you need to check the status of a user account in Active Directory.

I don't have admin privileges in Active Directory, and presumably you don't either. However, I do have read permission on the AD, so I could have used the Active Directory Users and Groups snap-in, i.e. the GUI tool.

But, here I am going to show you the PowerShell way.

You will need to have the ActiveDirectory PowerShell module installed for the following cmdlets to work. To check if you already have it:

Get-Module -Name ActiveDirectory


To check if it is available to import into your current session:
Get-Module -ListAvailable -Name ActiveDirectory


If it is available, you can import it using the following command. You will need to be running an elevated PowerShell session for this:
Import-Module -Name ActiveDirectory


Let's check if the user account is disabled:

# Is account disabled?

get-aduser aduser1 -Properties enabled | ft Enabled

Enabled
-------
   True 


# Is account locked out?

get-aduser aduser1 -Properties LockedOut | ft LockedOut

LockedOut
---------
    False


# When does the password expire?

Get-ADUser aduser1 -properties msDS-UserPasswordExpiryTimeComputed | select @{N="PasswordExpiryDate";E={[DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


PasswordExpiryDate  
------------------  
2/13/2020 2:58:26 PM
 

# Finally, view all properties for a user account

get-aduser aduser1 -Properties *


If the user account is in a different AD domain:
get-aduser aduser1 -Server ad_domain_name -Properties *
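As an added example (not from the original post), here is one function that runs all of the checks above in a single Get-ADUser call and returns them as one object, including the -Server option for another domain. It assumes the ActiveDirectory module is already imported; the extra attributes it reads (PasswordExpired, PasswordNeverExpires, BadLogonCount, LastBadPasswordAttempt, AccountExpirationDate, PasswordLastSet) are standard Get-ADUser extended properties, while the function name and the CanSignIn summary field are my own.

```powershell
# Added example: report the sign-in status of one AD account in a single query.
# Assumes: Import-Module ActiveDirectory has been run and you have read access.
function Get-ADAccountStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN, or SID
        [string]$Server                            # optional: DC or domain name
    )

    # Ask for every status-related attribute in one round trip rather than
    # calling Get-ADUser once per attribute as in the examples above.
    $props = 'Enabled', 'LockedOut', 'PasswordExpired', 'PasswordNeverExpires',
             'PasswordLastSet', 'LastBadPasswordAttempt', 'BadLogonCount',
             'AccountExpirationDate', 'msDS-UserPasswordExpiryTimeComputed'
    $getParams = @{ Identity = $Identity; Properties = $props; ErrorAction = 'Stop' }
    if ($Server) { $getParams['Server'] = $Server }

    try {
        $u = Get-ADUser @getParams
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "No account named '$Identity' was found."
        return
    }

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME value. 0 means the user
    # must change the password at next logon; Int64.MaxValue means it never
    # expires. Only convert it to a date when it is a real expiry time.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        Enabled                = $u.Enabled
        LockedOut              = $u.LockedOut
        PasswordExpired        = $u.PasswordExpired
        PasswordNeverExpires   = $u.PasswordNeverExpires   # worth flagging on admin accounts
        PasswordLastSet        = $u.PasswordLastSet
        PasswordExpiryDate     = $expiry
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        BadLogonCount          = $u.BadLogonCount
        AccountExpirationDate  = $u.AccountExpirationDate
        # Summary: nothing above currently blocks an interactive sign-in.
        CanSignIn = ($u.Enabled -and -not $u.LockedOut -and -not $u.PasswordExpired -and
                     (-not $u.AccountExpirationDate -or $u.AccountExpirationDate -gt (Get-Date)))
    }
}

# Usage: Get-ADAccountStatus -Identity aduser1
#        Get-ADAccountStatus -Identity aduser1 -Server ad_domain_name
```

Pipe the result to Format-List to see every field at once; a BadLogonCount that keeps climbing on an account that is not yet locked out is usually the first sign that a stale saved credential or a scheduled task is retrying an old password.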


To find out more about the Get-ADUser command:
Get-Help Get-ADUser -ShowWindow
That will pop up a window with the Get-ADUser help file.

And to see all the commands available in the ActiveDirectory module:
Get-Command -Module ActiveDirectory | Select-Object Name

Name
------------------------------------
Add-ADCentralAccessPolicyMember
Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Add-ADResourcePropertyListMember
Clear-ADAccountExpiration
Clear-ADClaimTransformLink
Disable-ADAccount
Disable-ADOptionalFeature
Enable-ADAccount
Enable-ADOptionalFeature
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADAuthenticationPolicy
Get-ADAuthenticationPolicySilo
Get-ADCentralAccessPolicy
Get-ADCentralAccessRule
Get-ADClaimTransformPolicy
Get-ADClaimType
Get-ADComputer
....
....
....