堆栈内存溢出
  简体   繁体   English

如何验证AD帐户是否已锁定?

[英]How can I verify if an AD account is locked?

 原文  2014-11-20 15:13:53       powershell/ active-directory

问题描述

I want to know if it is possible to verify if a specific AD account is locked. 我想知道是否可以验证特定的AD帐户是否被锁定。

The command Get-ADUser does not return this parameter : 命令Get-ADUser不返回此参数: 

-------------------------- EXAMPLE 3 --------------------------

 Command Prompt: C:\PS>
 Get-ADUser GlenJohn -Properties * 


  - Surname : John 
  - Name : Glen John
  - UserPrincipalName : jglen
  - GivenName : Glen
  - Enabled : False
  - SamAccountName : GlenJohn
  - ObjectClass :
  - user SID :S-1-5-21-2889043008-4136710315-2444824263-3544
  - ObjectGUID :e1418d64-096c-4cb0-b903-ebb66562d99d
  - DistinguishedName : CN=Glen John,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM

 Description :
 -----------

 Get all properties of the user with samAccountName 'GlenJohn'.

 --------------------------END EXAMPLE --------------------------

Is there an other way to get this information ? 有没有其他方法来获取此信息?

5 个解决方案

解决方案1
 29 已采纳  2014-11-20 15:21:57

The LockedOut property is what you are looking for among all the properties you returned. LockedOut属性是您在返回的所有属性中寻找的属性。 You are only seeing incomplete output in TechNet. 您只看到TechNet中的输出不完整。 The information is still there. 信息仍在那里。 You can isolate that one property using Select-Object 您可以使用Select-Object隔离该属性 

Get-ADUser matt -Properties * | Select-Object LockedOut

LockedOut
---------
False

The link you referenced doesn't contain this information which is obviously misleading. 您引用的链接不包含此信息,这显然具有误导性。 Test the command with your own account and you will see much more information. 使用您自己的帐户测试命令,您将看到更多信息。

Note: Try to avoid -Properties * . 注意:尽量避免使用-Properties * While it is great for simple testing it can make queries, especially ones with multiple accounts, unnecessarily slow. 虽然它非常适合简单测试,但它可以使查询,特别是具有多个帐户的查询不必要地慢。 So, in this case, since you only need lockedout : 所以,在这种情况下,因为你只需要lockedout 

Get-ADUser matt -Properties LockedOut | Select-Object LockedOut

解决方案2
 9  2014-11-21 14:45:46

Here's another one: 这是另一个: 

PS> Search-ADAccount -Locked | Select Name, LockedOut, LastLogonDate

Name                                       LockedOut LastLogonDate
----                                       --------- -------------
Yxxxxxxx                                        True 14/11/2014 10:19:20
Bxxxxxxx                                        True 18/11/2014 08:38:34
Administrator                                   True 03/11/2014 20:32:05

Other parameters worth mentioning: 其他参数值得一提: 

Search-ADAccount -AccountExpired
Search-ADAccount -AccountDisabled
Search-ADAccount -AccountInactive

Get-Help Search-ADAccount -ShowWindow

解决方案3
 2  2016-03-16 12:42:11

I found also this list of property flags: How to use the UserAccountControl flags 我还找到了这个属性标志列表: 如何使用UserAccountControl标志 

SCRIPT  0x0001  1
ACCOUNTDISABLE  0x0002  2
HOMEDIR_REQUIRED    0x0008  8
LOCKOUT 0x0010  16
PASSWD_NOTREQD  0x0020  32
PASSWD_CANT_CHANGE 0x0040   64
ENCRYPTED_TEXT_PWD_ALLOWED  0x0080  128
TEMP_DUPLICATE_ACCOUNT  0x0100  256
NORMAL_ACCOUNT  0x0200  512
INTERDOMAIN_TRUST_ACCOUNT   0x0800  2048
WORKSTATION_TRUST_ACCOUNT   0x1000  4096
SERVER_TRUST_ACCOUNT    0x2000  8192
DONT_EXPIRE_PASSWORD    0x10000 65536
MNS_LOGON_ACCOUNT   0x20000 131072
SMARTCARD_REQUIRED  0x40000 262144
TRUSTED_FOR_DELEGATION  0x80000 524288
NOT_DELEGATED   0x100000    1048576
USE_DES_KEY_ONLY    0x200000    2097152
DONT_REQ_PREAUTH    0x400000    4194304
PASSWORD_EXPIRED    0x800000    8388608
TRUSTED_TO_AUTH_FOR_DELEGATION  0x1000000   16777216
PARTIAL_SECRETS_ACCOUNT 0x04000000      67108864

You must make a binary-AND of property userAccountControl with 0x002 . 您必须使用0x002属性userAccountControl的二进制AND。 In order to get all locked (ie disabled) accounts you can filter on this: 为了获得所有锁定(即禁用)帐户,您可以对此进行过滤: 

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

For operator 1.2.840.113556.1.4.803 see LDAP Matching Rules 对于运算符1.2.840.113556.1.4.803请参阅LDAP匹配规则

解决方案4
 0  2018-09-05 21:29:42

This ScriptingGuy guest post links to a script by a Microsoft Powershell Expert can help you find this information, but to fully audit why it was locked and which machine triggered the lock you probably need to turn on additional levels of auditing via GPO. 这篇ScriptingGuy来宾帖子链接到Microsoft Powershell Expert的脚本可以帮助您查找此信息,但要完全审核它被锁定的原因以及哪台机器触发了锁定,您可能需要通过GPO打开其他级别的审核。

https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab#content https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab#content

解决方案5
 0  2019-06-11 09:07:20

If you want to check via command line , then use command "net user username /DOMAIN" 如果要通过命令行检查,请使用命令“net user username / DOMAIN”

在此输入图像描述

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在没有第二个帐户查询AD的情况下检测AD用户密码是否过期? - How can I detect whether AD user password is expired without a second account to query AD? 我可以单独获取 AD 帐户属性,但不能在 foreach 循环中获取? - I can get AD account attributes individually, but not in the foreach loop? 如何验证 PDF 文件“好”? - How can I verify that a PDF file is “good”? 如何使用Powershell脚本重试5次锁定文件的副本? - How can I retry copy of a locked files 5 times with Powershell script? 如何为Azure AD帐户重置密码 - How to reset password for Azure AD account 如何设置“帐户操作员”给AD用户? - How To Set “Account Operators” to AD User? 如何让我的脚本使用全名来查找 AD 帐户? - How do I get my script to use full names to find AD account? 验证 AD 用户密码 - Verify AD User Password 如何验证Powershell脚本中的密钥? - How can I verify my keys in my powershell script? 如何验证进程是否已在Powershell上运行? - How can i verify if a process is already running on powershell?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM