Falah Abu Hassan

Reputation: 115

Check if a local user is locked out although he is logged in (PowerShell)

I want to check whether a user is using an account or is locked out of a password-protected account.

The command (query user) returns "active" even though the user is locked out, and the process "explorer.exe" will still be active.

get-WmiObject win32_useraccount -Namespace "root/cimv2" | %{$_.lockout} 

This also returns "False".

Upvotes: 0

Views: 4276

Answers (2)

Falah Abu Hassan

Reputation: 115

Get-EventLog -LogName Security | where {$_.instanceid -eq "4634"} | %{$_.TimeGenerated} | sort TimeOfDay -Descending | select TimeOfDay -First 1

Upvotes: 0

TessellatingHeckler

Reputation: 29033

It's not very clear what you're asking, but assuming you mean "Show me logged in users whose user accounts are locked", this should do it:

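# Get-TerminalSession and Split-String are not built in; they come from the
# PowerShell Community Extensions (PSCX) module
Import-Module Pscx

# Get locked local accounts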
$lockedAccounts = @(Get-WmiObject win32_useraccount -filter "LockOut=True")

# Get login sessions including disconnected ones
# Get the username, ignore sessions with no username
# Username is in the form "computer\user" so remove "computer\"
$users = @(Get-TerminalSession | select -ExpandProperty UserName | ? {$_})
$users = @($users | % { (Split-String $_ -Separator "\")[1] })

ForEach ($account in $lockedAccounts) {
    if ($users -icontains $account.Name) {
        write "Locked Account $($account.Name) is logged in"
    }
}

I haven't tested it completely, but I've tested the bits of it separately and it looks likely to work.

Upvotes: 1
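
An added example, not part of either answer: the same cross-check done with only the built-in `query user` text output, including the disconnected-session row whose blank SESSIONNAME column breaks naive whitespace splitting. The sample output, the locked-account list and the function names ConvertFrom-QuserText and Find-LockedOutSession are constructed for illustration.

```powershell
# Constructed sample of `query user` output (not captured from a real host).
# The second row is a disconnected session: its SESSIONNAME column is blank.
$sampleQuser = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>alice                 console             1  Active      none   3/1/2024 8:02 AM
 bob                                       2  Disc        1:15   3/1/2024 7:40 AM
'@ -split "`r?`n"

# Hypothetical helper: turn `query user` text into objects.
function ConvertFrom-QuserText {
    param([string[]]$Lines)
    foreach ($line in $Lines | Select-Object -Skip 1) {      # skip the header row
        if (-not $line.Trim()) { continue }
        # Drop the leading '>' (current session) or space, then split on 2+ spaces
        $f = $line.Substring(1).Trim() -split '\s{2,}'
        # No SESSIONNAME means the ID landed in field 1: pad the missing column
        if ($f[1] -match '^\d+$') { $f = @($f[0], '') + $f[1..($f.Count - 1)] }
        [pscustomobject]@{
            UserName    = $f[0]
            SessionName = $f[1]
            Id          = [int]$f[2]
            State       = $f[3]
        }
    }
}

# Hypothetical helper: keep only sessions whose user is in the locked-out list.
function Find-LockedOutSession {
    param([object[]]$Sessions, [string[]]$LockedNames)
    $Sessions | Where-Object { $LockedNames -icontains $_.UserName }
}

# On a live host, feed real data instead of the constructed samples:
#   $sessions = ConvertFrom-QuserText (query user)
#   $locked   = (Get-CimInstance Win32_UserAccount `
#                  -Filter "LocalAccount=True AND Lockout=True").Name
$sessions = ConvertFrom-QuserText $sampleQuser
$locked   = @('bob')                                        # constructed list

Find-LockedOutSession -Sessions $sessions -LockedNames $locked |
    Format-Table UserName, Id, State
```

Win32_UserAccount's Lockout property reports an account locked out by the account lockout policy, not a workstation sitting at the lock screen, so a session with a locked screen still shows Lockout as False and State as Active.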
