lockoutstatus.exe mismatch with Active directory

Chris Saladin 20 Reputation points
2023-02-17T00:38:19.1633333+00:00

I did quite a bit of research online about this issue and I can't seem to find a definitive answer so I'm asking over here in case someone might know the answer.

Basically, when I use the Microsoft lockoutstatus.exe tool, an account will say locked out even past the 30 minute lockout timer in our domain.

But when I run a command in PowerShell to check, such as:

get-aduser MyUserName -server Server -Properties * | Select-Object LockedOut

it will say the account is not locked - even when I specify the specific server that is saying it's locked in the domain.

Thinking this was a glitch with LockoutStatus, I kept testing - but yes, in fact the account is still locked out for the end user, even though the PowerShell tool will swear up and down it's not locked.

I even scripted something to check the lockout status on every server in our domain and every single server will say unlocked - but lockoutstatus.exe will still say locked - and the user will still be locked.

Now, this doesn't seem to occur for fresh lockouts - only lockouts where the account should have auto-unlocked due to our domain's policy.

I double-checked our policy and it is set to 30 minutes, and the account lockout time in both the script and the lockoutstatus.exe tool says it's been over the 30-minute mark, but lockoutstatus.exe still says locked, while PowerShell and AD say unlocked.

To make matters even more confusing, the end user is in fact still locked.

I'm just wondering what in fact the lockoutstatus.exe tool is doing to come up with the correct information.

Any ideas are much appreciated :)

Thank you!

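The question compares one cmdlet property against one tool. The script below is an added example (not code from the question or from any Microsoft tool) that shows what each domain controller actually holds for the account: the raw lockoutTime attribute, whether that time plus the applicable LockoutDuration is still in the future, the UF_LOCKOUT bit in the computed attribute msDS-User-Account-Control-Computed, and the per-DC badPwdCount. lockoutTime is not cleared when the lockout duration expires; Active Directory expresses expiry through the computed attribute, so a tool that reads the raw attribute and a cmdlet that reports the computed state can disagree while both are "correct" about what they read. It assumes the RSAT ActiveDirectory module and read access to every DC; the SamAccountName value is a parameter you supply.

```powershell
# Added example: per-DC lockout audit for one account. Not from the original post.
# Assumes the ActiveDirectory RSAT module and rights to read user attributes on every DC.
param(
    [Parameter(Mandatory)][string]$SamAccountName
)
Import-Module ActiveDirectory

# Lockout duration: a fine-grained password policy (PSO) wins over the domain default if one applies.
$policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$duration = $policy.LockoutDuration      # TimeSpan; zero means "locked until an administrator unlocks"
$now = (Get-Date).ToUniversalTime()

$props = 'lockoutTime', 'badPwdCount', 'badPasswordTime', 'LockedOut', 'msDS-User-Account-Control-Computed'
$UF_LOCKOUT = 0x10   # bit in msDS-User-Account-Control-Computed while AD considers the account locked

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $props -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Error = $_.Exception.Message }
        continue
    }

    $lt = [int64]($u.lockoutTime)        # 0 = never locked, or explicitly unlocked, as seen by this DC
    $lockedAt = if ($lt -gt 0) { [DateTime]::FromFileTimeUtc($lt) } else { $null }

    # lockoutTime survives expiry; the window is open only while lockoutTime + duration is in the future
    $windowOpen = $null
    if ($lockedAt) {
        $windowOpen = if ($duration -eq [TimeSpan]::Zero) { $true } else { ($lockedAt + $duration) -gt $now }
    }

    $bpt = [int64]($u.badPasswordTime)
    [pscustomobject]@{
        DC              = $dc.HostName
        LockedOut       = $u.LockedOut                       # the cmdlet's computed view
        ComputedLockBit = [bool]([int]$u.'msDS-User-Account-Control-Computed' -band $UF_LOCKOUT)
        LockoutTimeUtc  = $lockedAt                          # raw attribute, not reset when the window closes
        WithinWindow    = $windowOpen
        BadPwdCount     = $u.badPwdCount                     # not replicated: each DC keeps its own count
        LastBadPwdUtc   = if ($bpt -gt 0) { [DateTime]::FromFileTimeUtc($bpt) } else { $null }
    }
}
```

Save it as, for example, Get-LockoutView.ps1 and run `.\Get-LockoutView.ps1 -SamAccountName MyUserName | Format-Table -AutoSize`. A row where LockoutTimeUtc is set, WithinWindow is False and ComputedLockBit is False is a lockout that has expired on that DC; a DC where LockoutTimeUtc is newer than on the others, or where BadPwdCount is climbing, is the one receiving the bad credentials and is where to look for the source.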

Accepted answer
  1. Limitless Technology 44,766 Reputation points
    2023-02-17T12:21:05.7833333+00:00

Hi. Thank you for your question and for reaching out. I'd be more than happy to help you with your query.

    The Microsoft lockoutStatus.exe command-line tool is used to find out why a user account has been locked out from Active Directory. If the lockoutStatus.exe tool does not match the lockout information in Active Directory, then the user account may have been locked out by another system or process. To resolve this issue, you should check the Event Logs for any suspicious entries or activities that may have caused the lockout. You can also check to see if the same user account is locked out on other systems in the domain.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    1 person found this answer helpful.
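The answer points at the event logs. Domain controllers record each lockout as Security event 4740 ("A user account was locked out") and forward it to the PDC emulator, which makes that one DC the place to search. The script below is an added example (not part of the answer) that pulls recent 4740 events from the PDC emulator for one account and lists the caller computer name reported in each, which is the host the failing logons came from. It assumes the RSAT ActiveDirectory module, permission to read the Security log on the PDC emulator remotely, and that the log still retains events for the period queried; SamAccountName and Hours are parameters you supply.

```powershell
# Added example: find the source of recent lockouts for one account via event 4740 on the PDC emulator.
# Not from the original post. Assumes RSAT ActiveDirectory and remote Security-log read rights on the PDC.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator    # every DC forwards 4740 here, so one query covers the domain

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML so fields are read by name rather than by message position
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            TargetUserName = $data['TargetUserName']    # the account that was locked
            CallerComputer = $data['TargetDomainName']  # for 4740 this field carries the caller computer name
            ReportingDC    = $data['SubjectUserName']   # computer account of the DC that applied the lockout
        }
    } |
    Where-Object { $_.TargetUserName -eq $SamAccountName } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName MyUserName -Hours 48`. If CallerComputer is a workstation, the usual suspects are a cached credential in a mapped drive, a scheduled task or a service; if it is blank or another DC, the bad logons arrived over a path such as RADIUS, a VPN concentrator or a web front end, and that system's own logs are the next stop.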

