You want to find users that are locked out.
The following command finds all locked-out users in the domain of the specified domain controller:
> unlock <
DomainControllerName> * -view
Finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query similar to the one to find disabled users, but unfortunately, it is not that easy.
lockoutTime attribute is populated with a
timestamp when a user is locked. One way to find locked out users
would be to find all users that have something populated in
lockoutTime=*). That query would definitely find
all the currently locked users, but it would also find all the users
that were locked, became unlocked, and have yet to log in since being
unlocked. This is where the complexity comes into place.
To determine the users that are currently locked out, you have to
lockoutDuration attribute stored on the
domain object (e.g., dc=rallencorp,dc=com). This attribute defines the number of minutes that an account will stay locked before becoming automatically unlocked. We need to take this value and subtract it from the current time to derive a timestamp that would be the outer marker for which users could still be locked. We can then ...