
How to Check if a User Account is Locked Out in Batch Script

In an Active Directory environment, a user account can become "locked out" after too many failed password attempts. This is a crucial security feature to prevent brute-force attacks. For help desk staff, IT administrators, and automated monitoring scripts, being able to quickly check if an account is locked is a fundamental troubleshooting step. The standard, built-in command-line tool for this task is NET USER.

This guide shows how to use the net user command with the /DOMAIN switch to query the status of a user account. You will learn how to parse its output to find the "Account active" and "Account locked" states, a key skill for any AD diagnostic script.

CRITICAL: Prerequisites (Permissions)

To query the status of a user account in an Active Directory domain, your script must meet two conditions:

  1. Domain-Joined Machine: The script must be run from a computer that is a member of the Active Directory domain.
  2. Domain User: You must be logged in as a domain user. Standard Domain User permissions are sufficient to read the status of another user account. You do not need to be a Domain Admin for this read-only operation.

The Core Command: NET USER <username> /DOMAIN

The net user command is a classic utility for managing local and domain user accounts. When used with the /DOMAIN switch, it queries a Domain Controller for the specified user's information instead of looking on the local machine.

Syntax: NET USER <username> /DOMAIN

  • <username>: The user's logon name (sAMAccountName), e.g., johndoe.
  • /DOMAIN: This crucial switch tells the command to query Active Directory.

The output is a human-readable list of the user's properties. We are interested in two specific lines:

  • Account active
  • Account locked (This line only appears if the account is locked).

Basic Example: Displaying a User's Status

Let's check the status of a user named johndoe in the domain.

@ECHO OFF
SET "UserName=johndoe"
ECHO --- Checking status for user: %UserName% ---
ECHO.
NET USER %UserName% /DOMAIN

Output (for a normal, active account):

User name                    johndoe
Full Name                    John Doe
...
Account active               Yes
Account expires              Never
...
The command completed successfully.

Output (for a locked account), with the additional "Account locked" line:

User name                    johndoe
Full Name                    John Doe
...
Account active               Yes
Account expires              Never
Account locked               Yes
...
The command completed successfully.

How to Capture the Lockout Status in a Script

For a script to make a decision, it needs to programmatically check for that "Account locked" line. We can do this by piping the output of net user to the find or findstr command. find will set the %ERRORLEVEL% to 0 if it finds the text, and 1 if it does not.

@ECHO OFF
SET "UserName=johndoe"

ECHO --- Checking lockout status for %UserName% ---

REM Pipe the output to FIND and search for the "Account locked" string.
REM Redirect the output to NUL because we only care about the ERRORLEVEL.
NET USER %UserName% /DOMAIN | FIND "Account locked" > NUL

IF %ERRORLEVEL% EQU 0 (
    ECHO [LOCKED] The user account '%UserName%' is currently locked out.
) ELSE (
    ECHO [OK] The user account '%UserName%' is not locked.
)

How the net user /domain Command Works

The net user /domain command performs a remote procedure call (RPC) to the nearest available Domain Controller. It queries the Active Directory database for the user object matching the provided username and retrieves several key attributes, including the userAccountControl attribute, which contains flags that determine if an account is enabled, disabled, or locked out. The command then formats this information into a human-readable text report.

Common Pitfalls and How to Solve Them

Problem: "The user name could not be found."

This error means the username you provided does not exist in the Active Directory domain.

Solution: Double-check the spelling of the username. Ensure you are using the logon name (sAMAccountName), not the full display name or email address.

Problem: Checking for an Active but Locked Account

An account can be in several states:

  • Active and Unlocked
  • Active and Locked
  • Disabled (and therefore cannot be locked)

The simple script in the section above only checks for the "locked" state. It does not tell you whether the account is disabled.

Solution: A more robust script would perform two checks.

@ECHO OFF
SET "UserName=johndoe"
SET "IsLocked=0"
SET "IsActive=0"

NET USER %UserName% /DOMAIN | FIND "Account locked" > NUL && SET "IsLocked=1"
REM The label and its value are separated by a run of spaces (the values are
REM column-aligned), so match with a FINDSTR regular expression instead of the
REM fixed string "Account active Yes", which would never match.
NET USER %UserName% /DOMAIN | FINDSTR /R /C:"^Account active  *Yes" > NUL && SET "IsActive=1"

IF %IsActive% EQU 0 (
    ECHO [DISABLED] The account is disabled.
) ELSE IF %IsLocked% EQU 1 (
    ECHO [LOCKED] The account is active but locked out.
) ELSE (
    ECHO [OK] The account is active and not locked.
)

Practical Example: A "User Account Status Checker" Utility

This script is a simple tool for a help desk. It takes a username as a command-line argument and provides a clear, comprehensive report on the account's status.

@ECHO OFF
SETLOCAL
SET "UserName=%~1"

IF "%UserName%"=="" (
    ECHO [ERROR] Please provide a username.
    REM The angle brackets must be escaped or cmd treats them as redirection.
    ECHO Usage: %~n0 ^<username^>
    GOTO :End
)

ECHO --- Account Status Report for: %UserName% ---
ECHO.

REM --- Check if the user exists first ---
NET USER %UserName% /DOMAIN > NUL 2> NUL
IF %ERRORLEVEL% NEQ 0 (
    ECHO [FAILURE] The user '%UserName%' was not found in the domain.
    GOTO :End
)

REM --- Now get the full details ---
REM Each output line splits into label words (%%A %%B) and the value (%%C),
REM which avoids depending on the exact number of padding spaces.
SET "IsLocked=No"
SET "IsActive=No"
FOR /F "tokens=1,2*" %%A IN ('NET USER %UserName% /DOMAIN') DO (
    IF /I "%%A %%B"=="Account active" SET "IsActive=%%C"
    IF /I "%%A %%B"=="Account locked" SET "IsLocked=%%C"
)

ECHO Account Active: %IsActive%
ECHO Account Locked: %IsLocked%
ECHO.

ECHO --- Summary ---
IF /I "%IsActive%"=="No" (
    ECHO This account is currently DISABLED.
) ELSE IF /I "%IsLocked%"=="Yes" (
    ECHO This account is currently LOCKED OUT.
) ELSE (
    ECHO This account is ACTIVE and NOT LOCKED.
)

:End
ENDLOCAL
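The same parsing approach scales to the "automated monitoring" use mentioned at the start of the article. The following script is an added example, not code from the original article: it reads one sAMAccountName per line from a list file, records a timestamped status for each user in a log, and returns the number of locked accounts as its exit code so a scheduled task can alert on a non-zero result. The list file name (users.txt), log file name and the LOOKUP_FAILED/DISABLED/LOCKED/OK status labels are assumptions for this example.

```batch
@ECHO OFF
SETLOCAL
REM Added example: bulk lockout check for help desk or scheduled monitoring.
REM Usage: %~n0 [listfile]   (default: users.txt next to this script)
REM Assumptions: one sAMAccountName per line, '#' lines are comments.
REM Labels are matched against English net user output; adjust them on a
REM localized Windows installation where the labels are translated.
SET "UserList=%~1"
IF "%UserList%"=="" SET "UserList=%~dp0users.txt"
SET "LogFile=%~dp0lockout-log.txt"
SET /A LockedCount=0

IF NOT EXIST "%UserList%" (
    ECHO [ERROR] User list "%UserList%" not found.
    EXIT /B 2
)

FOR /F "usebackq eol=# tokens=1" %%U IN ("%UserList%") DO CALL :CheckUser "%%U"

ECHO %LockedCount% locked account^(s^) found. Details in "%LogFile%".
REM Exit code = number of locked accounts, so a scheduler can alert on non-zero.
EXIT /B %LockedCount%

:CheckUser
SET "User=%~1"
SET "IsActive=Unknown"
SET "IsLocked=No"
SET "Status=LOOKUP_FAILED"

REM A non-zero ERRORLEVEL means net user could not return the account
REM (unknown user, or no domain controller reachable): log it and move on.
NET USER "%User%" /DOMAIN > NUL 2> NUL
IF ERRORLEVEL 1 GOTO :Record

FOR /F "tokens=1,2*" %%A IN ('NET USER "%User%" /DOMAIN') DO (
    IF /I "%%A %%B"=="Account active" SET "IsActive=%%C"
    IF /I "%%A %%B"=="Account locked" SET "IsLocked=%%C"
)
REM Some systems report a lockout in the Account active field instead.
IF /I "%IsActive%"=="Locked" SET "IsLocked=Yes"

IF /I "%IsActive%"=="No" (
    SET "Status=DISABLED"
) ELSE IF /I "%IsLocked%"=="Yes" (
    SET "Status=LOCKED"
    SET /A LockedCount+=1
) ELSE (
    SET "Status=OK"
)

:Record
ECHO %DATE% %TIME%,%User%,%Status%>> "%LogFile%"
GOTO :EOF
```

Because CALL does not open a new variable scope, the LockedCount updated inside :CheckUser is visible to the EXIT /B line in the main flow.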

Conclusion

The net user <username> /domain command is the standard, built-in tool for querying the state of an Active Directory user account from a batch script.

Key takeaways for using it effectively:

  • You must run the script on a domain-joined machine as a domain user.
  • Use the /DOMAIN switch to query Active Directory.
  • The line "Account locked" will only appear in the output if the account is currently locked.
  • Pipe the output to FIND or FINDSTR to programmatically check for the locked state by inspecting the %ERRORLEVEL%.