For information, i use this query on ad (Saved Query) to view "locked account" and it works :
This query works - but it can give you "false positive" results.
The lockouttime attribute is reset when the user logs on the next time. So let's say the user is locked out 1:30 PM and the lockout duration is 60 minutes.
When you query the AD at 2:29 PM the user is returned as locked - which is correct.
When you query the AD at 2:31 PM the user is returned as locked - which is wrong. You get this wrong result as long as the user doesn't log on again.
So my function uses your query and calculates the end of the lockouttime for every user. At 2:30 PM the user of the above example is deleted from the result.
This only works when I get the correct lockout duration from the AD. Your lockout duration is set to 0 so I assume you use the "Fine-grained Password Policies
So far I don't know how to query the AD for this new policies or how to extract the values for each user.
That's how I understand the wrong results you get.
Edited by water, 28 May 2010 - 05:56 AM.