我想检查用户是使用某个帐户还是从受密码保护的帐户中锁定。
命令(查询用户)返回"活动"即使用户被锁定。 和进程" explorer.exe"仍将是活跃的。
get-WmiObject win32_useraccount -Namespace "root/cimv2" | %{$_.lockout}
这也会返回: "假"
答案 0 :(得分:1)
不清楚你在问什么,但假设你的意思是"告诉我登录用户帐户被锁定的用户",这应该这样做:
# Get locked local accounts
$lockedAccounts = @(Get-WmiObject win32_useraccount -filter "LockOut=True")
# Get login sessions including disconnected ones
# Get the username, ignore sessions with no username
# Username is in the form "computer\user" so remove "computer\"
$users = @(Get-TerminalSession | select -ExpandProperty UserName | ? {$_})
$users = @($users | % { (Split-String $_ -Separator "\")[1] })
ForEach ($account in $lockedAccounts) {
if ($users -icontains $account.Name) {
write "Locked Account $(account.Name) is logged in"
}
}
我还没有完全测试过它,但是我已经分别对它进行了测试,它看起来很有效。
答案 1 :(得分:0)
Get-EventLog -LogName Security | where {$_.instanceid -eq "4634"} | %{$_.TimeGenerated} | sort TimeOfDay -Descending | select TimeOfDay -First 1