Check if AD account is locked

Hi folks,

what is the easiest way to check with CheckMK if a computer or user account has been disabled/locked in AD?

Thanks for your help

Frank

Hi Frank,

I've written a small PowerShell local script to check for locked accounts:

Just copy that script in the local directory on the domain controller.


Hi Andre,

thanks for the script. I have to adapt it a little because I want to check for specific accounts, but that should be doable even for a non-Windows guy.

cheers
Frank


This script is identifying All of my accounts as locked, including the one I’m logged in as, obviously not locked.
“There are currently 113 locked accounts”
It is not checking whether “LockedOut” is true, just that the object exists. Which it does for 113 users, with the value of “False”. It then checks that “.Enabled” is true, i.e. the accounts aren’t DISABLED, then reports every account to PowerShell.

When I add a “Where-Object {$_.LockedOut -like “true” } |” to the check command, it seems to choke the whole script as there’s no output.

Likewise using the simpler “Search-ADAccount -LockedOut” command breaks it, as it’s expecting Some level of output/some users, so errors in checkmk with “locked_count=1 check failed - please submit a crash report! (Crash-ID: 0dd4a158-e3f4-11ef-896b-0050568ff54f)”

That may be trappable.

I’m far from a PowerShell scripter, but I’m working on it, so far unsuccessfully (see prior "not a powershell scripter" :wink:)

That all said, am I missing something obvious here? Using the script as is returns 113 locked users, every user on the system is then listed in checkmk as “locked”

Here’s a script we did that will monitor for account lockouts:

```powershell
$lockedAccounts = Search-ADAccount -LockedOut | Where-Object {$_.Enabled -eq $true } | Select-Object -ExpandProperty Name
$lockedAccountsCount = $lockedAccounts.Count
$lockedAccountsString = $lockedAccounts -join ","

$warn = 1
$crit = 5

if ($lockedAccountsCount -eq 0) {
    $statuscode = 0
    $statustext = "There are no locked accounts present in Active Directory."
} else {
    if ($lockedAccountsCount -gt $crit) {
        $statuscode = 2
    } elseif ($lockedAccountsCount -ge $warn) {
        $statuscode = 1
    }
    $statustext = "There are currently $lockedAccountsCount locked accounts: $lockedAccountsString"
}
# NOTE: $LockedUsers is never assigned in this script; this line and the
# "<<<local>>>" header below are leftovers from the copied script.
Write-Output "Lockedusers are: $LockedUsers"
Write-Output "<<<local>>>"
Write-Output "$statuscode LockedUsers locked_count=$lockedAccountsCount $statustext"
```

Remove these two lines and put the script in the local folder.

@r.sander why?
I did copy the prior guy’s post, and those are left over from that, seems to be working just fine.

Ahhh, gotcha, the statuscode line is all that’s needed, those are just being dropped anyway aren’t they.
Will delete them next time I’m in there, thanks for the advice, I appreciate it. If/when I’m writing more of these I’ll look more into the proper writing. As is this is just a minor side project, time allocation-wise.

Thanks again.


A Local Check script is only allowed to output the lines with the status, nothing else.

If a section header is the first line of the output, it’s an agent plugin and belongs in the plugins directory.

The first line is output that must never be generated, as it messes with the previous agent data section.

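Pulling the points of this thread together (filter on the actual lockout state, survive an empty result, report locked and disabled accounts separately, and emit only the status line without a section header), here is an added example of such a local check; it is neither the script posted above nor Checkmk's own code. It assumes the ActiveDirectory module is available on the host, and the service name AD_Locked_Accounts and the thresholds are placeholders to adjust.

```powershell
# Added example (not the script posted above): a Checkmk local check that
# reports locked-out and disabled AD user accounts as separate metrics.
# Assumes the ActiveDirectory module is present and that this file lives in
# the agent's local\ directory, so it must NOT print a <<<local>>> header.
Import-Module ActiveDirectory -ErrorAction Stop

$warn = 1   # placeholder thresholds, adjust to taste
$crit = 5

try {
    # @() forces an array, so .Count is 0 instead of $null when nothing is
    # found; that empty-result case is what crashed the check in the thread.
    $locked   = @(Search-ADAccount -LockedOut -UsersOnly |
                  Where-Object { $_.Enabled -eq $true } |
                  Select-Object -ExpandProperty SamAccountName)
    $disabled = @(Search-ADAccount -AccountDisabled -UsersOnly |
                  Select-Object -ExpandProperty SamAccountName)
} catch {
    # State 3 = UNKNOWN. Keep the message on one line so the agent parses it.
    $msg = ($_.Exception.Message -replace '[\r\n]+', ' ')
    Write-Output "3 AD_Locked_Accounts - AD query failed: $msg"
    exit 0
}

$state = 0
if ($locked.Count -gt $crit)     { $state = 2 }
elseif ($locked.Count -ge $warn) { $state = 1 }

if ($locked.Count -eq 0) {
    $text = "No locked user accounts"
} else {
    $text = "$($locked.Count) locked user account(s): $($locked -join ', ')"
}
$text += "; $($disabled.Count) disabled user account(s)"

# The only line a local check may output: <state> <name> <metrics> <text>.
# Metrics use metric=value;warn;crit and are separated by "|".
Write-Output "$state AD_Locked_Accounts locked_count=$($locked.Count);$warn;$crit|disabled_count=$($disabled.Count) $text"
```

Disabled accounts are only counted here, not alerted on; raise the state on disabled_count as well if that is what you want to be paged for.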