Which tool pulls information about locked-out accounts from Active Directory?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which tool pulls information about locked-out accounts from Active Directory?

Explanation:
The concept here is using a tool that directly reports on the lock state of user accounts in Active Directory by reading the lockout information stored on account objects. Active Directory stores a lockoutTime attribute for accounts that have been locked due to failed logon attempts, and a specialized utility that queries domain controllers to list accounts with a non-zero lockoutTime is the simplest and most direct way to pull this information.

That tool is designed specifically to identify and present locked-out accounts, giving you a clear view of who is currently locked (and sometimes when the lock occurred), without requiring manual LDAP filtering or sifting through policy details. This makes it the best fit for quickly auditing locked accounts across a domain.

In contrast, net accounts only shows domain password and lockout policies (like threshold and duration) and does not enumerate individual locked accounts. dsget can retrieve attributes from AD, including lockout-related ones, but it requires crafting specific queries and is not as directly focused on listing all locked accounts. adfind can perform LDAP searches for the lockoutTime attribute, but again it requires you to build and run the right query and interpret the results yourself. The dedicated lockout-status tool streamlines this task and provides the needed information with less setup.
