pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License
295 stars 92 forks

NonBug, Suspect CA API: is PASAccount locked #230

Closed AaronG1234 closed 4 years ago

AaronG1234 commented 4 years ago

Currently Get-PASAccount doesn't help me know if the account is Locked/Checked out. I can do some fuzzy logic from data from Get-PASAccountActivity: so long as an account is exclusive, and there has been a read without a release (unlock), it must be locked/Checked out...

A close parallel issue... When I do a Remove-PASAccount of an account that is locked, I get no error from the module (I haven't checked the invoke, but the module has been pretty solid about passing errors up); however, the remove does not remove the account. This could be a bug somewhere, and if you think it is, I'll create a proper bug report for it. (I only hesitate because most of my mis-expectations of the module stem from CyberArk's API limitations.)

pspete commented 4 years ago

You are right - Get-PASAccount does not show if an account is locked or not; the data is not returned as far as I am aware. You do get notified via an error if you attempt to perform an action (Set-PASAccount/Invoke-PASCPMOperation/Get-PASAccountPassword) on an account which is locked by another user. A locked account cannot be deleted, so I would expect this to be reported back; it just depends on what the API responds with (exception or success code).

pspete commented 4 years ago

Closing as nothing to fix
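
The heuristic described in the first comment (exclusive account, a read with no later release), written out as an added example; it is not code from psPAS or from anyone in this thread. The function name, the `Time`/`User`/`Activity` property names and the `Retrieve`/`Unlock` match strings are assumptions, so compare them with what Get-PASAccountActivity returns in your environment before relying on the result.

```powershell
# Added example: infers a *likely* lock state from activity records.
# Assumptions (hypothetical, not confirmed psPAS output): each record has
# Time, User and Activity properties; reads contain 'Retrieve' and
# releases contain 'Unlock' in the Activity text.
function Get-LikelyLockState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Activity,
        [Parameter(Mandatory)][bool]$Exclusive,
        [string]$ReadPattern    = 'Retrieve',
        [string]$ReleasePattern = 'Unlock'
    )

    # The inference only holds for exclusive (check-out/check-in) accounts.
    if (-not $Exclusive) {
        return [pscustomobject]@{ State = 'NotApplicable'; Since = $null; User = $null }
    }

    # Replay the log oldest-first: a read opens a checkout, a release closes it.
    $openRead = $null
    foreach ($entry in ($Activity | Sort-Object -Property Time)) {
        if ($entry.Activity -match $ReleasePattern)  { $openRead = $null }
        elseif ($entry.Activity -match $ReadPattern) { $openRead = $entry }
    }

    if ($openRead) {
        [pscustomobject]@{ State = 'LikelyLocked'; Since = $openRead.Time; User = $openRead.User }
    }
    else {
        [pscustomobject]@{ State = 'LikelyFree'; Since = $null; User = $null }
    }
}

# Constructed sample records (not real vault output), deliberately out of order.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2020-01-10T09:30:00'; User = 'alice'; Activity = 'Unlock' }
    [pscustomobject]@{ Time = [datetime]'2020-01-10T09:00:00'; User = 'alice'; Activity = 'Retrieve password' }
    [pscustomobject]@{ Time = [datetime]'2020-01-11T14:05:00'; User = 'bob';   Activity = 'Retrieve password' }
)

Get-LikelyLockState -Activity $sample -Exclusive $true   # LikelyLocked, bob's read
Get-LikelyLockState -Activity $sample -Exclusive $false  # NotApplicable
```

The result is an inference from the log only; as noted in the reply above, the API itself reports a lock through an error when an action is attempted on the account.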