How can you identify disabled and locked domain users before launching a password spray attack?

Disabled users are identified by the `ACCOUNTDISABLE` flag (bit 0x0002) in `userAccountControl`. Locked users are detected by checking the `badPwdCount` and `lockoutTime` attributes rather than the LOCKOUT flag (bit 0x0010), which is unreliable. For example, with PowerView you can run `Get-NetUser | select name,badPwdCount,lockoutTime` to see locked accounts. This filtering is critical before using tools like `DomainPasswordSpray`.