Lockoutstatus.exe

[LAS]

A user account has been locked out. Opening the
LockOutStatus tool shows the user status as "not locked
(AutoUnlock)," and the Unlock Account option is not
available. Looking in the active users and computers
shows the account as locked out. Does the Auto Unlock
disable the ability to unlock an account using the
LockOutStatus tool?

 

[Joe Richards [MVP]]

There is a bug in ADUC where it incorrectly shows an account locked that isn't
really locked. The attribute that controls locking is a time stamp of when the
lock occurred. The proper way to see if an account is unlocked is to check that
time stamp, compare it to the current time and check how long accounts are
supposed to be locked for. If a user's lockout time has expired but they haven't
logged in and an admin has not unlocked their account, ADUC and many other tools
and scripts will incorrectly show the account locked because they simply check
for a value in lockoutTime attribute, not check the value.

joe

 

[LAS]

Thanks for the response Joe. In my particular case, I
believe the account is truly locked. I tested it by
purposefully entering incorrect passwords until the
account was locked out. Then I ran the LockOutStatus tool
and it indicated the account was unlocked(AutoUnlocked).
It also did not make the "unlock account" available. I
don't understand it.

 

[Joe Richards [MVP]]

If you have mutliple DCs it is possible that the lock hadn't replicated yet.

I have a tool on my website which is pretty handy too, it is a command line tool
called unlock. It is in the free win32 tools page of www.joeware.net, check it
out. Even if an account IS unlocked due to timeout of the lockout time you can
force a zero into lockoutTime if you prefer. I had several requests for that
because people just wanted to be able to do it.


joe