Show locked-out accounts

jallen

Is there a way to make AD show locked out accounts the way
NT4 Server Manager did? Looking for a way to tell at a
glance if any accounts are locked out. Thanks.
 
Richard Moreno

There's no GUI-based format with the built-in tools; however, on the 2003
platform MS did implement it as an additional download. Unless 3rd-party
vendors have a GUI for it, you'll have to revert to scripting.

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

This posting is provided "AS IS" with no warranties, and confers no
rights.
 
jallen

Thanks.
-----Original Message-----
There's no GUI-based format with the built-in tools; however, on the 2003
platform MS did implement it as an additional download. Unless 3rd-party
vendors have a GUI for it, you'll have to revert to scripting.

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Simon Geary

You don't need a download for Windows Server 2003 to check this. The new
Saved Queries function in AD Users & Computers has a built-in query to show
all locked out/disabled accounts and this lists them all in the MMC window,
very useful indeed.
 
Simon Geary

And I forgot to mention, if you install a Windows Server 2003 member server
in a Windows 2000 domain and then install the admin tools this new feature
will be available to you. Not all the queries work on a 2000 domain but this
one does.
 
Joe Richards [MVP]

They have disabled but I don't think they have locked out, but it has been a bit since I looked.
 
Joe Richards [MVP]

Server Manager didn't show locked out user ids.

However if you want the quickest way to find all locked out accounts in a domain, check out unlock which is on the free
win32 tools page of www.joeware.net. It is a command line tool that is the fastest method you will find to get a list of
locked out IDs.

joe
 
Simon Geary

Ah, you're right. Some of my accounts were locked out and disabled which
caught me out. It shouldn't be too difficult to create a custom query for
account lockouts so they can be viewed in ADU&C, should just be a case of
copying the query string for disabled accounts and changing =2 to =16, if
I'm reading this MSDN article right!
 
Joe Richards [MVP]

It isn't right. You have to do a complex calculation on the lockoutTime attribute. Google for this and you will find
tons of posts.

--
Joe Richards
www.joeware.net
 
Ulf B. Simon-Weidner

> They have disabled but I don't think they have locked out, but it has been a bit since I looked.

Hi Joe,

you are right that the saved queries do not provide the locked out users as
predefined, but it's possible to create a standard LDAP-Query showing the
information:
new query -> define query -> select "custom search" from the drop-down list ->
Advanced tab.

A query for locked out users would be
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

cause:
lockoutTime = <not set> : user has never locked himself out
lockoutTime = 0 : user has been unlocked by an administrator
lockoutTime = any number: user is locked, attribute states the time

Gruesse - Sincerely,

Ulf B. Simon-Weidner
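
The calculation on lockoutTime that Joe Richards mentions, combined with the three lockoutTime cases Ulf lists, as an added Python example that is not part of the thread. It assumes lockoutTime is a count of 100-nanosecond intervals since 1601-01-01 UTC, that the domain's lockoutDuration is a negative count of the same intervals, and that a lockoutDuration of 0 or the minimum 64-bit value means the lockout never expires by itself; the account names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MIN = -(2 ** 63)  # assumption: stored when lockouts never expire on their own

def filetime_to_datetime(ticks):
    """100-nanosecond intervals since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def lockout_state(lockout_time, lockout_duration, now):
    """Return (state, expiry) for one account.

    lockout_time     -- raw lockoutTime value, or None when the attribute is not set
    lockout_duration -- raw lockoutDuration of the domain (negative 100 ns intervals)
    """
    if lockout_time is None:
        return ("never locked", None)
    if lockout_time == 0:
        return ("unlocked", None)
    if lockout_duration in (0, INT64_MIN):
        return ("locked", None)  # stays locked until an administrator unlocks it
    # lockout_duration is negative, so subtracting it adds the lockout window.
    expiry = filetime_to_datetime(lockout_time - lockout_duration)
    return ("locked" if now < expiry else "expired", expiry)

def report(accounts, lockout_duration, now):
    """Map each account name to its state string."""
    return {name: lockout_state(t, lockout_duration, now)[0]
            for name, t in accounts.items()}

# Constructed sample data: a 30-minute lockout policy and four accounts.
NOW = datetime(2004, 1, 1, 12, 0, tzinfo=timezone.utc)
THIRTY_MINUTES = -30 * 60 * 10_000_000
SAMPLE = {
    "alice": None,                                               # attribute not set
    "bob": 0,                                                    # reset to 0
    "carol": datetime_to_filetime(NOW - timedelta(minutes=10)),  # inside the window
    "dave": datetime_to_filetime(NOW - timedelta(hours=2)),      # window has passed
}

if __name__ == "__main__":
    for name, state in report(SAMPLE, THIRTY_MINUTES, NOW).items():
        print(f"{name:6} {state}")
```

In this sample, carol and dave both match the `lockoutTime>=1` filter; only the comparison against the lockout duration separates them.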
 
