Finding Locked Out Users






Finding Locked Out Users

Problem

You want to find users whose accounts are locked out.

Solution

Using a command-line interface

The following command finds all locked out users in the domain of the specified domain controller:

	> unlock <DomainControllerName> * -view

Discussion

Despite the deceptively simple command just shown, finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query using DSQuery or AdFind (similar to the one to find disabled users in Recipe 6.17), but unfortunately it is not that easy.

The lockoutTime attribute is populated with a timestamp when a user is locked. One way to find locked out users would be to find all users that have something populated in lockoutTime (i.e., lockoutTime=*).That query would definitely find all the currently locked users, but it would also find all the users that subsequently became unlocked and have yet to log in since being unlocked; the lockoutTime attribute doesn't get reset until the next time the user logs on successfully. This is where the complexity comes into place.

To determine the users that are currently locked out, you have to query the lockoutDuration attribute stored on the domain object (e.g., dc=rallencorp,dc=com). This attribute defines the number of minutes that an account will stay locked before becoming automatically unlocked. You need to take this value and subtract it from the current time to derive a timestamp that would be the outer marker for which users could still be locked. You can then compare this timestamp with the lockoutTime attribute of the user object. The search filter to find all locked users once you've determined the locked timestamp would look something like this:

	(&(objectcategory=Person)(objectclass=user)(lockoutTime>DerivedTimestamp))

For any users that have a lockoutTime that is less than the derived timestamp, their account has already been automatically unlocked per the lockoutDuration setting.

None of the current standard GUI or CLI tools incorporates this kind of logic, but fortunately Joe Richards wrote the unlock.exe utility, which does. And as its name implies, you can also unlock locked accounts with it. Thanks, Joe!

See Also

MS KB 813500 (Support WebCast: Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features)



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows