6.9. Finding Locked Out Users
Problem
You want to find users that are locked out.
Solution
Using a command-line interface
The following command finds all locked-out users in the domain of the specified domain controller:
> unlock <DomainControllerName> * -view
Unlock.exe was written by Joe Richards (http://www.joeware.net/) and can be downloaded from http://www.joeware.net/win32/zips/Unlock.zip.
Discussion
Finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query similar to the one to find disabled users, but unfortunately, it is not that easy.
The lockoutTime attribute is populated with a timestamp when a user is locked out. One way to find locked-out users would be to find all users that have something populated in lockoutTime (i.e., lockoutTime=*). That query would definitely find all the currently locked users, but it would also find all the users that were locked, became unlocked, and have yet to log in since being unlocked. This is where the complexity comes into play.
To determine the users that are currently locked out, you have to query the lockoutDuration attribute stored on the domain object (e.g., dc=rallencorp,dc=com). This attribute defines the number of minutes that an account will stay locked before becoming automatically unlocked. We need to take this value and subtract it from the current time to derive a timestamp that serves as the outer marker: only users whose lockoutTime is later than that marker can still be locked. We can then ...