O'Reilly logo

Active Directory Cookbook by Robbie Allen

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

6.9. Finding Locked Out Users

Problem

You want to find users that are locked out.

Solution

Using a command-line interface

The following command finds all locked-out users in the domain of the specified domain controller:

> unlock <DomainControllerName> *  -view

Tip

Unlock.exe was written by Joe Richards (http://www.joeware.net/) and can be downloaded from http://www.joeware.net/win32/zips/Unlock.zip.

Discussion

Finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query similar to the one to find disabled users, but unfortunately, it is not that easy.

The lockoutTime attribute is populated with a timestamp when a user is locked. One way to find locked out users would be to find all users that have something populated in lockoutTime (i.e., lockoutTime=*). That query would definitely find all the currently locked users, but it would also find all the users that were locked, became unlocked, and have yet to log in since being unlocked. This is where the complexity comes into place.

To determine the users that are currently locked out, you have to query the lockoutDuration attribute stored on the domain object (e.g., dc=rallencorp,dc=com). This attribute defines the number of minutes that an account will stay locked before becoming automatically unlocked. We need to take this value and subtract it from the current time to derive a timestamp that would be the outer marker for which users could still be locked. We can then ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required