Answered lock AD user

  • Saturday, December 29, 2012 11:37 AM
     
     
    can we lock AD User without GPO...
    • Edited by biplob9s Saturday, December 29, 2012 11:38 AM

All Replies

  • Saturday, December 29, 2012 11:50 AM
     
     

    Hello,

    What do you mean by that?


    MVP Group Policy - Myths, insider information and troubleshooting on the topic of GPOs: Let's go, use GPO!

  • Sunday, December 30, 2012 6:40 AM
     
     
    Client request. They want to lock AD user not Disable!!!
  • Sunday, December 30, 2012 7:31 AM
     
     

    can you explain a little more? give an example?

    "lock", do you mean "prevent the user account from being used"? isn't this what "disable" is for?

    do you mean, you need a solution which does not use Domain GP, because the workstations are not Domain members?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


  • Sunday, December 30, 2012 8:21 AM
     
     

    user hand have a group policy three times press wrong password user automatically lock.

    but client want to  lock user without any policy.

  • Sunday, December 30, 2012 10:26 AM
     
     

    user hand have a group policy three times press wrong password user automatically lock.

     ok, this is the "account lockout" feature, when enabled, it is automatic detection and lockout (to prevent intruders)
    http://technet.microsoft.com/en-us/library/hh994566(v=ws.10).aspx

    but client want to  lock user without any policy.

    so how & when would the "lock" be needed/applied?
    who would trigger this "lock"?
    is it that you need to prevent further use of this "locked" account? or some other feature?
    would an AD admin perform the "lock" using ADUC or ADAC or similar tools?
    or some other person needs to perform the "lock"?

    a user account can exist in several different statuses - I am not sure which status you are needing, so it's difficult to advise you.
    is the example/scenario, where a user no longer works at the company? or some temporary "lock" for a few days? hours?


    Don

  • Sunday, December 30, 2012 11:39 AM
     
     

    lock will be applied few days or hours. have any tools to lock any user.

  • Sunday, December 30, 2012 11:55 AM
     
     

    lock will be applied few days or hours. have any tools to lock any user.

    well, the simplest way to trigger an account lockout condition, is to supply an incorrect password enough times.
    this assumes you have enabled account lockout settings for your domain, and that the account lockout duration set for the domain, is an acceptable period for your scenario.

    Don

  • Sunday, December 30, 2012 1:09 PM
     
     Answered

    Hi Biplob9s,

    We cannot manually/forcefully lock an Active Directory account; it will be locked through GPO only.

    But we can disable/enable with the following steps:

    net user /Active:YES <username>

    "YES" for enable

    "NO" for disable

    The following tool will unlock an account manually.

    After installation you will find “lockoutstatus.exe” under “C:\Program Files (x86)\Windows Resource Kits\Tools”

    Optional tool to unlock AD account:

    http://www.dovestones.com/locate-active-directory-locked-accounts/

    Regards,


    MD Disclaimer: The opinions expressed herein are my own knowledge. Deploy this at your own risk. Whenever you see a helpful reply, just click on “Propose As Answer”
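
    The distinction drawn in the answer above (an account is disabled by an administrator, but locked out only by the lockout policy), shown with the ActiveDirectory PowerShell module. This is an added example, not part of the original post; the account name 'jdoe' and the function names Get-AccountState and Restore-Account are assumptions made for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to modify the account.
Import-Module ActiveDirectory

function Get-AccountState {
    param([Parameter(Mandatory = $true)][string]$Identity)
    # Enabled   : $false when an administrator has disabled the account.
    # LockedOut : $true only when the lockout policy tripped after bad passwords.
    # The two flags are independent, so an account can be in either state, both, or neither.
    Get-ADUser -Identity $Identity -Properties LockedOut, AccountExpirationDate |
        Select-Object SamAccountName, Enabled, LockedOut, AccountExpirationDate
}

function Restore-Account {
    param([Parameter(Mandatory = $true)][string]$Identity)
    $state = Get-AccountState -Identity $Identity
    # Undo an administrative disable.
    if (-not $state.Enabled) { Enable-ADAccount -Identity $Identity }
    # Clear a policy-triggered lockout; there is no matching cmdlet that sets one.
    if ($state.LockedOut)    { Unlock-ADAccount -Identity $Identity }
    Get-AccountState -Identity $Identity
}

# Temporary block requested by the client: disable now, restore later.
# 'jdoe' is a constructed sample account name.
# Disable-ADAccount -Identity 'jdoe'
# Get-AccountState  -Identity 'jdoe'    # Enabled = False, LockedOut unchanged
# Restore-Account   -Identity 'jdoe'    # run when the block should end

# Accounts currently locked out by the policy (what lockoutstatus.exe helps investigate):
# Search-ADAccount -LockedOut -UsersOnly |
#     Select-Object SamAccountName, LockedOut, LastLogonDate
```

    Disable-ADAccount, Enable-ADAccount, Unlock-ADAccount and Search-ADAccount support -WhatIf for a dry run before changing an account.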


  • Monday, December 31, 2012 9:21 AM
     
     

    thanks Mubasshir............ may i also think like you.