locked accounts in AD

  • Question

  • Hi,

    can anyone tell me how to list all locked user accounts in AD?  I have tried using the saved query feature in server 2003 to query Active Directory for any locked-out accounts and it does give me a list of users but when I look at the users individual properties it does not show the account as locked!

    Any help would be great.

    thanks!
    Tuesday, June 2, 2009 9:58 AM

Answers

  • Hi there, you need to look at userAccountControl (http://support.microsoft.com/kb/305144). This can be added to a script to return all locked users. Do you need the script as well?
    This posting is provided "AS IS" with no warranties, and confers no rights. Check out my blog at - http://chrisbeams.wordpress.com/
    Tuesday, June 2, 2009 10:35 AM
  • Hello,

    Please try this LDAP query.

    (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

    Or please see this link for scripts.

    http://www.microsoft.com/technet/scriptcenter/resources/qanda/nov08/hey1120.mspx

    http://technetfaqs.wordpress.com
    Tuesday, June 2, 2009 10:46 AM
  • To be exact, this query will return both accounts that are currently locked, as well as those that have been automatically unlocked following the expiration of the "Account lockout duration" period (but the corresponding user has not logged on yet). One way to resolve this (assuming that you are operating in a Windows Server 2003-based environment) is to extract the value of the msDS-User-Account-Control-Computed attribute as part of your LDAP query, and filter the outcome based on its value (LOCKED).

    hth
    Marcin
    Tuesday, June 2, 2009 11:26 AM
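The two answers above fit together as one script: the LDAP filter with (lockoutTime>=1) narrows the search, and the constructed attribute msDS-User-Account-Control-Computed (LOCKOUT bit 0x10) tells you which of those hits the domain controller still treats as locked. The LOCKOUT flag listed in the KB article's userAccountControl table is not maintained in the stored userAccountControl value; the DC reports it only through this constructed attribute, which is why a user's property sheet can disagree with a plain saved query. The following PowerShell is an added example, not code from any poster in this thread. It uses System.DirectoryServices (no Active Directory module needed), assumes it runs on a domain-joined machine as an account allowed to read user objects, and the variable and column names are my own choices.

```powershell
# Added example: list accounts the DC currently considers locked out.
# Assumptions: domain-joined host, read access to user objects; all names
# below ($UF_LOCKOUT, $searcher, $locked, column names) are chosen for this example.

# ADS_UF_LOCKOUT bit as reported in msDS-User-Account-Control-Computed
$UF_LOCKOUT = 0x10

# Step 1: the filter from the thread. lockoutTime>=1 matches every account
# whose lockoutTime was ever set, including lockouts that have already expired.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))'
$searcher.PageSize = 1000   # paged search so large domains return all hits

# Constructed attributes are only returned when requested explicitly.
[void]$searcher.PropertiesToLoad.AddRange(@(
    'sAMAccountName',
    'lockoutTime',
    'msDS-User-Account-Control-Computed'
))

$results = $searcher.FindAll()

# Step 2: keep only the accounts whose computed control value has LOCKOUT set.
# SearchResult property names come back in lowercase.
$locked = foreach ($r in $results) {
    $p = $r.Properties
    $uacComputed = [int]$p['msds-user-account-control-computed'][0]
    if ($uacComputed -band $UF_LOCKOUT) {
        [pscustomobject]@{
            SamAccountName = [string]$p['samaccountname'][0]
            # lockoutTime is a Windows FILETIME (100 ns ticks since 1601)
            LockedSince    = [DateTime]::FromFileTime([long]$p['lockouttime'][0])
        }
    }
}
$results.Dispose()

$locked | Sort-Object LockedSince | Format-Table -AutoSize
```

Accounts that match the LDAP filter but fail the bit test are exactly the "expired lockout, user has not logged on yet" case Marcin describes; they drop out of the list rather than showing up as false positives. On Windows Server 2008 R2 and later, the Active Directory module's Search-ADAccount -LockedOut performs the same computed-attribute check for you.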
  • Hello munich99,

    check out one of the really helpful and easy to use tools from joeware.net:
    http://www.joeware.net/freetools/tools/unlock/index.htm
    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, June 2, 2009 10:05 PM

All replies

  • Hi Chris,

    thanks for your reply.  Do you have the script as well please?

    cheers
    Tuesday, June 2, 2009 11:15 AM