Use the AD mmc to find locked out accounts
The AD MMC (the Active Directory Users and Computers console) is a nifty tool for your day-to-day management of AD objects, and I have watched plenty of admins use only a fraction of what it can do. What a waste. Besides managing all the objects in your domains, did you know it can also save queries?
A useful saved query is one that finds accounts that are locked out.
Just open the Active Directory Users and Computers console, right-click Saved Queries in the console tree and select New -> Query. Type a name and description for the query, specify a query root (where in your namespace the query begins searching), and click the Define Query button. Since there is no built-in option for finding locked-out accounts in the Common Queries box, select Custom Search instead to open the Find Custom Search box. Then select the Advanced tab and enter the following LDAP filter in the Enter LDAP Query textbox:
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
Alternatively, there is the command line way:
dsquery is a powerful command line query tool for finding out just about anything about your AD objects.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))"
will list every account in your domain whose lockoutTime attribute is non-zero. One caveat: lockoutTime is only reset to 0 when the account is explicitly unlocked, not when the lockout expires on its own after the domain's lockout duration, so the list can include accounts that are no longer locked.
Tip: this command gives you a list of full DNs. You can make the output more readable by piping it into dsget:
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))" | dsget user -samid
will give you only their logon names (sAMAccountName). Also note that dsquery returns at most 100 objects by default; add -limit 0 to get them all.
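The same LDAP filter can be driven from PowerShell, which makes it easy to fix the two weaknesses of the raw query: it reports accounts whose lockout has already expired, and it only asks the DC you happen to be connected to. The following script is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read user objects on every domain controller. It runs the filter against each DC, converts lockoutTime from its FILETIME representation, and keeps only accounts whose lockout is still within the domain's LockoutDuration.

```powershell
# Added example (not from the original post): find accounts that are actually locked out,
# using the same LDAP filter as the dsquery one-liner but querying every DC and
# discarding lockouts that have already expired.
# Assumes: ActiveDirectory module available, read access to user objects on each DC.
Import-Module ActiveDirectory

$filter = '(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))'

# LockoutDuration is a TimeSpan; 00:00:00 means "locked until an administrator unlocks it".
$lockoutDuration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration
$now = Get-Date

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # lockoutTime is written on the DC that processed the final bad password, so ask each one.
    Get-ADUser -LDAPFilter $filter -Server $dc.HostName -Properties lockoutTime |
        ForEach-Object {
            # lockoutTime is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
            $lockedAt = [DateTime]::FromFileTimeUtc($_.lockoutTime).ToLocalTime()

            # An expired lockout leaves lockoutTime untouched, so the LDAP filter alone
            # still matches it; only an explicit unlock resets the attribute to 0.
            $stillLocked = ($lockoutDuration -eq [TimeSpan]::Zero) -or
                           (($now - $lockedAt) -lt $lockoutDuration)

            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                DC             = $dc.HostName
                LockedAt       = $lockedAt
                StillLocked    = $stillLocked
            }
        }
}

# Accounts that are still locked, with the DC that recorded the lockout.
$results | Where-Object StillLocked | Sort-Object SamAccountName, DC | Format-Table -AutoSize
```

An account shows up once per DC that has the lockout recorded, so after replication you will typically see it listed for every DC; before replication only the DC that processed the bad password will report it, which is exactly why a query against a single DC can come back empty. If you only need a quick answer for one DC, the built-in Search-ADAccount -LockedOut -Server <dc> does the per-DC lookup for you.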


Wasim said:
Hello Friend,
I tried using the custom query, but the result was not at all accurate. What can be the reason? None of the listed accounts was locked out.
Thanks.
Florian said:
Wasim, the query is only run against the DC you are connected to. It will not query all the DCs where your account may be locked out. To make sure, you will have to connect to another DC and run the same query again, or wait for the account lockout information to replicate to the DC you are connected to.