query AD to find all locked accounts

On Thu, 3 Jul 2008 16:33:18 +1000, "tree leafs" <...@hotmail.com

Hi
I am trying to create a saved query to find out all locked-out user
accounts.
The query string I used is:
(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))

It returned a few accounts but none of them is really locked-out.

I also tried this string:

(&(objectCategory=Person)(objectClass=User)(lockoutTime
which returned the same results.

Don't know what's wrong.

DCs are WIN2003 SP2.

Thanks in advance,


On Wed, 2 Jul 2008 23:50:00 -0700, Syed Khairuddin <...@cigalah.com.sa

Instead of all these things please use a simple tool from Microsoft called
LockoutStatus.exe

Which can be downloaded from

http://www.microsoft.com/downloads/details.aspx?FamilyID=D1A5ED1D-CD55-4829-A18 9-99515B0E90F7&displaylang=en

Thanks

We Don't want to be average, We Want to be Great




On Thu, 3 Jul 2008 10:19:58 +0200, "Jorge de Almeida Pinto [MVP - DS]" <...@gmail.com

try

ADFIND -default -f "(&(objectCategory=person)(objectClass=user)(&(lockoutTime=*)(!(lockoutTime=0))))" -dn

adfind can be downloaded from joeware.net

an account is NOT locked if the lockoutTime value is empty or zero. It is
locked if it contains a non-zero value

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--BLOG (RSS-FEEDS)--------------------------------------------------------------------- -----------------------
* How to ask a question -------------------------------------------------------------------------------- ------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
-------------------------------------------------------------------------------- ----------
#################################################
#################################################
-------------------------------------------------------------------------------- ----------
"tree leafs" <...@TK2MSFTNGP04.phx.gbl...

On Thu, 3 Jul 2008 08:53:23 -0400, "Dean Wells \(MVP\)" <...@maskmsetechnology.com

"Jorge de Almeida Pinto [MVP - DS]"
<...@TK2MSFTNGP05.phx.gbl...

<snipped for brevity>
A minor addition to Jorge's answer but an important distinction
nonetheless. I've encountered a commonplace scenario where the
'lockOutTime' alone is insufficient to indicate the 'Account Locked
Out' status for a particular user. It occurs when an account IS
locked out, the lockout period elapses and the user later and
successfully logs on. As a result, I now work on the premise that an
account isn't locked out based exclusively on the value of
'lockOutTime' - the 'badPwdCount' must also be taken into
consideration.

Note the short-hand example query below that disregards 'badPwdCount'
(word-wrap will bend the ADfind syntax a bit) -

C:\sAMAccountName

dn:CN=Guest,CN=Users,DC=mset,DC=local

dn:CN=Steve,OU=MSET,DC=mset,DC=local

2 Objects returned

... only the 'Guest' account is truly locked. So we repeat the query
just a few seconds later but incorporate 'badPwdCount' in the
returned attribute set -

C:\sAMAccountName badPwdCount

dn:CN=Guest,CN=Users,DC=mset,DC=local

dn:CN=Steve,OU=MSET,DC=mset,DC=local

2 Objects returned

... note that the second account listed has no 'badPwdCount' value which
is why it wasn't returned -- the account's not locked either. Taking
this into consideration -- in order to truly determine whether an
account is locked or not, we must incorporate an additional component in
the filter -

C:\"(&(objectCategory=user)(lockoutTime
dn:CN=Guest,CN=Users,DC=mset,DC=local

1 Objects returned

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l







On Thu, 3 Jul 2008 15:12:59 +0200, "Jorge de Almeida Pinto [MVP - DS]" <...@gmail.com

that's a good catch, had not thought about that scenario
thanks

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #


On Thu, 3 Jul 2008 08:29:26 -0500, "Richard Mueller [MVP]" <...@ameritech.nospam.net


"Dean Wells (MVP)" <...@TK2MSFTNGP06.phx.gbl...
<snipped for brevity>
The badPwdCount is not replicated. Does adfind take this into account? Also,
if (lockoutTime=*) and (!lockoutTime=0) won't you get users that were locked
out, but where the domain lockoutDuration has expired and the user had not
yet logged in?

The method I use requires a script. I retrieve all users where
(&(lockoutTime=*)(!lockoutTime=0)). Then I retrieve the domain
lockoutDuration. The account is locked out if (lockoutTime +
lockoutDuration) < Now. Otherwise the user is not locked out. Actually the
lockoutDuration value is negative, but you get the idea. Both attributes
are Integer8.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


On Thu, 3 Jul 2008 10:19:21 -0400, "Dean Wells \(MVP\)" <...@maskmsetechnology.com

"Richard Mueller [MVP]" <...@ameritech.nospam.net> wrote in message news:...@TK2MSFTNGP04.phx.gbl...

No, it doesn't (at least the syntax I provided doesn't) and, you're
right -- that's a great point. I focused on the fact that 'lockoutTime'
alone is insufficient but even 'badPwdCount' falls way short ...
further, even checking it against the PDC would 1] be potentially
inconclusive and, well ... therefore inconclusive :0) and 2] only
indicate that the account was once locked-out, not that it remains so
(since NOT being locked-out doesn't require that a successful logon had
later occurred which would be necessary for the 'badPwdCount' to be
reset on the authenticating DC.)


Why not (lockoutTimequery-load?


Nod, I have two such scripts; one may even be yours.

For those now confused by mine (and I think Jorge's) apparent
brain-fart(s), the simple conclusion is: "yeah, what Richard said".





--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l



On Thu, 3 Jul 2008 16:26:29 +0200, "Jorge de Almeida Pinto [MVP - DS]" <...@gmail.com

and Dean even made a larger mess out of what I said. He knows, but of course
won't acknowledge he's wrong-er than anyone else ;-))
Probably Richard already had his coffee. Gonna get some quickly

So, yeah, what Richard said! ;-)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #


On Thu, 3 Jul 2008 11:31:35 -0400, "Dean Wells \(MVP\)" <...@maskmsetechnology.com

"Jorge de Almeida Pinto [MVP - DS]"
<...@TK2MSFTNGP06.phx.gbl...


<snip>
You see Princess - I'm even better at being 'wrong' than you are :-p

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l



On Thu, 3 Jul 2008 10:50:23 -0500, "Richard Mueller [MVP]" <...@ameritech.nospam.net

Unfortunately, this means one query won't get accurate results. However, now
that I'm on my third cup of coffee, I remember dealing with this a few
months back. I actually posted a VBScript solution on my web site here:

http://www.rlmueller.net/FindLockedOutUsers.htm

You actually can retrieve all locked out users in one query, but you must
calculate an Integer8 value first. The query filter I use in the above
program is:

strFilter = "(&(objectCategory=person)(objectClass=user)(lockoutTime & str64Bit & "))"

where str64Bit is the current time (converted to UTC) less the domain
lockoutDuration in 100-nanosecond intervals. Since the calculation requires
a script, it still means you can't do the query without using a script.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


On Thu, 3 Jul 2008 12:10:14 -0400, "Dean Wells \(MVP\)" <...@maskmsetechnology.com

"Richard Mueller [MVP]" <...@ameritech.nospam.net> wrote in message news:...@TK2MSFTNGP02.phx.gbl...

Nod, that's the same approach as I've got here ... quite difficult to
handle in batch though :0/

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l



On Thu, 3 Jul 2008 16:35:48 -0500, "Joe Kaplan" <...@removethis.accenture.com

One thing you can do to be sure is look for accounts that have a non-zero
lockoutTime and then get msds-userAccountControlComputed to check for the
locked bit on it. It will actually check against the current lockout policy
(unlike the actual userAccountControl) attribute. It can help eliminate
false positives and the additional complexity of FGPPs in 2008 server.

Note that since it is computed, you must return the value and then do the
masking on it to check for the lockout bit, you can't put that in the
filter. I'm not sure if ADfind has a handy syntax for filtering the return
results, but it would not surprise me.

Also note that this doesn't work on 2000 DCs, but that's not my problem if
you still have one of those. :)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
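The two approaches above (Richard's Integer8 threshold filter and Joe's msDS-User-Account-Control-Computed lockout bit) worked through in Python, as an added example that is not code from any poster in this thread. It runs offline against constructed sample accounts (the 'Guest'/'Steve' case from Dean's post plus a never-locked user), a constructed clock and a 30-minute lockoutDuration; the UF_LOCKOUT value 0x10 is the documented ADS_UF_LOCKOUT flag.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_LOCKOUT = 0x0010  # ADS_UF_LOCKOUT bit in msDS-User-Account-Control-Computed

def to_integer8(dt):
    """UTC datetime -> Integer8 (100-ns intervals since 1601-01-01), exact integer math."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def lockout_filter(now, lockout_duration):
    """Richard's single-query filter. lockoutDuration on the domain object is a
    negative Integer8, so adding it to 'now' yields 'now - duration'."""
    threshold = to_integer8(now) + lockout_duration
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lockoutTime>={threshold}))")

def is_locked_by_time(lockout_time, lockout_duration, now):
    """Empty/zero lockoutTime means never locked; otherwise the lock holds until
    lockoutTime + |lockoutDuration| has passed (expired locks are stale)."""
    if not lockout_time:
        return False
    return lockout_time - lockout_duration > to_integer8(now)

def is_locked_by_uac(uac_computed):
    """Joe's check: mask the constructed attribute client-side, not in the filter."""
    return bool(uac_computed & UF_LOCKOUT)

# Constructed sample data: a clock, a 30-minute lockoutDuration, three accounts.
NOW = datetime(2008, 7, 3, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -30 * 60 * 10_000_000
SAMPLE = [
    {"sam": "Guest", "lockoutTime": to_integer8(NOW - timedelta(minutes=5)), "uac": 0x10},
    {"sam": "Steve", "lockoutTime": to_integer8(NOW - timedelta(hours=2)), "uac": 0x00},
    {"sam": "Alice", "lockoutTime": 0, "uac": 0x00},
]

def classify(accounts, now=NOW, duration=LOCKOUT_DURATION):
    """Compare the naive 'non-zero lockoutTime' view with the two corrected views."""
    return {
        "naive": sorted(a["sam"] for a in accounts if a["lockoutTime"]),
        "by_time": sorted(a["sam"] for a in accounts
                          if is_locked_by_time(a["lockoutTime"], duration, now)),
        "by_uac": sorted(a["sam"] for a in accounts if is_locked_by_uac(a["uac"])),
    }

if __name__ == "__main__":
    print(lockout_filter(NOW, LOCKOUT_DURATION))
    print(classify(SAMPLE))
```

Steve's stale lockoutTime shows up in the naive view only; both corrected views agree that just Guest is still locked.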
"Dean Wells (MVP)" <...@TK2MSFTNGP04.phx.gbl...

