Active Directory account lockout
Good article:
http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
Most websites refer to using the LDAP command:
However, this I believe is incorrect… as the lockoutTime value is always greater than one even after the lockout time has expired. Only after a user has attempted to log on after the lockout time will it be reset to zero. Refer to this Microsoft link and the notes: http://msdn.microsoft.com/en-us/library/ms676843(VS.85).aspx
You’ll need to write code that compares the lockoutTime and lockoutDuration values against the current time.
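One way to write that comparison, as an added example that is not code from the original post: the function name Test-LockoutActive and the sample values are constructed for illustration. It assumes a timed lockout whose domain-wide lockoutDuration applies to the user, with lockoutTime read from the user object and lockoutDuration from the domain object.

```powershell
# Added example: decide whether a lockout is still in effect.
# Test-LockoutActive and all sample values are constructed for illustration.
function Test-LockoutActive {
    param(
        [Int64]    $LockoutTime,      # user's lockoutTime: 100-ns intervals since 1601-01-01 UTC
        [Int64]    $LockoutDuration,  # domain's lockoutDuration: NEGATIVE count of 100-ns intervals
        [DateTime] $Now = [DateTime]::UtcNow
    )

    # Zero means the account is not locked (never locked, or already reset).
    if ($LockoutTime -eq 0) { return $false }

    # Only a timed lockout is modelled here (assumption); anything else is rejected.
    if ($LockoutDuration -ge 0 -or $LockoutDuration -eq [Int64]::MinValue) {
        throw "lockoutDuration $LockoutDuration is not a timed (negative) interval"
    }

    $lockedAt = [DateTime]::FromFileTimeUtc($LockoutTime)
    # .NET ticks are also 100-ns units, so the negated value maps straight onto a TimeSpan.
    $duration = [TimeSpan]::FromTicks(-$LockoutDuration)
    $expires  = $lockedAt.Add($duration)

    # A non-zero lockoutTime only counts while the duration has not yet elapsed.
    return ($Now.ToUniversalTime() -lt $expires)
}

# Constructed sample: locked at 10:00 UTC with a 30-minute lockout duration.
$lockedAt    = [DateTime]::SpecifyKind([DateTime]'2024-01-15T10:00:00', [DateTimeKind]::Utc)
$lockoutTime = $lockedAt.ToFileTimeUtc()
$duration    = -18000000000   # 30 min * 60 s * 10,000,000 intervals per second, negated

# 20 minutes after the lockout: still inside the window.
Test-LockoutActive -LockoutTime $lockoutTime -LockoutDuration $duration -Now ($lockedAt.AddMinutes(20))

# 45 minutes after: lockoutTime is still non-zero, but the lockout has expired.
Test-LockoutActive -LockoutTime $lockoutTime -LockoutDuration $duration -Now ($lockedAt.AddMinutes(45))
```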
A super easy way is to use PowerShell and install the free cmdlets from Quest Software called ActiveRoles Management Shell for Active Directory. Then use PowerShell to run the command:
get-qaduser -locked
which lists all users that are currently locked.
Note: PowerShell requires that .NET 2 or above be installed.