With the free Microsoft utilities LockoutStatus and Acctinfo of the Account Lockout and Management Tools, you can quickly access a user account's lockout status, unlock the account, and reset the password.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

One of the most common tasks Windows admins face is to unlock user accounts that have been locked out automatically because the user has exceeded the bad password count. The common way to perform this task is to navigate to the user account in the Active Directory Users and Computers (ADUC) console. If you have to do this once per week or so, then this method is acceptable. But help desk staff in large organizations might prefer the LockoutStatus tool, which belongs to the Microsoft's Account Lockout and Management Tools (included in the Windows Server 2003 Resource Kit Tools).

Unlock account - Lockout Status

The Account Lockout and Management Tools were published in 2003, but they still work with Windows 7 and Windows Server 2008 R2. Aside from the LockoutStatus tool, the acctinfo.dll is the other tool in the collection that is still useful. I won't discuss the other utilities here because I find them less useful. The download page has a short description of each tool.

LockoutStatus ^

LockoutStatus allows you to quickly access lockout-relevant status information of a user account and unlock it if necessary. After you launch LockoutStatus, you have to select the target—that is, the user that you want to unlock—by specifying the Active Directory domain and the user name. The tool will then display the user state (whether the account is locked or not), the bad password count, when the last bad password was entered, when the password was last set, the lockout time, and which domain controller locked the account.

Right-clicking the account enables you to unlock the account and also to reset the password, which makes sense because the user most likely has just forgotten the password.

Acctinfo (32-bit) and Acctinfo2 (64-bit) ^

The Acctinfo.dll adds a new property page to the user account properties in ADUC, which displays further useful account lockout status information. In addition to the information in the LockoutStatus tool, you can view the user's last logon and logoff time and how often the user has successfully logged on. Also useful is that you can check the Domain Password Policy. If the user claims to only have entered the wrong password once, you can quickly view the maximum bad password count setting (among other related settings) of your domain.

Unlock Account - Domain Password Policy

To add the new property page, you have to copy the acctinfo.dll file to %windir%\system32 and then register the DLL at a command prompt: regsvr32 acctinfo.dll. If you also copy lockoutstatus.exe to %windir%\system32, you can access the LockoutStatus tool from the user's property page.

Unlock Account - acctinfo.dll

Unfortunately, the acctinfo.dll only works on 32-bit systems. If you try to register acctinfo.dll on a 64-bit system, you will get the error message: "The module of this "acctinfo.dll" may not be compatible with the version of Windows you are running." There is an acctinfo2.dll floating around the Internet that supports 64-bit. The installation is a bit more cumbersome than on a 32-bit system, but the ZIP file comes with an easy-to-follow, step-by-step guide. I have tried it on a Windows Server 2008 R2 machine and it worked fine.

Unlock account - acctinfo2 64-bit

Please note that this Acctinfo2 is not officially supported by Microsoft. I wasn't able to track down the source of this version of Acctinfo, although many sites link to the download file. VirusTotal didn't find malware code in it, but of course this is no guarantee.

Please also note that Microsoft warns of using Acctinfo on servers that host network applications or services. It is safer to use it on your desktop with RSAT.

Microsoft's Account Lockout and Management Tools (included in the Windows Server 2003 Resource Kit Tools) ^

Win the monthly 4sysops member prize for IT pros

0
Share
8 Comments
  1. Toky 8 years ago

    Hi there,
    did everything on my Win7 Ent SP1 but I cannot see this Additional Account info.

    I have copied acctinfo.dll to windows\system32, register it, restart PC but no additional tab.
    Any suggestions?

    Thank you in advance.
    Peter

    0

  2. Bjørn 8 years ago

    Tool doesn't work on 64bit OS-versions...

    0

  3. Daz 8 years ago

    This is probably a few months too late but anyway.

    In order to view the Additional Info, you have to navigate to the OU that the account resides in Active Directory.
    Simply searching for the account does not show the Additional Info tab.

    0

  4. Paul 7 years ago

    The "download page" link in the article is no longer working.

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

    I've searched the Microsoft site for alternative links and found several articles referencing them, but they all return dead links.

    0

  5. Alejandro 7 years ago

    The "Microsoft’s Account Lockout and Management Tools" are included in the "Windows Server 2003 Resource Kit Tools" download.

    http://www.microsoft.com/en-us/download/details.aspx?id=17657

    0

  6. Michael Pietroforte 7 years ago

    Thank you! I updated the post.

    0

  7. Raymond Lee 5 years ago

    LockOutStatus no longer work in our Server 2008 R2 environment. It was alright after my boss doing some changes in AD that not letting me know. He has been keeping on try and error in the GPO. I was busy in replacing XP with Win7 and upgrade MSO during the time. It is likely that NTLM V2 that vender the LockOutStatus useless. Faulting module path c:\Windows\syswow64\Kernelbase.dll

    0

  8. Michael Pietroforte 5 years ago

    Raymond, thanks for the info.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account