By Michael Pietroforte
One of the most common tasks Windows admins face is to unlock user accounts that have been locked out automatically because the user has exceeded the bad password count. The common way to perform this task is to navigate to the user account in the Active Directory Users and Computers (ADUC) console. If you have to do this once per week or so, then this method is acceptable. But help desk staff in large organizations might prefer the LockoutStatus tool, which belongs to Microsoft's Account Lockout and Management Tools (included in the Windows Server 2003 Resource Kit Tools).
The Account Lockout and Management Tools were published in 2003, but they still work with Windows 7 and Windows Server 2008 R2. Aside from the LockoutStatus tool, the acctinfo.dll is the other tool in the collection that is still useful. I won't discuss the other utilities here because I find them less useful. The download page has a short description of each tool.
LockoutStatus allows you to quickly access lockout-relevant status information of a user account and unlock it if necessary. After you launch LockoutStatus, you have to select the target—that is, the user that you want to unlock—by specifying the Active Directory domain and the user name. The tool will then display the user state (whether the account is locked or not), the bad password count, when the last bad password was entered, when the password was last set, the lockout time, and which domain controller locked the account.
Right-clicking the account enables you to unlock the account and also to reset the password, which makes sense because the user most likely has just forgotten the password.
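The per-account fields listed above can also be read with the ActiveDirectory PowerShell module that ships with RSAT. The following is an added example, not part of the original article or of Microsoft's tools; the function name Get-LockoutStatus and the account name jdoe are assumptions made for illustration.

```powershell
# Added example: requires the ActiveDirectory module (installed with RSAT).
Import-Module ActiveDirectory

function Get-LockoutStatus {   # hypothetical helper name, not a Microsoft cmdlet
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Domain = $env:USERDNSDOMAIN
    )

    $props = 'LockedOut', 'BadLogonCount', 'LastBadPasswordAttempt',
             'PasswordLastSet', 'AccountLockoutTime'

    # badPwdCount and badPasswordTime are not replicated, so ask every DC.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                            -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                LockedOut        = $u.LockedOut
                BadPwdCount      = $u.BadLogonCount
                LastBadPassword  = $u.LastBadPasswordAttempt
                PasswordLastSet  = $u.PasswordLastSet
                LockoutTime      = $u.AccountLockoutTime
            }
        }
        catch {
            # An unreachable DC should not hide the results from the others.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# 'jdoe' is a constructed sample account name.
$status = Get-LockoutStatus -Identity 'jdoe'
$status | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# Unlock only if some DC reports the account as locked; -Confirm prompts first.
if ($status | Where-Object LockedOut) {
    Unlock-ADAccount -Identity 'jdoe' -Confirm
}
```

The domain controller with the most recent LastBadPassword value is the one that processed the latest failed logon, so its Security log is the place to start when a lockout keeps recurring.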
Acctinfo (32-bit) and Acctinfo2 (64-bit)
The Acctinfo.dll adds a new property page to the user account properties in ADUC, which displays further useful account lockout status information. In addition to the information in the LockoutStatus tool, you can view the user's last logon and logoff time and how often the user has successfully logged on. Also useful is that you can check the Domain Password Policy. If the user claims to only have entered the wrong password once, you can quickly view the maximum bad password count setting (among other related settings) of your domain.
To add the new property page, you have to copy the acctinfo.dll file to %windir%\system32 and then register the DLL at a command prompt: regsvr32 acctinfo.dll. If you also copy lockoutstatus.exe to %windir%\system32, you can access the LockoutStatus tool from the user's property page.
Unfortunately, the acctinfo.dll only works on 32-bit systems. If you try to register acctinfo.dll on a 64-bit system, you will get the error message: "The module of this "acctinfo.dll" may not be compatible with the version of Windows you are running." There is an acctinfo2.dll floating around the Internet that supports 64-bit. The installation is a bit more cumbersome than on a 32-bit system, but the ZIP file comes with an easy-to-follow, step-by-step guide. I have tried it on a Windows Server 2008 R2 machine and it worked fine.
Please note that this Acctinfo2 is not officially supported by Microsoft. I wasn't able to track down the source of this version of Acctinfo, although many sites link to the download file. VirusTotal didn't find malware code in it, but of course this is no guarantee.
Please also note that Microsoft warns against using Acctinfo on servers that host network applications or services. It is safer to use it on your desktop with RSAT.