6.9. Finding Locked Out Users
Problem
You want to find users that are locked out.
Solution
Using a command-line interface
The following command finds all locked-out users in the domain of the specified domain controller:
> unlock <DomainControllerName> * -view
Tip
Unlock.exe was written by Joe Richards (http://www.joeware.net/) and can be downloaded from http://www.joeware.net/win32/zips/Unlock.zip.
Discussion
Finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query similar to the one to find disabled users, but unfortunately, it is not that easy.
The lockoutTime attribute is populated with a timestamp when a user is locked. One way to find locked-out users would be to find all users that have something populated in lockoutTime (i.e., lockoutTime=*). That query would definitely find all the currently locked users, but it would also find all the users that were locked, became unlocked, and have yet to log in since being unlocked. This is where the complexity comes into play.
To determine the users that are currently locked out, you have to query the lockoutDuration attribute stored on the domain object (e.g., dc=rallencorp,dc=com). This attribute defines the number of minutes that an account will stay locked before becoming automatically unlocked. We need to take this value and subtract it from the current time to derive a timestamp that would be the outer marker for which users could still be locked. We can then ...