Recipe 6.9 Finding Locked Out Users

6.9.1 Problem

You want to find users that are locked out.

6.9.2 Solution

6.9.2.1 Using a command-line interface

The following command finds all locked-out users in the domain of the specified domain controller:

> unlock <DomainControllerName> * -view

Unlock.exe was written by Joe Richards (http://www.joeware.net/) and can be downloaded from http://www.joeware.net/win32/zips/Unlock.zip.

6.9.3 Discussion

Finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query similar to the one to find disabled users, but unfortunately, it is not that easy.

The lockoutTime attribute is populated with a timestamp when a user is locked out. One way to find locked-out users would be to find all users that have something populated in lockoutTime (i.e., lockoutTime=*). That query would certainly find all the currently locked users, but it would also find every user that was locked out, became unlocked (automatically or by an administrator), and has yet to log in since being unlocked, because the attribute is only reset on the next successful logon. This is where the complexity comes into play.

To determine the users that are currently locked out, you have to query the lockoutDuration attribute stored on the domain object (e.g., dc=rallencorp,dc=com). This attribute defines the number of minutes that an account will stay locked before becoming automatically unlocked. We need to take this value and subtract it from the current time to derive a timestamp that serves as the cutoff: any user whose lockoutTime is at or after it could still be locked. We can then compare this timestamp with the lockoutTime attribute of user objects. The search filter to find all locked users once you've determined the cutoff timestamp would look something like this (LDAP filters only support >= and <=, not a bare > comparison):

(&(objectcategory=Person)(objectclass=user)(lockoutTime>=DerivedTimestamp))

Any user whose lockoutTime is less than the derived timestamp has already been automatically unlocked per the lockoutDuration setting, even though lockoutTime is still populated.
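The derivation above, worked through as an added example (this is not code from the book or from unlock.exe). It assumes the raw attribute formats, which are facts about Active Directory rather than anything the recipe states: lockoutTime is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and lockoutDuration is stored on the domain object as a negative tick count (the GUI shows it as minutes), with the 64-bit minimum value meaning "locked until an administrator unlocks". The user entries are constructed sample data standing in for an LDAP result set.

```python
from datetime import datetime, timezone

# FILETIME epoch and resolution used by lockoutTime and lockoutDuration.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# 0x8000000000000000: lockout never expires on its own.
LOCKOUT_NEVER_EXPIRES = -(2 ** 63)
THIRTY_MINUTES = -30 * 60 * TICKS_PER_SECOND  # -18000000000, as stored in AD


def datetime_to_filetime(dt):
    """Convert an aware datetime to a FILETIME tick count using integer math
    (float seconds would lose precision at 1e17 ticks)."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def derived_lockout_timestamp(lockout_duration, now):
    """Return the cutoff FILETIME: a user with lockoutTime >= cutoff is still locked.
    lockout_duration is the raw (negative) domain attribute value."""
    if lockout_duration in (0, LOCKOUT_NEVER_EXPIRES):
        # Lockouts never expire, so every populated (non-zero) lockoutTime counts.
        return 1
    # Adding a negative duration subtracts it from the current time.
    return datetime_to_filetime(now) + lockout_duration


def locked_users_filter(cutoff):
    """Build the LDAP filter from the recipe with the derived timestamp filled in."""
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=%d))" % cutoff


def currently_locked(users, lockout_duration, now):
    """Apply the same comparison client-side to already-fetched user entries."""
    cutoff = derived_lockout_timestamp(lockout_duration, now)
    return sorted(u["sAMAccountName"] for u in users
                  if u.get("lockoutTime", 0) >= cutoff)


# Constructed sample data: "now" and three users from an imaginary domain.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    # locked 10 minutes ago: still locked under a 30-minute lockoutDuration
    {"sAMAccountName": "alice",
     "lockoutTime": datetime_to_filetime(datetime(2024, 5, 1, 11, 50, tzinfo=timezone.utc))},
    # locked 60 minutes ago: auto-unlocked, but lockoutTime is still populated
    {"sAMAccountName": "bob",
     "lockoutTime": datetime_to_filetime(datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc))},
    # never locked out
    {"sAMAccountName": "carol", "lockoutTime": 0},
]
```

Pass the output of locked_users_filter to whatever LDAP client you use; currently_locked shows the same rule applied to a result set, including the "never expires" case.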

None of the current standard GUI or CLI tools incorporate this kind of logic, but fortunately, Joe Richards wrote the unlock.exe utility, which does. As its name implies, you can also use it to unlock locked accounts. Thanks, Joe!

6.9.4 See Also

MS KB 813500 (Support WebCast: Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features)
