Config Helper

Technology Configuration and Support Site



Active Directory Account Lockout Troubleshooting

Written by admin on June 17, 2010 – 2:24 pm -

If you are troubleshooting why an Active Directory account is being locked out randomly, or if you need additional password information for a specific account, there is a great free utility that will help you. The tool is part of the Windows 2003 Resource Kit and can be downloaded from the Microsoft site. Once you download the Resource Kit, the specific utility you want is called acctinfo.dll. Copy acctinfo.dll from the location of the Resource Kit install (by default: C:\Program Files\Windows Resource Kits\Tools) to the system32 folder (C:\WINDOWS\system32). After you copy the file, run this command to register the DLL:

regsvr32 c:\windows\system32\acctinfo.dll

The tool is now installed and can be accessed from the Active Directory Users and Computers snap-in. When you view the properties of a user, there will now be a new tab called Additional Account Info.


When you click on the tab, you will see a ton of information that was not previously available, at least not easily available. The fields you will see are Password Last Set, Password Expires, whether the account is currently locked out, Last-Logon-Timestamp, SID, and GUID. You will also see the Last Logon and Last Logoff times, the Last Bad Logon time, the number of times that user has logged on to the domain under Logon Count, and the current Bad Password Count. Keep in mind that the Bad Password Count will reset according to the password policy in effect on the domain. Also, if you click the Domain PW Info… button, you will see the Domain Password Policy.

[Screenshot: domain password policy]

There is a great deal of information available with this utility, and it is great for tracking down annoying lockout issues. Using the Last Bad Logon information, you can think about what scheduled tasks might be running at that time and using a certain account with an old, expired password, possibly a service account running a scheduled job. Hopefully you found this information useful, and please take time to review our other articles. Additionally, if this article has helped you, please feel free to link back to it or to the ConfigHelper site.
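The same fields can also be read from every domain controller at once, which matters because the bad password count and last bad logon time are tracked per DC and are not replicated. The following is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module is installed, and the function names and the account name jdoe are placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and read access to each DC.
Import-Module ActiveDirectory

function Convert-AdFileTime {
    # AD stores these values as 100-ns intervals since 1601-01-01 UTC; 0 or empty means "never".
    param($Value)
    if ($null -eq $Value -or [long]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([long]$Value)
}

function Get-LockoutInfoPerDC {
    # Hypothetical helper name. Asks every DC, because badPwdCount and
    # badPasswordTime are kept per DC and are not replicated.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $props = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'pwdLastSet', 'lastLogonTimestamp'
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DC              = $dc.HostName
                PdcEmulator     = $dc.OperationMasterRoles -contains 'PDCEmulator'
                BadPwdCount     = $u.badPwdCount
                LastBadLogonUtc = Convert-AdFileTime $u.badPasswordTime
                LockedOutUtc    = Convert-AdFileTime $u.lockoutTime
                PwdLastSetUtc   = Convert-AdFileTime $u.pwdLastSet
                LastLogonTsUtc  = Convert-AdFileTime $u.lastLogonTimestamp
                Error           = $null
            }
        }
        catch {
            # An unreachable DC is reported rather than silently skipped.
            [pscustomobject]@{ DC = $dc.HostName; Error = $_.Exception.Message }
        }
    }
}

# 'jdoe' is a placeholder account name.
Get-LockoutInfoPerDC -SamAccountName 'jdoe' |
    Sort-Object LastBadLogonUtc -Descending |
    Format-Table DC, PdcEmulator, BadPwdCount, LastBadLogonUtc, LockedOutUtc, Error -AutoSize
```

The DC at the top of the output recorded the most recent bad password, so its security log is the place to look for the matching logon failure and the source machine.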




4 Responses to “Active Directory Account Lockout Troubleshooting”

  1. By MarcJ on Jun 28, 2010

    Hi,

    Thanks for your helpful post – do you happen to know whether the Last-Logon-Timestamp displayed by the AcctInfo tool takes into account the value on all domain controllers, or just one DC? I’ve been looking for a free True-Last-Logon tool for a long time, so if you know the answer to this question, would really appreciate you letting me know.

    I run a blog on Free Active Directory Reporting Tools (http://free-activedir-tools.blogspot.com) and I would be happy to share your answer on my blog so it could help the entire community.

    Thanks, and look forward to hearing from you soon.

    Ciao,
    Marc

  2. By admin on Jun 28, 2010

    The Last-Logon-Timestamp is replicated across all domain controllers on Windows 2003 and newer domain controllers. On Windows 2000 the Last-Logon-Timestamp was local to each domain controller and was not replicated. Hope this clears it up for you. Thanks for stopping by.

  3. By Shanmugam on Jun 29, 2010

    It is helpful to be able to check the last bad password and instantly query the audit failure log that occurred at the bad password time…

    Here is a free tool you could use for that:
    http://lockoutfixer.cz.cc
