Technical Q: Is there a CMD for DSQuery user -lockedout?

 
 
djpimpdaddy
 
      07-26-2007
I've been studying for my MCSE now and I am trying to mess around with
some of the command line features more to learn them. I know that you
can quickly get a list of accounts that are disabled via the dsquery
command, but is there any switch or parameter to determine a list of
domain users that have tripped their "retard checkbox", I mean locked
themselves out of the network?

We have a ton of users that seem to think that 6 character passwords
are just too much to remember. I actually suggested to a few of them
to write them down on post it notes. Yes, I know, that was a last
ditch effort for some of these bright bulbs. Company of 80 and about
10+ password resets a day.....help...

I was hoping it would be as simple as:

DSQUERY users -whoops > c:\tards.txt

Joking aside, is there a way to do this? I cannot locate any method in
the book or on Microsoft.

 
John R
 
      07-26-2007

"djpimpdaddy" wrote in message:
> I've been studying for my MCSE now and I am trying to mess around with
> some of the command line features more to learn them. I know that you
> can quickly get a list of accounts that are disabled via the dsquery
> command, but is there any switch or parameter to determine a list of
> domain users that have tripped their "retard checkbox", I mean locked
> themselves out of the network?
>
> We have a ton of users that seem to think that 6 character passwords
> are just too much to remember. I actually suggested to a few of them
> to write them down on post it notes. Yes, I know, that was a last
> ditch effort for some of these bright bulbs. Company of 80 and about
> 10+ password resets a day.....help...
>
> I was hoping it would be as simple as:
>
> DSQUERY users -whoops > c:\tards.txt
>
> Joking aside, is there a way to do this? I cannot locate any method in
> the book or on Microsoft.
>


There is no dsquery user switch for what you want. You can find those by
going to help and support, and typing in ...
"directory service" "command-line" dsquery
and then clicking on the link on the left about dsquery : command-line
reference

I've been playing with an LDAP query
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
However, that seems to bring up other stuff that isn't actually locked out.

If I can get it to work, I'll post back, or maybe someone else here has done
this before.

John R
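
Why the (lockoutTime>=1) filter above over-matches, as an added example that is not part of the original post: lockoutTime keeps its timestamp after the lockout duration has expired and is only reset to 0 by a later successful logon or an unlock, so each result has to be checked against the domain's lockout duration. The 30-minute duration, account names and timestamps are constructed, and the helper names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# lockoutTime is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> FILETIME ticks (used here to build the sample)."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ticks):
    """FILETIME ticks -> aware UTC datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)


def is_locked_out(lockout_time, now, duration_minutes):
    """True only while the lockout is still in force at `now`.

    duration_minutes is the "Account lockout duration" policy setting;
    0 means locked until an administrator unlocks the account.
    """
    ticks = int(lockout_time or 0)   # the value may arrive as a string
    if ticks == 0:                   # never locked, or reset since
        return False
    if duration_minutes == 0:        # no automatic expiry
        return True
    return now < from_filetime(ticks) + timedelta(minutes=duration_minutes)


def currently_locked(entries, now, duration_minutes):
    """Names from an LDAP result set whose lockout has not yet expired."""
    return [e["sAMAccountName"] for e in entries
            if is_locked_out(e.get("lockoutTime"), now, duration_minutes)]


# Constructed sample: two entries the filter would return, plus one reset account.
NOW = datetime(2007, 7, 27, 13, 0, tzinfo=timezone.utc)
ENTRIES = [
    {"sAMAccountName": "alice", "lockoutTime": str(to_filetime(NOW - timedelta(minutes=10)))},
    {"sAMAccountName": "bob", "lockoutTime": str(to_filetime(NOW - timedelta(days=7)))},
    {"sAMAccountName": "carol", "lockoutTime": "0"},
]

if __name__ == "__main__":
    print(currently_locked(ENTRIES, NOW, duration_minutes=30))
```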


 
djpimpdaddy
 
      07-26-2007
On Jul 26, 9:45 am, "John R" <jsr^^^813@zoom^^^internet.net> wrote:
> There is no dsquery user switch for what you want. You can find those by
> going to help and support, and typing in ...
> "directory service" "command-line" dsquery
> and then clicking on the link on the left about dsquery : command-line
> reference
>
> I've been playing with an LDAP query
> (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
> However, that seems to bring up other stuff that isn't actually locked out.
>
> If I can get it to work, I'll post back, or maybe someone else here has done
> this before.
>
> John R


I thought that I was on to something by enabling Account Auditing and
searching the security log on the DC for event 644 and "failure" or
something like that, but you have to do it on all of your DC event
logs. I even made a mmc with all the dc event logs on it but it still
seems like there should be an easy or automatic way to do this.

 
catwalker63
 
      07-26-2007
djpimpdaddy prattled ceaselessly:

> I thought that I was on to something by enabling Account Auditing and
> searching the security log on the DC for event 644 and "failure" or
> something like that, but you have to do it on all of your DC event
> logs. I even made a mmc with all the dc event logs on it but it still
> seems like there should be an easy or automatic way to do this.
>
>


Have you tried LockoutStatus.exe?

http://www.microsoft.com/downloads/d...7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

More information about managing account lockouts:

http://www.microsoft.com/technet/pro...003/technologies/security/bpactlck.mspx

--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."
 
 
      07-26-2007
you could try something like... dsquery user -name <user's name, samid,
etc>|dsget user -disabled

for example, c:\>dsquery user -name smichaels|dsget user -disabled

or even.. c:\>dsquery user -name smich*|dsget user -disabled
notice the use of a wildcard for the name. Or, if you know the dn of the
user, you could do it the long way...

c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled

but essentially the top two examples do that for you with much less typing.
don't forget the pipe ( | ) character.

Doug

"djpimpdaddy" wrote in message:
> I've been studying for my MCSE now and I am trying to mess around with
> some of the command line features more to learn them. I know that you
> can quickly get a list of accounts that are disabled via the dsquery
> command, but is there any switch or parameter to determine a list of
> domain users that have tripped their "retard checkbox", I mean locked
> themselves out of the network?
>
> We have a ton of users that seem to think that 6 character passwords
> are just too much to remember. I actually suggested to a few of them
> to write them down on post it notes. Yes, I know, that was a last
> ditch effort for some of these bright bulbs. Company of 80 and about
> 10+ password resets a day.....help...
>
> I was hoping it would be as simple as:
>
> DSQUERY users -whoops > c:\tards.txt
>
> Joking aside, is there a way to do this? I cannot locate any method in
> the book or on Microsoft.
>



 
catwalker63
 
      07-26-2007
<D> prattled ceaselessly:

> you could try something like... dsquery user -name <user's name,
> samid, etc>|dsget user -disabled
>
> for example, c:\>dsquery user -name smichaels|dsget user -disabled
>
> or even.. c:\>dsquery user -name smich*|dsget user -disabled
> notice the use of a wildcard for the name. Or, if you know the dn of
> the user, you could do it the long way...
>
> c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled
>
> but essentially the top two examples do that for you with much less
> typing. don't forget the pipe ( | ) character.
>
> Doug
>


Couldn't you do:

dsquery user dc=<yourdomain>|dsget user -disabled > c:\tards.txt

--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."
 
catwalker63
 
      07-26-2007
catwalker63 prattled ceaselessly:

>
> Couldn't you do:
>
> dsquery user dc=<yourdomain>|dsget user -upn -disabled > c:\tards.txt
>


IFMPFM

--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."
 
John R
 
      07-27-2007
Guys

Although he originally said "disabled", he then clarified that what he is
looking for is "locked out" due to invalid password attempts. Yes, there is
a disabled flag for "dsquery user", but that is not going to show him
lockouts.

John R


 
catwalker63
 
      07-27-2007
John R piffled away vaguely:
>
> Although he originally said "disabled", he then clarified that what he is
> looking for is "locked out" due to invalid password attempts. Yes, there is
> a disabled flag for "dsquery user", but that is not going to show him
> lockouts.
>
>

Sorry. Wasn't paying enough attention. I got all into makin' the
query work, I forgot the question. :O
--

Catwalker
MCNGP #43
www.mcngp.com
"I have a gun. It's loaded. Shut up."

 
djpimpdaddy
 
      07-27-2007
My bad. I did mean to say locked out and not disabled. We use the two
interchangeably here because on our AS400 you do get "*DISABLED". It
seems the few times our problem users actually make it on the network,
they disable their AS400 logon. ::puts head in hands and weeps for
their souls::

I have been monitoring the security event log on both the domain
controllers and the only thing I can see is event id 644:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 7/27/2007
Time: 8:01:49 AM
User: NT AUTHORITY\SYSTEM
Computer: EMAIL
Description:
User Account Locked Out:
Target Account Name: vsmith
Target Account ID: INTERSTARNA\vsmith
Caller Machine Name: A1217714
Caller User Name: EMAIL$
Caller Domain: INTERSTARNA
Caller Logon ID: (0x0,0x3E7)


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
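
Tallying event 644 across several domain controllers, as an added example that is not part of the original thread: it parses security-log text in the layout of the event above and counts lockouts per account and Caller Machine Name, the field that shows which machine the lockout was reported from. It assumes each DC's log has been exported to text in that layout; the sample records, DC names and machine names are constructed.

```python
import re
from collections import Counter

# Constructed sample: exports from two DCs, concatenated.
SAMPLE = r"""
Event Type: Success Audit
Event ID: 644
Time: 8:01:49 AM
Computer: DC1
User Account Locked Out:
Target Account Name: alice
Caller Machine Name: WS-0101

Event Type: Success Audit
Event ID: 642
Target Account Name: carol

Event Type: Success Audit
Event ID: 644
Computer: DC2
Target Account Name: ALICE
Caller Machine Name: WS-0101

Event Type: Success Audit
Event ID: 644
Computer: DC2
Target Account Name: bob
Caller Machine Name: WS-0202
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Return one dict of fields per record; 'Event Type:' starts a record."""
    records = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def lockout_sources(records):
    """Count event 644 lockouts per (account, caller machine) across all DCs."""
    return Counter((r.get("Target Account Name", "?").lower(),
                    r.get("Caller Machine Name", "?"))
                   for r in records if r.get("Event ID") == "644")
```

Account names are lower-cased before counting so that the same account reported with different casing by two DCs is tallied once.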



 