Technical Q: Is there a CMD for DSQuery user -lockedout?

I've been studying for my MCSE now and I am trying to mess around with
some of the command line features more to learn them. I know that you
can quickly get a list of accounts that are disabled via the dsquery
command, but is there any switch or parameter to determine a list of
domain users that have tripped their "retard checkbox", I mean locked
themselves out of the network?

We have a ton of users that seem to think that 6 character passwords
are just too much to remember. I actually suggested to a few of them
to write them down on post it notes. Yes, I know, that was a last
ditch effort for some of these bright bulbs. Company of 80 and about
10+ password resets a day.....help...

I was hoping it would be as simple as:

DSQUERY users -whoops > c:\tards.txt

Joking aside, is there a way to do this? I cannot locate any method in
the book or on Microsoft.

djpimpdaddy

"djpimpdaddy" <> wrote in message
news: oups.com...
> I've been studying for my MCSE now and I am trying to mess around with
> some of the command line features more to learn them. I know that you
> can quickly get a list of accounts that are disabled via the dsquery
> command, but is there any switch or parameter to determine a list of
> domain users that have tripped their "retard checkbox", I mean locked
> themselves out of the network?
>
> We have a ton of users that seem to think that 6 character passwords
> are just too much to remember. I actually suggested to a few of them
> to write them down on post it notes. Yes, I know, that was a last
> ditch effort for some of these bright bulbs. Company of 80 and about
> 10+ password resets a day.....help...
>
> I was hoping it would be as simple as:
>
> DSQUERY users -whoops > c:\tards.txt
>
> Joking aside, is there a way to do this? I cannot locate any method in
> the book or on Microsoft.
>

There is no dsquery user switch for what you want. You can find those by
going to help and support, and typing in ...
"directory service" "command-line" dsquery
and then clicking on the link on the left about dsquery : command-line
reference

I've been playing with an LDAP query
(&(objectCategory=Person)(objectClass=User)(lockou tTime>=1))
However, that seems to bring up other stuff that isn't actually locked out.

If I can get it to work, I'll post back, or maybe someone else here has done
this before.

John R

John R

On Jul 26, 9:45 am, "John R" <jsr^^^813@zoom^^^internet.net> wrote:
> "djpimpdaddy" <djpimpda...@gmail.com> wrote in message
>
> news: oups.com...
>
>
>
>
>
> > I've been studying for my MCSE now and I am trying to mess around with
> > some of the command line features more to learn them. I know that you
> > can quickly get a list of accounts that are disabled via the dsquery
> > command, but is there any switch or parameter to determine a list of
> > domain users that have tripped their "retard checkbox", I mean locked
> > themselves out of the network?
>
> > We have a ton of users that seem to think that 6 character passwords
> > are just too much to remember. I actually suggested to a few of them
> > to write them down on post it notes. Yes, I know, that was a last
> > ditch effort for some of these bright bulbs. Company of 80 and about
> > 10+ password resets a day.....help...
>
> > I was hoping it would be as simple as:
>
> > DSQUERY users -whoops > c:\tards.txt
>
> > Joking aside, is there a way to do this? I cannot locate any method in
> > the book or on Microsoft.
>
> There is no dsquery user switch for what you want. You can find those by
> going to help and support, and typing in ...
> "directory service" "command-line" dsquery
> and then clicking on the link on the left about dsquery : command-line
> reference
>
> I've been playing with an LDAP query
> (&(objectCategory=Person)(objectClass=User)(lockou tTime>=1))
> However, that seems to bring up other stuff that isn't actually locked out.
>
> If I can get it to work, I'll post back, or maybe someone else here has done
> this before.
>
> John R- Hide quoted text -
>
> - Show quoted text -

I thought that I was on to something by enabling Account Auditing and
searching the security log on the DC for event 644 and "failure" or
something like that, but you have to do it on all of your DC event
logs. I even made a mmc with all the dc event logs on it but it still
seems like there should be an easy or automatic way to do this.

djpimpdaddy

djpimpdaddy <> prattled ceaselessly in
news: oups.com:

> On Jul 26, 9:45 am, "John R" <jsr^^^813@zoom^^^internet.net> wrote:
>> "djpimpdaddy" <djpimpda...@gmail.com> wrote in message
>>
>> news: oups.com...
>>
>>
>>
>>
>>
>> > I've been studying for my MCSE now and I am trying to mess around
>> > with some of the command line features more to learn them. I know
>> > that you can quickly get a list of accounts that are disabled via
>> > the dsquery command, but is there any switch or parameter to
>> > determine a list of domain users that have tripped their "retard
>> > checkbox", I mean locked themselves out of the network?
>>
>> > We have a ton of users that seem to think that 6 character
>> > passwords are just too much to remember. I actually suggested to a
>> > few of them to write them down on post it notes. Yes, I know, that
>> > was a last ditch effort for some of these bright bulbs. Company of
>> > 80 and about 10+ password resets a day.....help...
>>
>> > I was hoping it would be as simple as:
>>
>> > DSQUERY users -whoops > c:\tards.txt
>>
>> > Joking aside, is there a way to do this? I cannot locate any method
>> > in the book or on Microsoft.
>>
>> There is no dsquery user switch for what you want. You can find
>> those by going to help and support, and typing in ...
>> "directory service" "command-line" dsquery
>> and then clicking on the link on the left about dsquery :
>> command-line reference
>>
>> I've been playing with an LDAP query
>> (&(objectCategory=Person)(objectClass=User)(lockou tTime>=1))
>> However, that seems to bring up other stuff that isn't actually
>> locked out.
>>
>> If I can get it to work, I'll post back, or maybe someone else here
>> has done this before.
>>
>> John R- Hide quoted text -
>>
>> - Show quoted text -
>
> I thought that I was on to something by enabling Account Auditing and
> searching the security log on the DC for event 644 and "failure" or
> something like that, but you have to do it on all of your DC event
> logs. I even made a mmc with all the dc event logs on it but it still
> seems like there should be an easy or automatic way to do this.
>
>

Have you tried LockoutStatus.exe?

http://www.microsoft.com/downloads/d...7af2e69c-91f3-
4e63-8629-b999adde0b9e&DisplayLang=en

More information about managing account lockouts:

http://www.microsoft.com/technet/pro...003/technologi
es/security/bpactlck.mspx

--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."

catwalker63

you could try something like... dsquery user -name <user's name, samid,
etc>|dsget user -disabled

for example, c:\>dsquery user -name smichaels|dsget user -disabled

or even.. c:\>dsquery user -name smich*|dsget user -disabled
notice the use of a wildcard for the name. Or, if you know the dn of the
user, you could do it the long way...

c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled

but essentially the top two examples do that for you with much less typing.
don't forget the pipe ( | ) character.

Doug

"djpimpdaddy" <> wrote in message
news: oups.com...
> I've been studying for my MCSE now and I am trying to mess around with
> some of the command line features more to learn them. I know that you
> can quickly get a list of accounts that are disabled via the dsquery
> command, but is there any switch or parameter to determine a list of
> domain users that have tripped their "retard checkbox", I mean locked
> themselves out of the network?
>
> We have a ton of users that seem to think that 6 character passwords
> are just too much to remember. I actually suggested to a few of them
> to write them down on post it notes. Yes, I know, that was a last
> ditch effort for some of these bright bulbs. Company of 80 and about
> 10+ password resets a day.....help...
>
> I was hoping it would be as simple as:
>
> DSQUERY users -whoops > c:\tards.txt
>
> Joking aside, is there a way to do this? I cannot locate any method in
> the book or on Microsoft.
>

<D> prattled ceaselessly in news:#:

> you could try something like... dsquery user -name <user's name,
> samid, etc>|dsget user -disabled
>
> for example, c:\>dsquery user -name smichaels|dsget user -disabled
>
> or even.. c:\>dsquery user -name smich*|dsget user -disabled
> notice the use of a wildcard for the name. Or, if you know the dn of
> the user, you could do it the long way...
>
> c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled
>
> but essentially the top two examples do that for you with much less
> typing. don't forget the pipe ( | ) character.
>
> Doug
>
> "djpimpdaddy" <> wrote in message
> news: oups.com...
>> I've been studying for my MCSE now and I am trying to mess around
>> with some of the command line features more to learn them. I know
>> that you can quickly get a list of accounts that are disabled via the
>> dsquery command, but is there any switch or parameter to determine a
>> list of domain users that have tripped their "retard checkbox", I
>> mean locked themselves out of the network?
>>
>> We have a ton of users that seem to think that 6 character passwords
>> are just too much to remember. I actually suggested to a few of them
>> to write them down on post it notes. Yes, I know, that was a last
>> ditch effort for some of these bright bulbs. Company of 80 and about
>> 10+ password resets a day.....help...
>>
>> I was hoping it would be as simple as:
>>
>> DSQUERY users -whoops > c:\tards.txt
>>
>> Joking aside, is there a way to do this? I cannot locate any method
>> in the book or on Microsoft.
>>
>
>
>

Couldn't you do:

dsquery user dc=<yourdomain>|dsget user -disabled > c:\tards.txt

--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."

catwalker63

catwalker63 <_catwalker63_@hotmamamail.com> prattled ceaselessly in
news:Xns9979A4F0F49C2catwalker63athotmail@216.196. 97.136:

> <D> prattled ceaselessly in news:#:
>
>> you could try something like... dsquery user -name <user's name,
>> samid, etc>|dsget user -disabled
>>
>> for example, c:\>dsquery user -name smichaels|dsget user -disabled
>>
>> or even.. c:\>dsquery user -name smich*|dsget user -disabled
>> notice the use of a wildcard for the name. Or, if you know the dn of
>> the user, you could do it the long way...
>>
>> c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled
>>
>> but essentially the top two examples do that for you with much less
>> typing. don't forget the pipe ( | ) character.
>>
>> Doug
>>
>> "djpimpdaddy" <> wrote in message
>> news: oups.com...
>>> I've been studying for my MCSE now and I am trying to mess around
>>> with some of the command line features more to learn them. I know
>>> that you can quickly get a list of accounts that are disabled via the
>>> dsquery command, but is there any switch or parameter to determine a
>>> list of domain users that have tripped their "retard checkbox", I
>>> mean locked themselves out of the network?
>>>
>>> We have a ton of users that seem to think that 6 character passwords
>>> are just too much to remember. I actually suggested to a few of them
>>> to write them down on post it notes. Yes, I know, that was a last
>>> ditch effort for some of these bright bulbs. Company of 80 and about
>>> 10+ password resets a day.....help...
>>>
>>> I was hoping it would be as simple as:
>>>
>>> DSQUERY users -whoops > c:\tards.txt
>>>
>>> Joking aside, is there a way to do this? I cannot locate any method
>>> in the book or on Microsoft.
>>>
>>
>>
>>
>
> Couldn't you do:
>
> dsquery user dc=<yourdomain>|dsget user -upn -disabled > c:\tards.txt
>

IFMPFM

--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."

catwalker63

Guys

Although he originally said "disabled", he then clarified that what he is
looking for is "locked out" due to invalid password attempts. Yes, there is
a disabled flag for "dsquery user", but that is not going to show him
lockouts.

John R

John R

John R piffled away vaguely:
>
> Although he originally said "disabled", he then clarified that what he is
> looking for is "locked out" due to invalid password attempts. Yes, there is
> a disabled flag for "dsquery user", but that is not going to show him
> lockouts.
>
>
Sorry. Wasn't paying enough attention. I got all into makin' the
query work, I forgot the question. :O
--

Catwalker
MCNGP #43
www.mcngp.com
"I have a gun. It's loaded. Shut up."

catwalker63

My bad. I did mean to say locked out and not disabled. We use the two
interchangably here becuase on our AS400 you do get "*DISABLED". It
seems the few times our problem users actually make it on the network,
they disable their AS400 logon. :uts head in hands and weeps for
their souls::

I have been monitoring the security event log on both the domain
controllers and the only thing I can see is event id 644:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 7/27/2007
Time: 8:01:49 AM
User: NT AUTHORITY\SYSTEM
Computer: EMAIL
Description:
User Account Locked Out:
Target Account Name: vsmith
Target Account ID: INTERSTARNA\vsmith
Caller Machine Name: A1217714
Caller User Name: EMAIL$
Caller Domain: INTERSTARNA
Caller Logon ID: (0x0,0x3E7)


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

djpimpdaddy