Technical Q: Is there a CMD for DSQuery user -lockedout?

Discussion in 'MCSE' started by djpimpdaddy, Jul 26, 2007.

  1. djpimpdaddy

    djpimpdaddy Guest

    I've been studying for my MCSE now and I am trying to mess around with
    some of the command line features more to learn them. I know that you
    can quickly get a list of accounts that are disabled via the dsquery
    command, but is there any switch or parameter to determine a list of
    domain users that have tripped their "retard checkbox", I mean locked
    themselves out of the network?

    We have a ton of users that seem to think that 6 character passwords
    are just too much to remember. I actually suggested to a few of them
    to write them down on post it notes. Yes, I know, that was a last
    ditch effort for some of these bright bulbs. Company of 80 and about
    10+ password resets a day.....help...

    I was hoping it would be as simple as:

    DSQUERY users -whoops > c:\tards.txt

    Joking aside, is there a way to do this? I cannot locate any method in
    the book or on Microsoft.
    djpimpdaddy, Jul 26, 2007
    #1

  2. djpimpdaddy

    John R Guest

    "djpimpdaddy" <> wrote in message
    news:...
    > I've been studying for my MCSE now and I am trying to mess around with
    > some of the command line features more to learn them. I know that you
    > can quickly get a list of accounts that are disabled via the dsquery
    > command, but is there any switch or parameter to determine a list of
    > domain users that have tripped their "retard checkbox", I mean locked
    > themselves out of the network?
    >
    > We have a ton of users that seem to think that 6 character passwords
    > are just too much to remember. I actually suggested to a few of them
    > to write them down on post it notes. Yes, I know, that was a last
    > ditch effort for some of these bright bulbs. Company of 80 and about
    > 10+ password resets a day.....help...
    >
    > I was hoping it would be as simple as:
    >
    > DSQUERY users -whoops > c:\tards.txt
    >
    > Joking aside, is there a way to do this? I cannot locate any method in
    > the book or on Microsoft.
    >


    There is no dsquery user switch for what you want. You can find those by
    going to help and support, and typing in ...
    "directory service" "command-line" dsquery
    and then clicking on the link on the left about dsquery : command-line
    reference

    I've been playing with an LDAP query
    (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
    However, that seems to bring up other stuff that isn't actually locked out.

    If I can get it to work, I'll post back, or maybe someone else here has done
    this before.

    John R
    John R, Jul 26, 2007
    #2

  3. djpimpdaddy

    djpimpdaddy Guest

    On Jul 26, 9:45 am, "John R" <jsr^^^813@zoom^^^internet.net> wrote:
    > "djpimpdaddy" <> wrote in message
    >
    > news:...
    >
    >
    >
    >
    >
    > > I've been studying for my MCSE now and I am trying to mess around with
    > > some of the command line features more to learn them. I know that you
    > > can quickly get a list of accounts that are disabled via the dsquery
    > > command, but is there any switch or parameter to determine a list of
    > > domain users that have tripped their "retard checkbox", I mean locked
    > > themselves out of the network?

    >
    > > We have a ton of users that seem to think that 6 character passwords
    > > are just too much to remember. I actually suggested to a few of them
    > > to write them down on post it notes. Yes, I know, that was a last
    > > ditch effort for some of these bright bulbs. Company of 80 and about
    > > 10+ password resets a day.....help...

    >
    > > I was hoping it would be as simple as:

    >
    > > DSQUERY users -whoops > c:\tards.txt

    >
    > > Joking aside, is there a way to do this? I cannot locate any method in
    > > the book or on Microsoft.

    >
    > There is no dsquery user switch for what you want. You can find those by
    > going to help and support, and typing in ...
    > "directory service" "command-line" dsquery
    > and then clicking on the link on the left about dsquery : command-line
    > reference
    >
    > I've been playing with an LDAP query
    > (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
    > However, that seems to bring up other stuff that isn't actually locked out.
    >
    > If I can get it to work, I'll post back, or maybe someone else here has done
    > this before.
    >
    > John R


    I thought that I was on to something by enabling Account Auditing and
    searching the security log on the DC for event 644 and "failure" or
    something like that, but you have to do it on all of your DC event
    logs. I even made a mmc with all the dc event logs on it but it still
    seems like there should be an easy or automatic way to do this.
    djpimpdaddy, Jul 26, 2007
    #3
  4. djpimpdaddy

    catwalker63 Guest

    djpimpdaddy <> prattled ceaselessly in
    news::

    > On Jul 26, 9:45 am, "John R" <jsr^^^813@zoom^^^internet.net> wrote:
    >> "djpimpdaddy" <> wrote in message
    >>
    >> news:...
    >>
    >>
    >>
    >>
    >>
    >> > I've been studying for my MCSE now and I am trying to mess around
    >> > with some of the command line features more to learn them. I know
    >> > that you can quickly get a list of accounts that are disabled via
    >> > the dsquery command, but is there any switch or parameter to
    >> > determine a list of domain users that have tripped their "retard
    >> > checkbox", I mean locked themselves out of the network?

    >>
    >> > We have a ton of users that seem to think that 6 character
    >> > passwords are just too much to remember. I actually suggested to a
    >> > few of them to write them down on post it notes. Yes, I know, that
    >> > was a last ditch effort for some of these bright bulbs. Company of
    >> > 80 and about 10+ password resets a day.....help...

    >>
    >> > I was hoping it would be as simple as:

    >>
    >> > DSQUERY users -whoops > c:\tards.txt

    >>
    >> > Joking aside, is there a way to do this? I cannot locate any method
    >> > in the book or on Microsoft.

    >>
    >> There is no dsquery user switch for what you want. You can find
    >> those by going to help and support, and typing in ...
    >> "directory service" "command-line" dsquery
    >> and then clicking on the link on the left about dsquery :
    >> command-line reference
    >>
    >> I've been playing with an LDAP query
    >> (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
    >> However, that seems to bring up other stuff that isn't actually
    >> locked out.
    >>
    >> If I can get it to work, I'll post back, or maybe someone else here
    >> has done this before.
    >>
    >> John R

    >
    > I thought that I was on to something by enabling Account Auditing and
    > searching the security log on the DC for event 644 and "failure" or
    > something like that, but you have to do it on all of your DC event
    > logs. I even made a mmc with all the dc event logs on it but it still
    > seems like there should be an easy or automatic way to do this.
    >
    >


    Have you tried LockoutStatus.exe?

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

    More information about managing account lockouts:

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
    catwalker63, Jul 26, 2007
    #4
  5. djpimpdaddy

    Guest Guest

    you could try something like... dsquery user -name <user's name, samid,
    etc>|dsget user -disabled

    for example, c:\>dsquery user -name smichaels|dsget user -disabled

    or even.. c:\>dsquery user -name smich*|dsget user -disabled
    notice the use of a wildcard for the name. Or, if you know the dn of the
    user, you could do it the long way...

    c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled

    but essentially the top two examples do that for you with much less typing.
    don't forget the pipe ( | ) character.

    Doug

    "djpimpdaddy" <> wrote in message
    news:...
    > I've been studying for my MCSE now and I am trying to mess around with
    > some of the command line features more to learn them. I know that you
    > can quickly get a list of accounts that are disabled via the dsquery
    > command, but is there any switch or parameter to determine a list of
    > domain users that have tripped their "retard checkbox", I mean locked
    > themselves out of the network?
    >
    > We have a ton of users that seem to think that 6 character passwords
    > are just too much to remember. I actually suggested to a few of them
    > to write them down on post it notes. Yes, I know, that was a last
    > ditch effort for some of these bright bulbs. Company of 80 and about
    > 10+ password resets a day.....help...
    >
    > I was hoping it would be as simple as:
    >
    > DSQUERY users -whoops > c:\tards.txt
    >
    > Joking aside, is there a way to do this? I cannot locate any method in
    > the book or on Microsoft.
    >
    Guest, Jul 26, 2007
    #5
  6. djpimpdaddy

    catwalker63 Guest

    <D> prattled ceaselessly in news:#:

    > you could try something like... dsquery user -name <user's name,
    > samid, etc>|dsget user -disabled
    >
    > for example, c:\>dsquery user -name smichaels|dsget user -disabled
    >
    > or even.. c:\>dsquery user -name smich*|dsget user -disabled
    > notice the use of a wildcard for the name. Or, if you know the dn of
    > the user, you could do it the long way...
    >
    > c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled
    >
    > but essentially the top two examples do that for you with much less
    > typing. don't forget the pipe ( | ) character.
    >
    > Doug
    >
    > "djpimpdaddy" <> wrote in message
    > news:...
    >> I've been studying for my MCSE now and I am trying to mess around
    >> with some of the command line features more to learn them. I know
    >> that you can quickly get a list of accounts that are disabled via the
    >> dsquery command, but is there any switch or parameter to determine a
    >> list of domain users that have tripped their "retard checkbox", I
    >> mean locked themselves out of the network?
    >>
    >> We have a ton of users that seem to think that 6 character passwords
    >> are just too much to remember. I actually suggested to a few of them
    >> to write them down on post it notes. Yes, I know, that was a last
    >> ditch effort for some of these bright bulbs. Company of 80 and about
    >> 10+ password resets a day.....help...
    >>
    >> I was hoping it would be as simple as:
    >>
    >> DSQUERY users -whoops > c:\tards.txt
    >>
    >> Joking aside, is there a way to do this? I cannot locate any method
    >> in the book or on Microsoft.
    >>

    >
    >
    >


    Couldn't you do:

    dsquery user dc=<yourdomain>|dsget user -disabled > c:\tards.txt

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
    catwalker63, Jul 27, 2007
    #6
  7. djpimpdaddy

    catwalker63 Guest

    catwalker63 <> prattled ceaselessly in
    news:Xns9979A4F0F49C2catwalker63athotmail@216.196.97.136:

    > <D> prattled ceaselessly in news:#:
    >
    >> you could try something like... dsquery user -name <user's name,
    >> samid, etc>|dsget user -disabled
    >>
    >> for example, c:\>dsquery user -name smichaels|dsget user -disabled
    >>
    >> or even.. c:\>dsquery user -name smich*|dsget user -disabled
    >> notice the use of a wildcard for the name. Or, if you know the dn of
    >> the user, you could do it the long way...
    >>
    >> c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled
    >>
    >> but essentially the top two examples do that for you with much less
    >> typing. don't forget the pipe ( | ) character.
    >>
    >> Doug
    >>
    >> "djpimpdaddy" <> wrote in message
    >> news:...
    >>> I've been studying for my MCSE now and I am trying to mess around
    >>> with some of the command line features more to learn them. I know
    >>> that you can quickly get a list of accounts that are disabled via the
    >>> dsquery command, but is there any switch or parameter to determine a
    >>> list of domain users that have tripped their "retard checkbox", I
    >>> mean locked themselves out of the network?
    >>>
    >>> We have a ton of users that seem to think that 6 character passwords
    >>> are just too much to remember. I actually suggested to a few of them
    >>> to write them down on post it notes. Yes, I know, that was a last
    >>> ditch effort for some of these bright bulbs. Company of 80 and about
    >>> 10+ password resets a day.....help...
    >>>
    >>> I was hoping it would be as simple as:
    >>>
    >>> DSQUERY users -whoops > c:\tards.txt
    >>>
    >>> Joking aside, is there a way to do this? I cannot locate any method
    >>> in the book or on Microsoft.
    >>>

    >>
    >>
    >>

    >
    > Couldn't you do:
    >
    > dsquery user dc=<yourdomain>|dsget user -upn -disabled > c:\tards.txt
    >


    IFMPFM

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
    catwalker63, Jul 27, 2007
    #7
  8. djpimpdaddy

    John R Guest

    Guys

    Although he originally said "disabled", he then clarified that what he is
    looking for is "locked out" due to invalid password attempts. Yes, there is
    a disabled flag for "dsquery user", but that is not going to show him
    lockouts.

    John R
    John R, Jul 27, 2007
    #8
  9. djpimpdaddy

    catwalker63 Guest

    John R piffled away vaguely:
    >
    > Although he originally said "disabled", he then clarified that what he is
    > looking for is "locked out" due to invalid password attempts. Yes, there is
    > a disabled flag for "dsquery user", but that is not going to show him
    > lockouts.
    >
    >

    Sorry. Wasn't paying enough attention. I got all into makin' the
    query work, I forgot the question. :O
    --

    Catwalker
    MCNGP #43
    www.mcngp.com
    "I have a gun. It's loaded. Shut up."
    catwalker63, Jul 27, 2007
    #9
  10. djpimpdaddy

    djpimpdaddy Guest

    My bad. I did mean to say locked out and not disabled. We use the two
    interchangeably here because on our AS400 you do get "*DISABLED". It
    seems the few times our problem users actually make it on the network,
    they disable their AS400 logon. ::puts head in hands and weeps for
    their souls::

    I have been monitoring the security event log on both the domain
    controllers and the only thing I can see is event id 644:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management
    Event ID: 644
    Date: 7/27/2007
    Time: 8:01:49 AM
    User: NT AUTHORITY\SYSTEM
    Computer: EMAIL
    Description:
    User Account Locked Out:
    Target Account Name: vsmith
    Target Account ID: INTERSTARNA\vsmith
    Caller Machine Name: A1217714
    Caller User Name: EMAIL$
    Caller Domain: INTERSTARNA
    Caller Logon ID: (0x0,0x3E7)


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    djpimpdaddy, Jul 27, 2007
    #10
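The post above notes that event 644 has to be looked up in the Security log of every domain controller. As an added example (not code from the thread), this parser takes the events of several DCs exported as text in the layout shown above and reports, per locked-out account, how many 644 events were logged, from which caller machines, and on which DCs. The sample export is constructed; `DC2`, `WS-0042` and `jdoe` are assumed names.

```python
import re
from collections import defaultdict

# "Key: value" lines as in the event text above. Keys start with a capital
# letter, so the trailing help URL is not mistaken for a field.
FIELD = re.compile(r"^\s*([A-Z][A-Za-z ]*?):\s*(.*)$")


def parse_events(text):
    """Split exported Security log text into one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":      # first field of every record
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events


def lockout_summary(events):
    """Per locked-out account: event count, caller machines, reporting DCs."""
    summary = defaultdict(lambda: {"count": 0, "callers": set(), "dcs": set()})
    for ev in events:
        if ev.get("Event ID") != "644":
            continue                 # keep only "User Account Locked Out"
        row = summary[ev.get("Target Account Name", "?").lower()]
        row["count"] += 1
        row["callers"].add(ev.get("Caller Machine Name", "?"))
        row["dcs"].add(ev.get("Computer", "?"))
    return dict(summary)


# Constructed sample: records from two DCs, trimmed to the fields used here.
SAMPLE_EXPORT = r"""
Event Type: Success Audit
Event ID: 644
Computer: EMAIL
Target Account Name: vsmith
Target Account ID: INTERSTARNA\vsmith
Caller Machine Name: A1217714

Event Type: Success Audit
Event ID: 644
Computer: DC2
Target Account Name: vsmith
Caller Machine Name: WS-0042

Event Type: Success Audit
Event ID: 642
Computer: EMAIL
Target Account Name: vsmith

Event Type: Success Audit
Event ID: 644
Computer: DC2
Target Account Name: jdoe
Caller Machine Name: WS-0042
"""

if __name__ == "__main__":
    for account, row in lockout_summary(parse_events(SAMPLE_EXPORT)).items():
        print(account, row["count"], sorted(row["callers"]), sorted(row["dcs"]))
```

The caller machine column is the useful part for triage: one workstation locking out several accounts points at that machine rather than at forgetful users.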
  11. djpimpdaddy

    John R Guest

    "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:...
    >
    > I've been playing with an LDAP query
    > (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
    > However, that seems to bring up other stuff that isn't actually locked
    > out.


    From everything I've found, the following syntax "should" work, however I
    can't get the query to execute...

    (&(&(objectCategory=Person)(objectClass=User))(msdsUser-Account-Control-Computed:1.2.840.113556.1.4.803:=16))

    Any bigger brains out there that can tell me why it won't?

    John R
    John R, Jul 27, 2007
    #11
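Background for the two filters tried in this thread, with an added example that is not code from the thread. `lockoutTime` is not zeroed when the lockout window expires (it is reset at the next successful logon or by an administrator's unlock), so `(lockoutTime>=1)` also matches accounts that can already log on again. `msDS-User-Account-Control-Computed` is a constructed attribute, which a directory server can return but cannot evaluate inside a search filter. The sketch below post-filters entries read back from a `lockoutTime>=1` search. The entries, every account name except `vsmith`, and the 30-minute lockout duration are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_LOCKOUT = 0x10  # decimal 16, the bit the filter above tests for


def to_filetime(dt):
    """Datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_locked(entry, now, lockout_duration):
    """entry: attributes read back for one user.
    lockout_duration: timedelta from the domain policy, or None when
    accounts stay locked until an administrator unlocks them."""
    computed = entry.get("msDS-User-Account-Control-Computed")
    if computed is not None:
        # Constructed attribute: usable once read back, not inside a filter.
        return bool(int(computed) & UF_LOCKOUT)
    ft = int(entry.get("lockoutTime", 0))
    if ft <= 0:
        return False          # never locked, or already reset
    if lockout_duration is None:
        return True
    return from_filetime(ft) + lockout_duration > now


def currently_locked(entries, now, lockout_duration):
    return sorted(e["sAMAccountName"] for e in entries
                  if is_locked(e, now, lockout_duration))


# Constructed sample: what a (lockoutTime>=1) search could hand back.
NOW = datetime(2007, 7, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "vsmith",   # locked 10 minutes ago
     "lockoutTime": to_filetime(NOW - timedelta(minutes=10))},
    {"sAMAccountName": "stale1",   # locked 3 days ago, window long expired
     "lockoutTime": to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "flagged",  # computed attribute read back, bit set
     "lockoutTime": to_filetime(NOW - timedelta(minutes=5)),
     "msDS-User-Account-Control-Computed": 16},
    {"sAMAccountName": "cleared",  # computed attribute read back, bit clear
     "lockoutTime": to_filetime(NOW - timedelta(days=1)),
     "msDS-User-Account-Control-Computed": 0},
]

if __name__ == "__main__":
    print(currently_locked(SAMPLE, NOW, timedelta(minutes=30)))
```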
  12. djpimpdaddy

    djpimpdaddy Guest

    I think they are too busy flinging poo at each other on another
    thread... lol

    How do try to run that query? Never done LDAP yet, I think..
    djpimpdaddy, Jul 27, 2007
    #12
  13. djpimpdaddy

    John R Guest

    "djpimpdaddy" <> wrote in message
    news:...
    >I think they are too busy flinging poo at each other on another
    > thread... lol
    >
    > How do try to run that query? Never done LDAP yet, I think..
    >
    >


    Did you ever wonder what that 'Saved Queries' node is in Active Directory
    Users and Computers?

    Create a new saved query, I called mine 'Account Lockouts', change the find
    drop down to 'Custom Search', go to the advanced tab, and enter the query.
    (Note: leave off the outside parenthesis and the first ampersand)

    However, when I run it, it tells me "inappropriate matching". Yet, from
    everything I've found, the query I have is correct.

    If we get it working, it will be just what you want, and you'll be able to
    just click on the user objects listed and change the locked out flag.

    John R
    John R, Jul 27, 2007
    #13
  14. djpimpdaddy

    John R Guest

    "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:...
    > "djpimpdaddy" <> wrote in message
    > news:...
    >>I think they are too busy flinging poo at each other on another
    >> thread... lol
    >>
    >> How do try to run that query? Never done LDAP yet, I think..
    >>
    >>

    >
    > Did you ever wonder what that 'Saved Queries' node is in Active Directory
    > Users and Computers?
    >
    > Create a new saved query, I called mine 'Account Lockouts', change the
    > find drop down to 'Custom Search', go to the advanced tab, and enter the
    > query. (Note: leave off the outside parenthesis and the first ampersand)
    >
    > However, when I run it, it tells me "inappropriate matching". Yet, from
    > everything I've found, the query I have is correct.
    >
    > If we get it working, it will be just what you want, and you'll be able to
    > just click on the user objects listed and change the locked out flag.
    >
    > John R
    >


    You'll probably need to run it on the DC that holds the PDC emulator role.
    When I tripped some accounts here, they did not show up immediately on the
    local DC but showed up right away on the PDC emulator.

    John R
    John R, Jul 27, 2007
    #14
  15. djpimpdaddy

    catwalker63 Guest

    djpimpdaddy <> prattled ceaselessly in
    news::

    > I think they are too busy flinging poo at each other on another
    > thread... lol


    I'm so staying out of that. I know nothing, nothing.

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
    catwalker63, Jul 27, 2007
    #15
  16. djpimpdaddy

    John R Guest

    "catwalker63" <> wrote in message
    news:Xns997A9D6D9D52Ccatwalker63athotmail@216.196.97.136...
    > djpimpdaddy <> prattled ceaselessly in
    > news::
    >
    > I'm so staying out of that. I know nothing, nothing.
    >


    Hoooooooogaaaaaaaaan :)

    I think they won't be happy until they've finally beaten that horse into an
    undistinguishable pile of fur.

    John R
    John R, Jul 28, 2007
    #16
  17. djpimpdaddy

    John R Guest

    "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:...
    >
    > "catwalker63" <> wrote in message
    > news:Xns997A9D6D9D52Ccatwalker63athotmail@216.196.97.136...
    >> djpimpdaddy <> prattled ceaselessly in
    >> news::
    >>
    >> I'm so staying out of that. I know nothing, nothing.
    >>

    >


    Sorry dj and cat, bad editing skills

    $1 to cat

    John R
    John R, Jul 28, 2007
    #17
