Technical Q: Is there a CMD for DSQuery user -lockedout?

Discussion in 'MCSE' started by djpimpdaddy, Jul 26, 2007.

  1. djpimpdaddy (Guest)

    I've been studying for my MCSE now and I am trying to mess around with
    some of the command line features more to learn them. I know that you
    can quickly get a list of accounts that are disabled via the dsquery
    command, but is there any switch or parameter to determine a list of
    domain users that have tripped their "retard checkbox", I mean locked
    themselves out of the network?

    We have a ton of users that seem to think that 6 character passwords
    are just too much to remember. I actually suggested to a few of them
    to write them down on post it notes. Yes, I know, that was a last
    ditch effort for some of these bright bulbs. Company of 80 and about
    10+ password resets a day.....help...

    I was hoping it would be as simple as:

    DSQUERY users -whoops > c:\tards.txt

    Joking aside, is there a way to do this? I cannot locate any method in
    the book or on Microsoft.
     
    djpimpdaddy, Jul 26, 2007
    #1

  2. John R (Guest)

    There is no dsquery user switch for what you want. You can find those by
    going to help and support, and typing in ...
    "directory service" "command-line" dsquery
    and then clicking on the link on the left about dsquery : command-line
    reference

    I've been playing with an LDAP query
    (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
    However, that seems to bring up other stuff that isn't actually locked out.

    If I can get it to work, I'll post back, or maybe someone else here has done
    this before.

    John R
     
    John R, Jul 26, 2007
    #2

  3. djpimpdaddy (Guest)

    I thought that I was on to something by enabling Account Auditing and
    searching the security log on the DC for event 644 and "failure" or
    something like that, but you have to do it on all of your DC event
    logs. I even made a mmc with all the dc event logs on it but it still
    seems like there should be an easy or automatic way to do this.
     
    djpimpdaddy, Jul 26, 2007
    #3
  4. catwalker63 (Guest)

    Have you tried LockoutStatus.exe?

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

    More information about managing account lockouts:

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
     
    catwalker63, Jul 26, 2007
    #4
  5. Guest (Guest)

    you could try something like... dsquery user -name <user's name, samid,
    etc>|dsget user -disabled

    for example, c:\>dsquery user -name smichaels|dsget user -disabled

    or even.. c:\>dsquery user -name smich*|dsget user -disabled
    notice the use of a wildcard for the name. Or, if you know the dn of the
    user, you could do it the long way...

    c:\>dsquery user "cn=smichaels,ou=hr,dc=mydomain"|dsget user -disabled

    but essentially the top two examples do that for you with much less typing.
    don't forget the pipe ( | ) character.

    Doug
     
    Guest, Jul 26, 2007
    #5
  6. catwalker63 (Guest)

    Couldn't you do:

    dsquery user dc=<yourdomain>|dsget user -disabled > c:\tards.txt
     
    catwalker63, Jul 27, 2007
    #6
  7. catwalker63 (Guest)

    IFMPFM
     
    catwalker63, Jul 27, 2007
    #7
  8. John R (Guest)

    Guys

    Although he originally said "disabled", he then clarified that what he is
    looking for is "locked out" due to invalid password attempts. Yes, there is
    a disabled flag for "dsquery user", but that is not going to show him
    lockouts.

    John R
     
    John R, Jul 27, 2007
    #8
  9. catwalker63 (Guest)

    John R piffled away vaguely:
    Sorry. Wasn't paying enough attention. I got all into makin' the
    query work, I forgot the question. :O
    --

    Catwalker
    MCNGP #43
    www.mcngp.com
    "I have a gun. It's loaded. Shut up."
     
    catwalker63, Jul 27, 2007
    #9
  10. djpimpdaddy (Guest)

    My bad. I did mean to say locked out and not disabled. We use the two
    interchangeably here because on our AS400 you do get "*DISABLED". It
    seems the few times our problem users actually make it on the network,
    they disable their AS400 logon. ::puts head in hands and weeps for
    their souls::

    I have been monitoring the security event log on both the domain
    controllers and the only thing I can see is event id 644:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management
    Event ID: 644
    Date: 7/27/2007
    Time: 8:01:49 AM
    User: NT AUTHORITY\SYSTEM
    Computer: EMAIL
    Description:
    User Account Locked Out:
    Target Account Name: vsmith
    Target Account ID: INTERSTARNA\vsmith
    Caller Machine Name: A1217714
    Caller User Name: EMAIL$
    Caller Domain: INTERSTARNA
    Caller Logon ID: (0x0,0x3E7)


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
     
    djpimpdaddy, Jul 27, 2007
    #10
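The event quoted above is the one record the DCs do write for every lockout, so the "check every DC's log" chore from post #3 can be turned into a script run over each DC's Security-log text export. The following is an added example, not code from the thread; the log text in it is constructed in the shape of the event above, with made-up accounts, machines and times. Besides listing who got locked out, it groups lockouts by "Caller Machine Name", which is the useful part for tracking down the source: the same machine locking the same account again and again usually means a stale password cached by a service, mapped drive or mail client rather than a user mistyping.

```python
"""Added example, not code from the thread: extract account-lockout events
(ID 644) from a Security-log text export and summarise them per account and
per caller machine.  Sample log text below is constructed.
"""
import re
from collections import Counter

# constructed sample: three lockout events (two from the same machine) and
# one unrelated failed-logon event that must be ignored
SAMPLE_LOG = r"""Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 7/27/2007
Time: 8:01:49 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
User Account Locked Out:
Target Account Name: jdoe
Target Account ID: EXAMPLE\jdoe
Caller Machine Name: WS-0001
Caller User Name: MAIL01$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)

Event Type: Failure Audit
Event ID: 529
Date: 7/27/2007
Time: 8:05:12 AM
Computer: DC1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: asmith

Event Type: Success Audit
Event ID: 644
Date: 7/27/2007
Time: 8:31:07 AM
Computer: DC2
Description:
User Account Locked Out:
Target Account Name: jdoe
Caller Machine Name: WS-0001
Caller User Name: MAIL01$

Event Type: Success Audit
Event ID: 644
Date: 7/27/2007
Time: 9:12:40 AM
Computer: DC1
Description:
User Account Locked Out:
Target Account Name: asmith
Caller Machine Name: WS-0002
Caller User Name: WS-0002$
"""

# one "Field: value" line; the lazy key match stops at the first colon so
# that "Time: 8:01:49 AM" keeps its value intact
_FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_events(text):
    """Split an export into events (blank-line separated) and return each as a
    dict of 'Field: value' pairs; header-only lines get an empty value."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = _FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events


def lockout_events(text):
    """Keep only ID 644 events, reduced to the fields worth reporting."""
    return [{"time": f"{e['Date']} {e['Time']}", "dc": e["Computer"],
             "account": e["Target Account Name"],
             "caller_machine": e["Caller Machine Name"],
             "caller_user": e["Caller User Name"]}
            for e in parse_events(text) if e.get("Event ID") == "644"]


def lockout_summary(text):
    """Lockout counts per target account and per caller machine."""
    ev = lockout_events(text)
    return {"by_account": Counter(e["account"] for e in ev),
            "by_caller_machine": Counter(e["caller_machine"] for e in ev)}


def repeat_offender_machines(text, threshold=2):
    """Caller machines behind `threshold` or more lockouts: look there for a
    stale saved credential before resetting the user's password yet again."""
    counts = lockout_summary(text)["by_caller_machine"]
    return sorted(m for m, n in counts.items() if n >= threshold)
```

Run it once per DC export (or concatenate the exports first) and compare `repeat_offender_machines` against the list of users who keep calling; a machine that shows up on every run with the same account is the thing to fix, not the user's memory.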
  11. John R (Guest)

    From everything I've found, the following syntax "should" work, however I
    can't get the query to execute...

    (&(&(objectCategory=Person)(objectClass=User))(msdsUser-Account-Control-Computed:1.2.840.113556.1.4.803:=16))

    Any bigger brains out there that can tell me why it won't?

    John R
     
    John R, Jul 27, 2007
    #11
  12. djpimpdaddy (Guest)

    I think they are too busy flinging poo at each other on another
    thread... lol

    How do you try to run that query? Never done LDAP yet, I think..
     
    djpimpdaddy, Jul 27, 2007
    #12
  13. John R (Guest)

    Did you ever wonder what that 'Saved Queries' node is in Active Directory
    Users and Computers?

    Create a new saved query, I called mine 'Account Lockouts', change the find
    drop down to 'Custom Search', go to the advanced tab, and enter the query.
    (Note: leave off the outside parenthesis and the first ampersand)

    However, when I run it, it tells me "inappropriate matching". Yet, from
    everything I've found, the query I have is correct.

    If we get it working, it will be just what you want, and you'll be able to
    just click on the user objects listed and change the locked out flag.

    John R
     
    John R, Jul 27, 2007
    #13
  14. John R (Guest)

    You'll probably need to run it on the DC that holds the PDC emulator role.
    When I tripped some accounts here, they did not show up immediately on the
    local DC but showed up right away on the PDC emulator.

    John R
     
    John R, Jul 27, 2007
    #14
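The two LDAP attempts in this thread (post #2's `lockoutTime>=1` filter and posts #11 and #13's `msDS-User-Account-Control-Computed` filter) fail for two different reasons, and the fix combines them. `lockoutTime>=1` over-matches because a DC does not reset lockoutTime when the lockout duration runs out; the attribute stays set until the account's next successful logon or an administrator unlock, so it also returns every account that was locked days ago and simply has not logged on since. The saved query fails with "inappropriate matching" because msDS-User-Account-Control-Computed is a constructed attribute, built by the DC when an object is read, and constructed attributes cannot be used in a search filter; its value 16 (0x10, UF_LOCKOUT) is only meaningful when read back from a specific object. The workable approach is to search on `lockoutTime>=1`, read each hit's lockoutTime plus the domain's lockoutDuration, and do the comparison yourself, against the PDC emulator as post #14 notes. The following added example (my code, not from the thread or from Microsoft) does that arithmetic over constructed sample records; the names and times in it are made up.

```python
"""Added example, not code from the thread: decide which accounts are
*currently* locked out from the attributes an LDAP search can return
(lockoutTime per user, lockoutDuration from the domain head), and decode
the UF_LOCKOUT bit of msDS-User-Account-Control-Computed when it is read
back from an object.  Sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone

UF_LOCKOUT = 0x10  # decimal 16: the bit the saved-query filter tried to test

# lockoutTime is a FILETIME: 100-ns intervals since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration is stored as a negative 100-ns interval; this sentinel
# value means "locked until an administrator unlocks the account"
LOCKOUT_NEVER_EXPIRES = -(1 << 63)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (e.g. a lockoutTime value) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample values."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True if an account with this lockoutTime is still locked at `now`.

    lockout_time == 0 means not locked (never was, or has been unlocked).
    lockout_duration is the raw domain lockoutDuration value.
    """
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_NEVER_EXPIRES:
        return True
    # negate the (negative) interval to get a positive duration
    duration = timedelta(microseconds=(-lockout_duration) // 10)
    return now < filetime_to_datetime(lockout_time) + duration


def uac_computed_is_locked(value: int) -> bool:
    """Decode the lockout bit from a msDS-User-Account-Control-Computed value
    read from one object (readable per object, just not usable in a filter)."""
    return bool(value & UF_LOCKOUT)


def currently_locked(accounts, lockout_duration: int, now: datetime):
    """Return the sAMAccountNames of accounts that are still locked.

    `accounts` stands for the result of a search such as
    (&(objectCategory=person)(objectClass=user)(lockoutTime>=1)) with the
    lockoutTime attribute requested; each entry is a plain dict here.
    """
    return [a["sAMAccountName"] for a in accounts
            if is_locked_out(a["lockoutTime"], lockout_duration, now)]


# --- constructed sample data, not real directory output -------------------
NOW = datetime(2007, 7, 27, 13, 0, tzinfo=timezone.utc)
DOMAIN_LOCKOUT_DURATION = -18_000_000_000  # 30 minutes, the default setting
SAMPLE_ACCOUNTS = [
    # locked 10 minutes ago: still locked
    {"sAMAccountName": "jdoe",
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    # locked 3 hours ago and not logged on since: matches lockoutTime>=1
    # even though the lockout expired long ago
    {"sAMAccountName": "asmith",
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=3))},
    # never locked (attribute absent or 0)
    {"sAMAccountName": "svc-backup", "lockoutTime": 0},
]

if __name__ == "__main__":
    print("matched by lockoutTime>=1:",
          [a["sAMAccountName"] for a in SAMPLE_ACCOUNTS if a["lockoutTime"] >= 1])
    print("currently locked:",
          currently_locked(SAMPLE_ACCOUNTS, DOMAIN_LOCKOUT_DURATION, NOW))
```

With the sample data the raw filter returns both `jdoe` and `asmith`, while only `jdoe` is actually locked; that gap is the "other stuff that isn't actually locked out" seen in post #2. Read lockoutDuration once from the domain naming context head (it lives there next to lockoutThreshold) and the comparison is the same for every hit.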
  15. catwalker63 (Guest)

    I'm so staying out of that. I know nothing, nothing.
     
    catwalker63, Jul 27, 2007
    #15
  16. John R (Guest)

    Hoooooooogaaaaaaaaan :)

    I think they won't be happy until they've finally beaten that horse into an
    indistinguishable pile of fur.

    John R
     
    John R, Jul 28, 2007
    #16
  17. John R (Guest)

    Sorry dj and cat, bad editing skills

    $1 to cat

    John R
     
    John R, Jul 28, 2007
    #17