User password expiration / lockouts in Microsoft Active Directory

How can I show accounts that are locked out in AD?
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx


Can I dump password expiration for users in AD?
Use AdFind.exe to dump the password expiration. The Stoneware download / Utilities page has this script and a link to the adfind.exe tools.


Documentation on Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx


How can I tell what the password expire time is for an AD user?
Microsoft has a tool called acctinfo.dll that adds another tab to the Active Directory Users and Computers tool. When you bring up a user you will have a new tab called Additional Account Info.

You can download this tool from http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en1


Error codes (userAccountControl flag values)

Here is the list:
0x00000001 ADS_UF_SCRIPT The logon script is executed.
0x00000002 ADS_UF_ACCOUNTDISABLE The user account is disabled.
0x00000008 ADS_UF_HOMEDIR_REQUIRED The home directory is required.
0x00000010 ADS_UF_LOCKOUT The account is currently locked out.
0x00000020 ADS_UF_PASSWD_NOTREQD No password is required.
0x00000040 ADS_UF_PASSWD_CANT_CHANGE The user cannot change the password.
Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

0x00000080 ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED The user can send an encrypted password.
0x00000100 ADS_UF_TEMP_DUPLICATE_ACCOUNT This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200 ADS_UF_NORMAL_ACCOUNT This is a default account type that represents a typical user.
0x00000800 ADS_UF_INTERDOMAIN_TRUST_ACCOUNT This is a permit to trust account for a system domain that trusts other domains.
0x00001000 ADS_UF_WORKSTATION_TRUST_ACCOUNT This is a computer account for a computer that is a member of this domain.
0x00002000 ADS_UF_SERVER_TRUST_ACCOUNT This is a computer account for a system backup domain controller that is a member of this domain.
0x00004000 N/A Not used.
0x00008000 N/A Not used.
0x00010000 ADS_UF_DONT_EXPIRE_PASSWD The password for this account will never expire.
0x00020000 ADS_UF_MNS_LOGON_ACCOUNT This is an MNS logon account.
0x00040000 ADS_UF_SMARTCARD_REQUIRED The user must log on using a smart card.
0x00080000 ADS_UF_TRUSTED_FOR_DELEGATION The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000 ADS_UF_NOT_DELEGATED The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 ADS_UF_USE_DES_KEY_ONLY Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 ADS_UF_DONT_REQUIRE_PREAUTH This account does not require Kerberos pre-authentication for logon.
0x00800000 ADS_UF_PASSWORD_EXPIRED The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000 ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.


Copy acctinfo.dll to \windows\system32 and then type:
regsvr32 %systemroot%\system32\acctinfo.dll

Install acctinfo.dll per the instructions above and then view the properties of a user. The Additional Account Info tab will show:
Password last set
Password Expires
User Account Control information
Locked
Last Login timestamp
SID
GUID
Last Logon
Last Logoff
Last Bad Logon
Logon Count
Bad Password Count

It will also show the password policy assigned for this user.
Max Password Age
Min Password Age
Lockout Duration
Reset Bad PW Count
Max Bad Password Count
Previous PWs Kept
Min PW Length

The User Account Control decode button translates the numeric userAccountControl value into its flags, for example 66048 (0x10200) = UF_DONT_EXPIRE_PASSWORD + UF_NORMAL_ACCOUNT.

Microsoft has a link that explains what these mean: http://msdn.microsoft.com/en-us/library/ms680832.aspx
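As an added example (not code from this article or from the acctinfo.dll tool), the following Python decodes a userAccountControl value the way the decode button does and computes the "Password Expires" time from the user's pwdLastSet and the domain's maxPwdAge, which is how the tab derives it; it goes one step beyond the page by also handling the never-expires and must-change-at-next-logon cases. All attribute values in it are constructed samples, not taken from a real directory.

```python
from datetime import datetime, timedelta, timezone

# Flag names taken from the userAccountControl table above (the subset that
# matters for password and lockout state).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",  # AD exposes lockout via lockoutTime / msDS-User-Account-Control-Computed, not the stored attribute
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00400000: "DONT_REQUIRE_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
}
DONT_EXPIRE_PASSWD = 0x00010000

# pwdLastSet and maxPwdAge are 100-nanosecond ticks; pwdLastSet counts from 1601-01-01 UTC
# and maxPwdAge is stored as a negative interval (0 or -2**63 means "never expires").
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, -2**63)


def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer such as 66048."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(uac, pwd_last_set, max_pwd_age, now):
    """Return (state, expiry datetime or None), mirroring the 'Password Expires' field."""
    if uac & DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:  # pwdLastSet is zeroed when "must change at next logon" is set
        return ("must change at next logon", None)
    if max_pwd_age in NEVER:
        return ("never", None)
    expires = filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative interval
    return ("expired" if expires <= now else "expires", expires)


if __name__ == "__main__":
    # Constructed sample values: a normal account whose password was set on 2022-06-18
    # in a domain with a 42-day maximum password age.
    max_age_42_days = -42 * 24 * 3600 * 10_000_000
    print(decode_uac(66048))  # ['NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWD']
    print(password_expiry(0x200, 133000000000000000, max_age_42_days, datetime.now(timezone.utc)))
```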

To remove the plugin, type: regsvr32 /u %systemroot%\system32\acctinfo.dll