How can I show accounts that are locked out in AD?
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
Can I dump password expiration for users in AD?
Use AdFind.exe to dump the password expiration. The Stoneware download / Utilities area has this script and a link to the adfind.exe tools.
Documentation on Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
How can I tell what the password expire time is for an AD user?
Microsoft has a tool called acctinfo.dll that adds another tab to the Active Directory Users and Computers tool. When you bring up a user you will have a new tab called Additional Account Info.
You can download this tool from http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en1
Error codes
Here is the list of userAccountControl flag values:
0x00000001 ADS_UF_SCRIPT The logon script is executed.
0x00000002 ADS_UF_ACCOUNTDISABLE The user account is disabled.
0x00000008 ADS_UF_HOMEDIR_REQUIRED The home directory is required.
0x00000010 ADS_UF_LOCKOUT The account is currently locked out.
0x00000020 ADS_UF_PASSWD_NOTREQD No password is required.
0x00000040 ADS_UF_PASSWD_CANT_CHANGE The user cannot change the password.
Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
0x00000080 ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED The user can send an encrypted password.
0x00000100 ADS_UF_TEMP_DUPLICATE_ACCOUNT This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200 ADS_UF_NORMAL_ACCOUNT This is a default account type that represents a typical user.
0x00000800 ADS_UF_INTERDOMAIN_TRUST_ACCOUNT This is a permit to trust account for a system domain that trusts other domains.
0x00001000 ADS_UF_WORKSTATION_TRUST_ACCOUNT This is a computer account for a computer that is a member of this domain.
0x00002000 ADS_UF_SERVER_TRUST_ACCOUNT This is a computer account for a system backup domain controller that is a member of this domain.
0x00004000 N/A Not used.
0x00008000 N/A Not used.
0x00010000 ADS_UF_DONT_EXPIRE_PASSWD The password for this account will never expire.
0x00020000 ADS_UF_MNS_LOGON_ACCOUNT This is an MNS logon account.
0x00040000 ADS_UF_SMARTCARD_REQUIRED The user must log on using a smart card.
0x00080000 ADS_UF_TRUSTED_FOR_DELEGATION The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000 ADS_UF_NOT_DELEGATED The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 ADS_UF_USE_DES_KEY_ONLY Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 ADS_UF_DONT_REQUIRE_PREAUTH This account does not require Kerberos pre-authentication for logon.
0x00800000 ADS_UF_PASSWORD_EXPIRED The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000 ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
Copy acctinfo.dll to \windows\system32 and then type:
regsvr32 %systemroot%\system32\acctinfo.dll
Install the acctinfo.dll per the instructions and then view the properties of a user. You will then see:
Password last set
Password Expires
User Account Control information
Locked
Last Login timestamp
SID
GUID
Last Logon
Last Logoff
Last Bad Logon
Logon Count
Bad Password Count
It will also show the password policy assigned for this user.
Max Password Age
Min Password Age
Lockout Duration
Reset Bad PW Count
Max Bad Password Count
Previous PWs Kept
Min PW Length
The Decode button for User Account Control decodes the raw userAccountControl number, for example 66048 = UF_DONT_EXPIRE_PASSWORD + UF_NORMAL_ACCOUNT.
Microsoft has a link that explains what these mean: http://msdn.microsoft.com/en-us/library/ms680832.aspx
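The same decode can be done offline when reviewing exported userAccountControl values (for example from an AdFind dump). This is an added example, not code from the original page or from the acctinfo.dll tool; the flag values come from the table above, and which bits count as "review" is my own audit choice.

```python
# Decode a userAccountControl value into the ADS_UF_* names listed on this page,
# and pick out the bits an audit should look at (weakened authentication,
# delegation, non-expiring passwords). Added example, not the page's own code.

ADS_UF_FLAGS = {
    0x00000001: "ADS_UF_SCRIPT",
    0x00000002: "ADS_UF_ACCOUNTDISABLE",
    0x00000008: "ADS_UF_HOMEDIR_REQUIRED",
    0x00000010: "ADS_UF_LOCKOUT",
    0x00000020: "ADS_UF_PASSWD_NOTREQD",
    0x00000040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x00000080: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "ADS_UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "ADS_UF_NORMAL_ACCOUNT",
    0x00000800: "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "ADS_UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x00020000: "ADS_UF_MNS_LOGON_ACCOUNT",
    0x00040000: "ADS_UF_SMARTCARD_REQUIRED",
    0x00080000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "ADS_UF_NOT_DELEGATED",
    0x00200000: "ADS_UF_USE_DES_KEY_ONLY",
    0x00400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "ADS_UF_PASSWORD_EXPIRED",
    0x01000000: "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

# Audit choice (assumption, not from the page): flags worth a second look.
REVIEW_FLAGS = {
    "ADS_UF_PASSWD_NOTREQD", "ADS_UF_DONT_EXPIRE_PASSWD", "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_DONT_REQUIRE_PREAUTH", "ADS_UF_TRUSTED_FOR_DELEGATION",
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

def decode_uac(value):
    """Return the ADS_UF_* names set in a userAccountControl value, lowest bit first.
    Bits with no name in the table are reported as hex so nothing is silently dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(ADS_UF_FLAGS.get(mask, "UNKNOWN_0x%08X" % mask))
    return names

def review_uac(value):
    """Return only the decoded flags that fall in REVIEW_FLAGS, same order."""
    return [n for n in decode_uac(value) if n in REVIEW_FLAGS]
```

Running `decode_uac(66048)` reproduces the page's worked value as `["ADS_UF_NORMAL_ACCOUNT", "ADS_UF_DONT_EXPIRE_PASSWD"]`.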
To remove the plugin, type: regsvr32 /u %systemroot%\system32\acctinfo.dll