Lenovo Software Help Center

User password expiration / lockouts in Microsoft Active Directory

How can I show accounts that are locked out in AD ?
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx


Can I dump password expiration for users in AD ?
Yes. The Stoneware Download / Utilities page has a script that uses AdFind.exe to dump password expiration for every user, along with a link to the AdFind tools.


Documentation on Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx


How can I tell what the password expire time is for an AD user ?
Microsoft ships a DLL called acctinfo.dll (part of the Account Lockout and Management Tools) that adds a tab to Active Directory Users and Computers. When you open a user's properties you will see a new tab called Additional Account Info.

You can download this tool from http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en1
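The three questions above (who is locked out, when each user's password expires, and the expiry for one user) can also be answered from PowerShell without AdFind or the acctinfo.dll tab. The script below is an added example written for this page, not the Stoneware script or Microsoft's tool. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain; the CSV file name is an arbitrary choice.

```powershell
# Added example (not the Stoneware AdFind script or Microsoft's acctinfo.dll):
# locked-out accounts and per-user password expiry via the RSAT ActiveDirectory
# module. Assumes read access to the domain; the CSV path is an arbitrary choice.
Import-Module ActiveDirectory

# lockoutTime is replicated, but badPwdCount is kept per DC, so ask the PDC
# emulator, which is notified of every bad password attempt in the domain.
$pdc = (Get-ADDomain).PDCEmulator

# 1. Who is locked out right now?
Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Server $pdc -Properties lockoutTime, badPwdCount
    } |
    Select-Object SamAccountName,
        @{ n = 'LockedOutSince'; e = { [DateTime]::FromFileTime($_.lockoutTime) } },
        badPwdCount |
    Format-Table -AutoSize

# 2. When does each enabled user's password expire?
#    msDS-UserPasswordExpiryTimeComputed is calculated by the DC from pwdLastSet
#    and the effective policy, so it already honours any Fine-Grained Password
#    Policy (PSO) applied to the user or to a group the user belongs to.
$never = [int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF: no expiry / no maximum password age

Get-ADUser -Filter 'Enabled -eq $true' -Server $pdc `
    -Properties pwdLastSet, PasswordNeverExpires, LockedOut, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = [int64]$_.'msDS-UserPasswordExpiryTimeComputed'
        $expires = switch ($raw) {
            0                 { 'expired (must change at next logon)' }
            { $_ -ge $never } { 'never' }
            default           { [DateTime]::FromFileTime($_) }
        }
        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
            PasswordExpires      = $expires
            DaysLeft             = if ($expires -is [DateTime]) { [int]($expires - (Get-Date)).TotalDays } else { $null }
            PasswordNeverExpires = $_.PasswordNeverExpires
            LockedOut            = $_.LockedOut
        }
    } |
    Sort-Object DaysLeft |
    Export-Csv -NoTypeInformation -Path .\password-expiry.csv
```

For a single user, run the second query with -Identity instead of -Filter. The report deliberately reads the computed expiry attribute rather than adding the domain's Max Password Age to pwdLastSet by hand, because that manual arithmetic is wrong for any user who falls under a Fine-Grained Password Policy.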


UserAccountControl flags

The numbers below are not error codes: they are the bit flags of the userAccountControl attribute (the ADS_USER_FLAG_ENUM values), and the value a tool displays is the sum of the flags that are set. Two of them, LOCKOUT (0x10) and PASSWORD_EXPIRED (0x800000), are calculated by the domain controller and only appear in the computed attribute msDS-User-Account-Control-Computed, never in the stored userAccountControl value.

Here is the list:
0x00000001 ADS_UF_SCRIPT The logon script is executed.
0x00000002 ADS_UF_ACCOUNTDISABLE The user account is disabled.
0x00000008 ADS_UF_HOMEDIR_REQUIRED The home directory is required.
0x00000010 ADS_UF_LOCKOUT The account is currently locked out.
0x00000020 ADS_UF_PASSWD_NOTREQD No password is required.
0x00000040 ADS_UF_PASSWD_CANT_CHANGE The user cannot change the password.
Note You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

0x00000080 ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED The user can send an encrypted password.
0x00000100 ADS_UF_TEMP_DUPLICATE_ACCOUNT This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200 ADS_UF_NORMAL_ACCOUNT This is a default account type that represents a typical user.
0x00000800 ADS_UF_INTERDOMAIN_TRUST_ACCOUNT This is a permit to trust account for a system domain that trusts other domains.
0x00001000 ADS_UF_WORKSTATION_TRUST_ACCOUNT This is a computer account for a computer that is a member of this domain.
0x00002000 ADS_UF_SERVER_TRUST_ACCOUNT This is a computer account for a system backup domain controller that is a member of this domain.
0x00004000 N/A Not used.
0x00008000 N/A Not used.
0x00010000 ADS_UF_DONT_EXPIRE_PASSWD The password for this account will never expire.
0x00020000 ADS_UF_MNS_LOGON_ACCOUNT This is an MNS logon account.
0x00040000 ADS_UF_SMARTCARD_REQUIRED The user must log on using a smart card.
0x00080000 ADS_UF_TRUSTED_FOR_DELEGATION The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000 ADS_UF_NOT_DELEGATED The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 ADS_UF_USE_DES_KEY_ONLY Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 ADS_UF_DONT_REQUIRE_PREAUTH This account does not require Kerberos pre-authentication for logon.
0x00800000 ADS_UF_PASSWORD_EXPIRED The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000 ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.


Copy acctinfo.dll to %systemroot%\system32 and, from an elevated command prompt, register it:
regsvr32 %systemroot%\system32\acctinfo.dll

Install acctinfo.dll as described above, then open a user's properties in Active Directory Users and Computers. The Additional Account Info tab shows:
Password last set
Password Expires
User Account Control information
Locked
Last Login timestamp
SID
GUID
Last Logon
Last Logoff
Last Bad Logon
Logon Count
Bad Password Count

It will also show the password policy assigned for this user.
Max Password Age
Min Password Age
Lockout Duration
Reset Bad PW Count
Max Bad Password Count
Previous PWs Kept
Min PW Length

The User Account Control decode expands the raw attribute value into its flags. For example 66048 (0x10200) = UF_DONT_EXPIRE_PASSWORD (0x10000) + UF_NORMAL_ACCOUNT (0x200).

Microsoft has a link that explains what these mean: http://msdn.microsoft.com/en-us/library/ms680832.aspx
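As an added example (not part of the original article or of acctinfo.dll), the following PowerShell reproduces the decode step for any raw value, confirms the 66048 case above, shows the difference between the stored and the computed attribute, and then turns the flag table into LDAP queries for the bits a security review cares about. It assumes the RSAT ActiveDirectory module; the account name jdoe is a placeholder.

```powershell
# Added example (not from the original article or acctinfo.dll): decode a raw
# userAccountControl value into UF_* names and query AD for risky bits.
# Assumes the RSAT ActiveDirectory module; 'jdoe' below is a placeholder.
Import-Module ActiveDirectory

$UacFlags = [ordered]@{
    SCRIPT                                 = 0x00000001
    ACCOUNTDISABLE                         = 0x00000002
    HOMEDIR_REQUIRED                       = 0x00000008
    LOCKOUT                                = 0x00000010
    PASSWD_NOTREQD                         = 0x00000020
    PASSWD_CANT_CHANGE                     = 0x00000040
    ENCRYPTED_TEXT_PASSWORD_ALLOWED        = 0x00000080
    TEMP_DUPLICATE_ACCOUNT                 = 0x00000100
    NORMAL_ACCOUNT                         = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT              = 0x00000800
    WORKSTATION_TRUST_ACCOUNT              = 0x00001000
    SERVER_TRUST_ACCOUNT                   = 0x00002000
    DONT_EXPIRE_PASSWD                     = 0x00010000
    MNS_LOGON_ACCOUNT                      = 0x00020000
    SMARTCARD_REQUIRED                     = 0x00040000
    TRUSTED_FOR_DELEGATION                 = 0x00080000
    NOT_DELEGATED                          = 0x00100000
    USE_DES_KEY_ONLY                       = 0x00200000
    DONT_REQUIRE_PREAUTH                   = 0x00400000
    PASSWORD_EXPIRED                       = 0x00800000
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000
}

function ConvertFrom-UserAccountControl {
    # Returns the UF_* name of every bit set in $Value, lowest bit first.
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { "UF_$($flag.Key)" }
    }
}

# The article's example: 66048 = 0x10200 = 0x200 + 0x10000
ConvertFrom-UserAccountControl 66048     # UF_NORMAL_ACCOUNT, UF_DONT_EXPIRE_PASSWD

# LOCKOUT (0x10) and PASSWORD_EXPIRED (0x800000) are never written into the
# stored attribute; the DC calculates them when you read
# msDS-User-Account-Control-Computed, which is what the acctinfo tab reflects.
Get-ADUser -Identity jdoe -Properties userAccountControl, 'msDS-User-Account-Control-Computed' |
    ForEach-Object {
        'stored  : ' + ((ConvertFrom-UserAccountControl $_.userAccountControl) -join ' ')
        'computed: ' + ((ConvertFrom-UserAccountControl $_.'msDS-User-Account-Control-Computed') -join ' ')
    }

# Bits worth a periodic sweep. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
# matching rule, so each filter matches every account with that bit set.
$Review = [ordered]@{
    'Kerberos pre-auth not required' = $UacFlags.DONT_REQUIRE_PREAUTH
    'Password not required'          = $UacFlags.PASSWD_NOTREQD
    'Unconstrained delegation'       = $UacFlags.TRUSTED_FOR_DELEGATION
    'DES-only Kerberos keys'         = $UacFlags.USE_DES_KEY_ONLY
    'Reversible encryption allowed'  = $UacFlags.ENCRYPTED_TEXT_PASSWORD_ALLOWED
    'Password never expires'         = $UacFlags.DONT_EXPIRE_PASSWD
}
foreach ($check in $Review.GetEnumerator()) {
    $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$($check.Value))"
    $hits = @(Get-ADUser -LDAPFilter $filter -Properties userAccountControl)
    '{0}: {1} account(s)' -f $check.Key, $hits.Count
    $hits | Select-Object SamAccountName,
        @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ' ' } }
}
```

The bitwise matching rule is what makes the sweep cheap: the filter is evaluated on the domain controller, so you get back only the accounts carrying the flag instead of pulling every user and decoding client-side.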

To remove the tab, unregister the DLL from an elevated command prompt: regsvr32 /u %systemroot%\system32\acctinfo.dll