How to use Account Lockout and Management Tools
Installing ALTools.exe
After you've downloaded ALTools.exe from the Download Center, double-click on the file to extract the tools to a directory of your choosing. Then install the tools as needed on domain controllers, member servers, or workstations as described under each tool discussed below.
AcctInfo.dll
This DLL adds a new tab called Additional Account Info to user account properties sheets in the Active Directory Users and Computers (ADUC). Copy the file to the System32 folder of the computer on which you run ADUC (typically an administrator workstation with adminpak.msi installed) and then open a command prompt and type regsvr32 acctinfo.dll to register the DLL. Now open ADUC and view the properties of a locked-out user like Bob Smith in Figure 2 below:
Figure 2: AcctInfo.dll adds the Additional Account Info tab to the properties sheet for a user account
There's lots of information here, but in particular line four indicates the date and time when Bob's account became locked and when it will automatically unlock. Clicking the Domain PW Info button displays the password policy for the domain:
Figure 3: Result of clicking the Domain PW Info button
Clicking the Set PW On Site DC button lets you reset the password for the user and unlock the account (see Figure 4). This is useful because if you want to reset a user's password you should do it using a domain controller in the AD site where the user's computer resides; otherwise replication latency may cause a delay before the user can log on again. This is a better approach than right-clicking the account in ADUC and selecting Reset Password.
Figure 4: Resetting a user's password on a DC in a remote site
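The two things the Additional Account Info tab shows for a locked-out user (when the lockout began and when it will unlock on its own) both come from the user's lockoutTime attribute and the lockout duration in the applicable password policy, and the "Set PW On Site DC" step is just a password reset and unlock directed at a writable DC in the right site. The following script is an added example, not part of the original post or of the ALTools package; it reproduces both with the RSAT ActiveDirectory module. The $SamAccountName parameter is assumed, and the site lookup assumes you run the script from a machine in the same AD site as the user's workstation.

```powershell
# Added example (not from the original post or ALTools): show lockout
# start/auto-unlock time for a user, then reset and unlock on a DC in the
# local AD site. Requires the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # assumed input
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties lockoutTime, badPwdCount, badPasswordTime, LockedOut

# Fine-grained password policies (PSOs) override the domain defaults, so ask
# for the policy that actually applies to this user and fall back to the
# domain policy (what the Domain PW Info button shows) when no PSO applies.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

if (-not $user.LockedOut) {
    "$SamAccountName is not locked out (badPwdCount=$($user.badPwdCount), threshold=$($policy.LockoutThreshold))."
    return
}

# lockoutTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
$lockedAt = [DateTime]::FromFileTimeUtc($user.lockoutTime)
# A lockout duration of zero means the account stays locked until an admin unlocks it.
$unlockAt = if ($policy.LockoutDuration -eq [TimeSpan]::Zero) { 'Never (administrator must unlock)' } else { $lockedAt + $policy.LockoutDuration }

[pscustomobject]@{
    User            = $user.SamAccountName
    LockedAtUtc     = $lockedAt
    AutoUnlockAtUtc = $unlockAt
    BadPwdCount     = $user.badPwdCount
    LastBadPwdUtc   = if ($user.badPasswordTime) { [DateTime]::FromFileTimeUtc($user.badPasswordTime) }
} | Format-List

# Find a writable DC in this computer's AD site and do the reset and unlock
# there, so the user's workstation (which authenticates against a DC in its
# own site) sees the change without waiting for replication.
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$dc   = "$((Get-ADDomainController -Discover -Writable -SiteName $site).HostName)"
"Resetting on $dc in site $site"

$newPassword = Read-Host -AsSecureString -Prompt "New password for $SamAccountName"
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword -Server $dc
Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Server $dc
Unlock-ADAccount -Identity $SamAccountName -Server $dc
```

Every write goes through the same -Server value so the password, the must-change flag and the unlock all land on one DC; if the script is run from a different site than the user's workstation, pass the workstation's site name to -SiteName instead of using GetComputerSite().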
ALockout.dll
This tool creates a log file that can help you diagnose the cause of account lockout problems. Extract the files from ALockout.zip (for Windows 2000) or AlockoutXP.zip (for Windows XP) and copy them to the computer experiencing the lockout problems (usually a user's workstation). Copy ALockout.dll to the System32 directory and double-click on Appinit.reg to register the DLL. Then restart the machine, and when the lockout problem happens again you can view the log file %WinDir%\debug\ALockout.txt to troubleshoot. Note that interpreting this log requires that you understand Netlogon logging, which is discussed in detail in the previously mentioned whitepaper.
AloInfo.exe
This tool displays the password age for user accounts so you can determine which accounts are about to expire and anticipate problems before they occur. To use this tool copy it to a folder in the system path on a domain controller and run it from a command prompt. Here's an example:
C:\>aloinfo /expires /server:test220
Getting Users (This may take a while)...
Retrieved 28 users
Printing Users in descending PW age...
Administrator,28
krbtgt,28
asmith,4
bsmith,4
csmith,3
dsmith,3
esmith,3
...
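The /expires listing only gives you a raw password age per account; to know which of those accounts are about to expire you still have to compare each age with the domain's maximum password age. The function below is an added example, not part of the original post or of ALTools: it parses the "user,age" lines from captured aloinfo output and flags accounts that are expired or within a warning window. The sample output is constructed from the listing above, and the 30-day maximum and 7-day warning window in the call are assumed values (Windows' default maximum password age is 42 days).

```powershell
# Added example (not from the original post or ALTools): turn aloinfo
# /expires output into an expiry report.
function Get-ExpiringFromAloInfo {
    param(
        [Parameter(Mandatory)] [string[]]$AloInfoOutput,  # lines of aloinfo /expires output
        [int]$MaxPasswordAgeDays = 42,                     # assumed; Windows default
        [int]$WarnDays = 7                                 # assumed warning window
    )
    foreach ($line in $AloInfoOutput) {
        # Only "name,days" lines carry data; status lines and "..." are skipped.
        if ($line -match '^(?<user>[^,\s]+),(?<age>\d+)\s*$') {
            $age      = [int]$Matches.age
            $daysLeft = $MaxPasswordAgeDays - $age
            [pscustomobject]@{
                User            = $Matches.user
                PasswordAgeDays = $age
                DaysUntilExpiry = $daysLeft
                Status          = if ($daysLeft -le 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'Expiring' } else { 'OK' }
            }
        }
    }
}

# Constructed sample, copied from the post's own listing.
$sample = @'
Getting Users (This may take a while)...
Retrieved 28 users
Printing Users in descending PW age...
Administrator,28
krbtgt,28
asmith,4
bsmith,4
csmith,3
'@ -split "`r?`n"

Get-ExpiringFromAloInfo -AloInfoOutput $sample -MaxPasswordAgeDays 30 -WarnDays 7 |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

On a live domain, feed the function real output with `aloinfo /expires /server:<dc> | Get-ExpiringFromAloInfo -MaxPasswordAgeDays (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days`. The aloinfo listing does not show the "password never expires" flag, so built-in and service accounts such as krbtgt will appear in the report even though their passwords do not expire; check that flag in ADUC before acting on those entries.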
You can also use this tool to display the credentials for all mapped drives for the currently logged-on user, which can help when troubleshooting account lockout problems caused by cached credentials for persistent connections:
C:\>aloinfo /stored /server:test220
Getting Service Names and the account they start with...
Checking Mapped Drives for usernames...
Drive Y: is mapped to \\test220\docs with username DEFAULT_USERNAME
EnableKerbLog.vbs
Used as a startup script, this enables Kerberos logging on all your clients that run Windows 2000 and later.
EventCombMT.exe
This tool gathers event logs from several machines into one central location. You can create filters for searching specific event IDs across all servers.
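Collecting the same set of event IDs from every domain controller into one place is the part of EventCombMT's job that is easy to script. The script below is an added example, not part of the original post or of ALTools: it pulls matching Security-log events from each DC for a time window, writes them to one CSV and summarises which accounts were locked out from which machines. It defaults to event ID 4740 (account locked out), which is the ID on Windows Server 2008 and later; the Windows 2000/2003 systems the post describes recorded the same condition as event 644. The $OutFile path is assumed, and the DCs must allow remote event log access.

```powershell
# Added example (not from the original post or ALTools): scripted stand-in
# for EventCombMT's "search these event IDs across all servers".
param(
    [string[]]$ComputerName = ((Get-ADDomainController -Filter *).HostName),
    [int[]]$EventId = @(4740),                            # 644 on Windows 2000/2003
    [int]$Hours = 24,
    [string]$OutFile = "$env:TEMP\lockout-events.csv"     # assumed output path
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

$events = foreach ($dc in $ComputerName) {
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $EventId; StartTime = $since
    } | ForEach-Object {
        # Read named EventData fields from the event XML instead of relying on
        # positional Properties[] indexes, which differ between event IDs.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $_.TimeCreated
            EventId          = $_.Id
            TargetUser       = $data['TargetUserName']
            CallerComputer   = $data['TargetDomainName']   # in 4740 this field holds the caller computer name
            Subject          = $data['SubjectUserName']
        }
    }
}

$events | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
"$(@($events).Count) events written to $OutFile"

# Which accounts lock out most often, and from which machines.
$events | Group-Object TargetUser, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Lockouts are processed on the PDC emulator, so that DC is where the lockout event itself is written; querying every DC as EventCombMT does also captures the bad-password events that precede it on the DC the workstation actually talked to. The CallerComputer column is usually the fastest pointer to the machine holding stale credentials, which is where ALockout.dll and aloinfo /stored come in.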
LockoutStatus.exe
This tool displays a range of information about locked-out accounts that can help you troubleshoot the cause of the lockout. Copy the file to a domain controller and double-click on it to run it, then choose File-->Select Target and specify the name of the user whose account lockout status you want to display. Right-click on a displayed entry to unlock the account, reset its password, or perform other actions (Figure 5):
Figure 5: Unlocking an account using LockoutStatus.exe
1 comment:
Hi Guys,
Nice post. Thought I'd let you know that the only problem is that your screenshots seem to be missing. Perhaps you could add them so visitors to your blog could see them?
By the way, I too run a blog on Free Active Directory Reporting Tools and I thought I'd share it with you - feel free to stop by.
I have not covered all the tools you mention yet, but plan on doing so whenever I can get to it.
Thanks anyway, and good luck!
Peace,
Marc