Tuesday, June 15, 2010

How to use Account Lockout and Management Tools


Installing ALTools.exe

After you've downloaded ALTools.exe from the Download Center, double-click on the file to extract the tools to a directory of your choosing. Then install the tools as needed on domain controllers, member servers, or workstations as described under each tool discussed below.

 

AcctInfo.dll

This DLL adds a tab called Additional Account Info to the properties sheet of user accounts in Active Directory Users and Computers (ADUC). Copy the file to the System32 folder of the computer on which you run ADUC (typically an administrator workstation with adminpak.msi installed), then open an administrative command prompt and type regsvr32 acctinfo.dll to register the DLL. Now open ADUC and view the properties of a locked-out user like Bob Smith in Figure 2 below:

http://www.windowsecurity.com/img/upl/image0031093937754294.gif
Figure 2: AcctInfo.dll adds the Additional Account Info tab to the properties sheet for a user account

There's lots of information here, but in particular line four indicates the date and time when Bob's account became locked and when it will automatically unlock. Clicking the Domain PW Info button displays the password policy for the domain:

http://www.windowsecurity.com/img/upl/image0041093937765435.gif
Figure 3: Result of clicking the Domain PW Info button

Clicking the Set PW On Site DC button lets you reset the user's password and unlock the account on a domain controller in the AD site where the user's computer resides (see Figure 4). This matters because a password reset is written to the DC you are connected to and reaches the other DCs only through replication; if the user authenticates against a DC in a different site, replication latency can delay the moment the new password starts working. That makes this a better approach than right-clicking the account and selecting Reset Password, which writes the change to whichever DC the ADUC console happens to be connected to.

http://www.windowsecurity.com/img/upl/image0051093937778575.gif
Figure 4: Resetting a user's password on a DC in a remote site

 

ALockout.dll

This tool creates a log file that can help you diagnose the cause of account lockout problems. Extract the files from ALockout.zip (for Windows 2000) or AlockoutXP.zip (for Windows XP) and copy them to the computer experiencing the lockout problems (usually the user's workstation). Copy ALockout.dll to the System32 directory and double-click Appinit.reg to register the DLL; the .reg file adds it to the AppInit_DLLs registry value, so it is loaded into every process that loads user32.dll and can record which processes present credentials. Restart the machine, and when the lockout happens again, view the log file %WinDir%\debug\ALockout.txt to find the offending process. Interpreting this log requires an understanding of Netlogon logging, which is covered in detail in Microsoft's account lockout troubleshooting whitepaper. Because AppInit_DLLs affects every process on the machine, remove the registry entry and the DLL once troubleshooting is finished.

 

AloInfo.exe

This tool displays the password age for user accounts so you can determine which passwords are about to expire and anticipate lockouts before they occur (an account whose password has just changed is the usual victim of lockouts caused by stored old credentials). To use it, copy it to a folder in the system path on a domain controller and run it from a command prompt. With /expires it lists users in descending order of password age, in days:

C:\>aloinfo /expires /server:test220

Getting Users (This may take a while)...

Retrieved 28 users
Printing Users in descending PW age...

Administrator,28
krbtgt,28
asmith,4
bsmith,4
csmith,3
dsmith,3
esmith,3
...

You can also use the /stored switch to list the services on the local computer together with the accounts they start with, and the user name stored for each mapped drive of the currently logged-on user. Both are classic causes of lockouts: a service or a persistent drive mapping keeps presenting the old password after the user has changed it, and each failed attempt counts against the lockout threshold:

C:\>aloinfo /stored /server:test220

Getting Service Names and the account they start with...

Checking Mapped Drives for usernames...
Drive Y: is mapped to \\test220\docs with username DEFAULT_USERNAME
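
The same two views AloInfo gives (password ages domain-wide, and the stored service and mapped-drive user names on one machine), as an added PowerShell example that is not part of ALTools. It assumes the RSAT ActiveDirectory module is installed, that the domain uses a single default password policy (no fine-grained password policies), and $WarnDays is an illustrative threshold rather than a tool setting:

```powershell
# Added example (not part of ALTools): what AloInfo /expires and /stored report,
# gathered with the ActiveDirectory module and WMI instead.
# Assumptions: RSAT ActiveDirectory module installed, one domain-wide password
# policy (no fine-grained policies), $WarnDays is an illustrative threshold.
Import-Module ActiveDirectory

$WarnDays = 7
$policy   = Get-ADDefaultDomainPasswordPolicy
$maxAge   = $policy.MaxPasswordAge          # TimeSpan; 0 means passwords never expire

# /expires equivalent: enabled users whose password can expire, oldest password first
$ages = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                   -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet } |          # skip "must change at next logon" accounts
    ForEach-Object {
        $age  = (Get-Date) - $_.PasswordLastSet
        $left = if ($maxAge.Ticks -gt 0) { [int]($maxAge - $age).TotalDays } else { $null }
        New-Object psobject -Property @{
            User      = $_.SamAccountName
            PwAgeDays = [int]$age.TotalDays
            DaysLeft  = $left                       # negative = already expired
        }
    } | Sort-Object PwAgeDays -Descending

$ages | Format-Table User, PwAgeDays, DaysLeft -AutoSize

# The accounts AloInfo is meant to help you anticipate: expiring within $WarnDays
$ages | Where-Object { $_.DaysLeft -ne $null -and $_.DaysLeft -le $WarnDays } |
    ForEach-Object { Write-Warning "$($_.User): password expires in $($_.DaysLeft) day(s)" }

# /stored equivalent: places on this computer that keep presenting a stored password
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
'Services running under explicit accounts:'
Get-WmiObject Win32_Service |
    Where-Object { $builtin -notcontains $_.StartName } |
    Format-Table Name, StartName -AutoSize

'Mapped drives and the user name stored for each:'
Get-WmiObject Win32_NetworkConnection |
    Format-Table LocalName, RemoteName, UserName -AutoSize
```

Run the first half on any domain-joined machine with the AD module; run the second half on the workstation of the user who keeps getting locked out, since services and drive mappings are local to that computer.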

 

EnableKerbLog.vbs
Used as a startup script, this enables Kerberos event logging on all your clients that run Windows 2000 and later (it sets the LogLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters to 1), so Kerberos errors behind a lockout show up in the client's System event log. The setting also records many harmless errors, so turn it back off when you have finished troubleshooting.

 

EventCombMT.exe
This tool gathers event logs from several machines into one central location. You can create filters to search for specific event IDs across all servers, and its built-in Account Lockouts search looks for the lockout-related security events (529, 644, 675, 676 and 681 on Windows 2000 and Windows Server 2003 domain controllers) on every DC at once.
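
The core of EventCombMT's Account Lockouts search, as an added PowerShell example that is not part of ALTools: pull the lockout event from every domain controller and show which computer the bad passwords came from. It uses event ID 4740, the Windows Server 2008 and later "A user account was locked out" event (the Windows 2000/2003 equivalent is 644, whose field layout differs); the user name bsmith is a sample value, and the script assumes the RSAT ActiveDirectory module, Event Log Readers rights on each DC and remote event log (RPC) access through the firewall:

```powershell
# Added example (not part of ALTools): gather account lockout events from every DC,
# as EventCombMT's built-in "Account Lockouts" search does.
# Event ID 4740 is the Windows Server 2008+ lockout event; on Windows 2000/2003 DCs
# the Security log event is 644 and the EventData layout is different.
# Assumptions: RSAT ActiveDirectory module, Event Log Readers rights on each DC,
# and RPC access to the remote event logs.
param(
    [string]$User  = 'bsmith',   # sample account name, not from the original page
    [int]   $Hours = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$hits = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        } | ForEach-Object {
            # 4740 EventData: [0] = TargetUserName (the locked account),
            #                 [1] = TargetDomainName, which carries the Caller Computer Name
            New-Object psobject -Property @{
                Time    = $_.TimeCreated
                DC      = $dc
                Account = $_.Properties[0].Value
                Caller  = $_.Properties[1].Value
            }
        }
    } catch {
        # Unreachable DC, access denied, or simply "No events were found"
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$hits | Where-Object { $_.Account -eq $User } |
    Sort-Object Time |
    Format-Table Time, DC, Account, Caller -AutoSize
```

The Caller column is the answer you are usually after: the machine that kept sending the stale password. Once you have it, the ALockout.dll and AloInfo /stored steps above tell you which process or mapping on that machine is responsible.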

 

 

LockoutStatus.exe

This tool queries every domain controller in the domain and displays, per DC, whether the account is locked out, the bad password count, the time of the last bad password, when the password was last set, the lockout time and which DC originated the lock. The per-DC view matters because bad password counts are not replicated, so the DC the user actually authenticates against is the one that shows what happened. Copy the file to a domain controller and double-click it to run it, then choose File-->Select Target and specify the name of the user whose account lockout status you want to display. Right-click a displayed entry to unlock the account, reset its password, or perform other actions (Figure 5):

http://www.windowsecurity.com/img/upl/image0071093937786450.jpg
Figure 5: Unlocking an account using LockoutStatus.exe
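
The per-DC view that LockoutStatus.exe and the Additional Account Info tab provide, including the automatic unlock time, as an added PowerShell example that is not part of ALTools. It assumes the RSAT ActiveDirectory module, rights to read the lockout attributes on every DC and, for -Unlock, rights to unlock the account; the unlock targets (the DC that recorded the most recent bad password, plus the PDC emulator) are this example's choice, following the article's advice to act on the DC in the user's site:

```powershell
# Added example (not part of ALTools): the per-DC picture LockoutStatus.exe and the
# Additional Account Info tab show, queried with the ActiveDirectory module.
# badPwdCount and badPasswordTime are not replicated, so every DC has to be asked,
# which is exactly what LockoutStatus.exe does.
# Assumptions: RSAT ActiveDirectory module, read rights on each DC, and (for -Unlock)
# rights to unlock the account. Unlock targets are this example's choice.
param(
    [Parameter(Mandatory = $true)][string]$User,   # sAMAccountName, e.g. bsmith
    [switch]$Unlock
)
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
$dcs    = Get-ADDomainController -Filter *

function ToDate($fileTime) {
    # AD stores these timestamps as 64-bit FILETIME; 0 means "never"
    if ($fileTime -and $fileTime -gt 0) { [datetime]::FromFileTime($fileTime) } else { $null }
}

$rows = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc.HostName -ErrorAction Stop `
                        -Properties lockoutTime, badPwdCount, badPasswordTime, lastLogon, LockedOut
        $lockedAt = ToDate $u.lockoutTime
        # "Line four" of the Additional Account Info tab: when the lock releases by itself.
        # A lockout duration of 0 means an administrator has to unlock the account.
        $autoUnlock = $null
        if ($lockedAt -and $policy.LockoutDuration.Ticks -gt 0) {
            $autoUnlock = $lockedAt + $policy.LockoutDuration
        }
        New-Object psobject -Property @{
            DC          = $dc.HostName
            Site        = $dc.Site
            LockedOut   = $u.LockedOut
            LockoutTime = $lockedAt
            AutoUnlock  = $autoUnlock
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = ToDate $u.badPasswordTime
            LastLogon   = ToDate $u.lastLogon
        }
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"   # DC unreachable, etc.
    }
}

$rows | Sort-Object LastBadPwd -Descending |
    Format-Table DC, Site, LockedOut, LockoutTime, AutoUnlock, BadPwdCount, LastBadPwd, LastLogon -AutoSize

if ($Unlock) {
    # Unlock on the PDC emulator (where bad password counts are aggregated) and on the DC
    # that saw the most recent bad password, normally the one in the user's own site.
    $targets = @((Get-ADDomain).PDCEmulator)
    $busiest = $rows | Where-Object { $_.LastBadPwd } |
               Sort-Object LastBadPwd -Descending | Select-Object -First 1
    if ($busiest -and $targets -notcontains $busiest.DC) { $targets += $busiest.DC }
    foreach ($t in $targets) {
        Unlock-ADAccount -Identity $User -Server $t
        "Unlocked $User on $t"
    }
}
```

Read the table before unlocking: a DC with a rising BadPwdCount and a fresh LastBadPwd identifies where the bad credentials are arriving, which is the lead to follow with EventCombMT or ALockout.dll. Unlocking without finding that source just buys time until the threshold is hit again.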

1 comment:

MarcJ said...

Hi Guys,

Nice post. Thought I'd let you know that the only problem is that your screenshots seem to be missing. Perhaps you could add them so visitors to your blog could see them?

By the way, I too run a blog on Free Active Directory Reporting Tools and I thought I'd share it with you - feel free to stop by.

I have not covered all the tools you mention yet, but plan on doing so whenever I can get to it.

Thanks anyway, and good luck!

Peace,
Marc
