Wednesday, February 23, 2011

LDAP Query - Account is locked out

See:
HOWTO: Enumerate locked out user accounts using Saved Queries

Follow these step-by-step instructions to list all currently locked out accounts in a Windows Server 2003 domain:

1. Log in to a Domain Controller with administrative privileges in the domain and open Active Directory Users & Computers.
2. Right click Saved Queries and select New > Query.
3. Give the query a name and optionally a description. Click on Define Query.
4. Select Custom Search from the drop-down dialogue box.
5. Click on Advanced and enter this LDAP filter in the query box:

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

6. Click on OK twice and the new query appears under the Saved Queries folder in Active Directory Users & Computers.

Unfortunately, this query selects more than just the accounts whose 'Account is locked out' box is currently checked.
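The filter over-selects because lockoutTime keeps its non-zero value after the lockout duration has expired; it is only reset to 0 by the next successful logon or an administrator unlock. The following added example (not part of the original post) computes a tighter threshold for the same filter from the domain's "Account lockout duration" setting; the 30-minute policy, the timestamp and the account names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# lockoutTime is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILTER = "(&(objectCategory=Person)(objectClass=User)(lockoutTime>={}))"

def to_filetime(dt):
    """Timezone-aware datetime -> FILETIME integer."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def lockout_threshold(now, lockout_minutes):
    """Smallest lockoutTime that still counts as locked out at `now`.

    A duration of 0 means "until an administrator unlocks", so any
    non-zero lockoutTime is a live lockout and the original >=1 is right.
    """
    if lockout_minutes == 0:
        return 1
    return to_filetime(now - timedelta(minutes=lockout_minutes))

def locked_out_filter(now, lockout_minutes):
    """LDAP filter text that can be pasted into the Saved Query dialog."""
    return FILTER.format(lockout_threshold(now, lockout_minutes))

def currently_locked(accounts, now, lockout_minutes):
    """Apply the same test offline to {name: lockoutTime} pairs."""
    t = lockout_threshold(now, lockout_minutes)
    return [name for name, lt in accounts.items() if lt != 0 and lt >= t]

# Constructed sample data (assumptions, not taken from a real domain).
NOW = datetime(2011, 2, 23, 12, 0, tzinfo=timezone.utc)
POLICY_MINUTES = 30
ACCOUNTS = {
    "alice": to_filetime(NOW - timedelta(minutes=5)),  # locked 5 minutes ago
    "bob": to_filetime(NOW - timedelta(hours=3)),      # lockout expired, not reset
    "carol": 0,                                        # reset by a good logon
}

if __name__ == "__main__":
    print("original filter matches:", currently_locked(ACCOUNTS, NOW, 0))
    print("tightened filter matches:", currently_locked(ACCOUNTS, NOW, POLICY_MINUTES))
    print(locked_out_filter(NOW, POLICY_MINUTES))
```

The threshold is fixed at the moment the filter is generated, so a Saved Query built from it goes stale and has to be regenerated before each use.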

See also:
Implementing and Troubleshooting Account Lockout
Account Lockout and Management Tools
