Discussion:
LDAP Query for Locked Out Accounts
Dave Schroeder
2005-10-31 23:40:05 UTC
I have created a query to search for locked out user accounts (in AD 2003)...
the query searches and finds the locked out accounts with no problem...
BUT... it is also listing a few accounts that are not locked out... I have
gone through all of the properties and did not find anything out of the
ordinary for these 'extra' accounts.

this is the string:
(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))
Ulf B. Simon-Weidner [MVP]
2005-11-01 10:28:02 UTC
Post by Dave Schroeder
I have created a query to search for locked out user accounts (in AD 2003)...
the query searches and finds the locked out accounts with no problem...
BUT... it is also listing a few accounts that are not locked out... I have
gone through all of the properties and did not find anything out of the
ordinary for these 'extra' accounts.
(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))
Hello,

look at the following website where I explained how lockoutTime calculates:
http://www.windowsserverfaq.org/faq/ADQueries/lockoutTime.asp

Basically - if you don't have automatic unlocking configured in your policies
you can just query (&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

You were using a bitwise filter with a defined time, which won't provide you
with any reliable results.
--
Gruesse - Sincerely,

Ulf B. Simon-Weidner
Joe Richards [MVP]
2005-11-01 13:28:56 UTC
If you have an automatic unlock time this can be difficult, if you are just
looking for a quick list of accounts that are currently locked, check out

http://www.joeware.net/win/free/tools/unlock.htm

Use the /view switch to see what is currently locked. Otherwise it will unlock
accounts.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Dave Schroeder
2005-11-01 18:51:13 UTC
we have an automatic unlock time set... I was just hoping to create a query
for our help desk so that they can just quickly find users that call in when
they have locked themselves out...
Ulf B. Simon-Weidner [MVP]
2005-11-01 20:23:37 UTC
Post by Dave Schroeder
we have an automatic unlock time set... I was just hoping to create a query
for our help desk so that they can just quickly find users that call in when
they have locked themselves out...
You can't do that with a query if the automatic unlock time is set - you can do
it with a tool like the one Joe mentioned, or you'd have to adjust the query
with the correct time - lockout period time.
--
Gruesse - Sincerely,

Ulf B. Simon-Weidner
Joe Richards [MVP]
2005-11-04 04:38:00 UTC
Yep download unlock and take a peek at it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Chriss3 [MVP]
2005-11-06 18:03:39 UTC
FYI:
(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
Joe Richards [MVP]
2005-11-06 20:45:49 UTC
Why in the world would you do a bitwise OR against lockoutTime? It isn't a
bitflag, it is an absolute value representing the time the account was locked.

Also the filter, FWIW, is more simply expressed

(&(objectcategory=person)(objectclass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))


But again, it doesn't do anything for you.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
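
Added example, not written by any poster in this thread: it builds the time-adjusted filter described above (current time minus the lockout period) and shows why the bitwise-OR rule 1.2.840.113556.1.4.804 with mask 4294967295 also returns accounts whose lockout has already expired. The account names, timestamps and 30-minute lockout duration are constructed, and it assumes lockoutTime keeps its old value after the lockout window passes until a later successful logon resets it to 0.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BIT_OR_MASK = 4294967295  # mask used in the original filter (0xFFFFFFFF)

def to_filetime(dt):
    """Aware datetime -> 100-ns intervals since 1601-01-01 UTC (lockoutTime units)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def locked_filter(now, lockout_duration):
    """LDAP filter for accounts locked within the still-active lockout window."""
    threshold = to_filetime(now - lockout_duration)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lockoutTime>={threshold}))")

def bit_or_matches(lockout_time, mask=BIT_OR_MASK):
    """Rule 1.2.840.113556.1.4.804 matches when ANY bit of the mask is set."""
    return (lockout_time & mask) != 0

def threshold_matches(lockout_time, now, lockout_duration):
    """Same comparison the time-adjusted filter performs on the server."""
    return lockout_time >= to_filetime(now - lockout_duration)

# Constructed sample data: (account, lockoutTime value stored in the directory)
NOW = datetime(2005, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=30)  # assumed lockout duration from the domain policy
ACCOUNTS = {
    "alice": to_filetime(datetime(2005, 11, 1, 11, 50, 1, tzinfo=timezone.utc)),
    "bob": to_filetime(datetime(2005, 10, 20, 8, 15, 1, tzinfo=timezone.utc)),
    "carol": 0,  # never locked, or cleared by a successful logon
}

def compare(accounts=ACCOUNTS, now=NOW, window=WINDOW):
    """Return {account: (bit_or_result, threshold_result)} for each account."""
    return {name: (bit_or_matches(t), threshold_matches(t, now, window))
            for name, t in accounts.items()}

if __name__ == "__main__":
    print(locked_filter(NOW, WINDOW))
    for name, (bit_or, current) in compare().items():
        print(f"{name:6} bit-OR filter: {bit_or!s:5}  time-adjusted filter: {current}")
```

Because the threshold is baked into the filter string, it has to be regenerated each time the help desk runs the search, and the duration must match the domain's actual lockout policy.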