2006/08/24

Account Lockout and Management Tools (Additional Account Info)

This one is quite old and I used to have it already installed on my servers, but now we are moving them to new hardware and I needed to google it to find it again. Account Lockout and Management Tools If you did not know it already, this is a suite of (free) tools, released by Microsoft, that can help you troubleshoot password and account information for your Active Directory users. One of the gems of this suit is AcctInfo.dll that installs an extra tab in Active Directory Users and Computers snap-in. This new tab (called Additional Account Info) shows you:
  • Password last set (date & time)
  • Password expires (date & time)
  • Locked (Yes / No)
  • Last-Logon-Timestamp (date & time)
  • SID
  • GUID
  • Last Logon (date & time)
  • Last Logoff (date & time)
  • Last Bad Logon (date & time)
  • Logon Count (integer)
  • Bad Password Count (integer)
Extracted from Microsoft documentation:
ALTools.exe includes:
  • AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user's password on a domain controller in that user's site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).
  • ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.Caution: Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.
  • ALoInfo.exe. Displays all user account names and the age of their passwords.
  • EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.
  • LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.
  • NLParse.exe. Used to extract and display desired entries from the Netlogon log files.
In order to install 'Additional Account Info':
  • Copy acctinfo.dll to the %systemroot%\system32 folder
  • Register the service and dll running regsvr32 acctinfo.dll
  • Close, then open Active Directory Users and Computers.
NOTE 1: If you are using Windows 2003, you should use acctinfo.dll provided with Windows 2003 Resource Kit Tools instead. NOTE 2: If you are using x64 versions of Windows, please note that Windows 2003 Resource Kit Tools are not supported on 64-bit platforms.

No comments: