Question : correctly identify locked out accounts

I am looking for an LDAP query to run against an MS Active Directory to find the accounts that are actually locked out. I have seen two others that supposedly do it, but they also return accounts that are not locked out but have the "password never expires" box checked, or the "user not allowed to change password" box checked.

I'm looking to find out how to determine if the "account locked" box is actually checked.

These are the two I tried unsuccessfully:

lockoutTime>=1

and

(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))

neither gave me what I was looking for.

Thanks.

Answer : correctly identify locked out accounts

I won't steal Joe Richards' thunder; check out this post by him... and there is no way I could ever steal Joe's thunder anyway (one of my favorite people in the AD world):

http://readlist.com/lists/mail.activedir.org/activedir/2/11901.html

He is using his adfind tool (highly recommended)

http://www.joeware.net/freetools/tools/adfind/index.htm

I tested, and lockouttime>=1 did produce an account that wasn't locked, but when you pipe adfind into findstr and search for "locked" it produces the one account that is actually locked out in my lab.


Thanks

Mike
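The reason lockoutTime>=1 over-matches is that lockoutTime is not reset to 0 when the domain's lockout window expires; it keeps its old value until the next successful logon or an administrative unlock, so a non-zero lockoutTime only means "was locked at some point". The domain controller exposes the real state in the constructed attribute msDS-User-Account-Control-Computed (bit 0x10, UF_LOCKOUT), but constructed attributes cannot be used in a search filter, so you either evaluate that bit client-side or build a server-side filter whose lockoutTime threshold is derived from the domain's lockoutDuration. The following is an added example (my own code, not from the original post or from the adfind tool) that does both; the entries in SAMPLE_ENTRIES are constructed sample data, not output from a real directory, and the clock NOW is fixed so the example runs offline.

```python
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration (on the domain naming context head) is a negative count of
# 100-ns ticks; this special value means "locked until an administrator unlocks".
LOCKOUT_FOREVER = -(1 << 63)
# Bit the DC sets in msDS-User-Account-Control-Computed while the account is locked.
UF_LOCKOUT = 0x10


def datetime_to_filetime(dt):
    """Exact integer conversion (avoids float rounding of total_seconds())."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def is_locked_out(entry, lockout_duration, now):
    """Decide whether one user entry is locked out right now.

    entry: attribute dict as returned by an LDAP search (integers, not strings).
    lockout_duration: the domain's lockoutDuration attribute.
    """
    # Preferred source: the DC computes this bit at read time.
    computed = entry.get("msDS-User-Account-Control-Computed")
    if computed is not None:
        return bool(computed & UF_LOCKOUT)

    # Fallback: reproduce the DC's rule. lockoutTime is NOT cleared when the
    # window expires, so a non-zero value alone is not enough.
    lockout_time = entry.get("lockoutTime", 0)
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_FOREVER:
        return True
    # lockout_duration is negative, so subtracting it adds the window length.
    unlock_at = filetime_to_datetime(lockout_time - lockout_duration)
    return now < unlock_at


def lockout_filter(lockout_duration, now):
    """Server-side LDAP filter that only matches accounts whose lockout window
    has not yet expired. Constructed attributes cannot appear in a filter, so
    the threshold is computed from lockoutDuration instead."""
    if lockout_duration == LOCKOUT_FOREVER:
        threshold = 1
    else:
        threshold = datetime_to_filetime(now) + lockout_duration
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lockoutTime>={threshold}))")


# --- constructed sample data (not taken from a real directory) ---
NOW = datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -18_000_000_000  # 30 minutes in 100-ns ticks


def _minutes_ago(minutes):
    return datetime_to_filetime(NOW - timedelta(minutes=minutes))


SAMPLE_ENTRIES = [
    # Locked 10 minutes ago: still inside the 30-minute window.
    {"sAMAccountName": "alice", "lockoutTime": _minutes_ago(10)},
    # Locked two hours ago: lockoutTime is still non-zero but the window expired.
    # This is exactly the account that "lockoutTime>=1" wrongly reports.
    {"sAMAccountName": "bob", "lockoutTime": _minutes_ago(120)},
    # Never locked.
    {"sAMAccountName": "carol", "lockoutTime": 0},
    # DC-computed flag present and set: trusted over the arithmetic.
    {"sAMAccountName": "dave", "lockoutTime": _minutes_ago(5),
     "msDS-User-Account-Control-Computed": UF_LOCKOUT},
    # DC-computed flag present and clear despite a stale lockoutTime.
    {"sAMAccountName": "eve", "lockoutTime": _minutes_ago(120),
     "msDS-User-Account-Control-Computed": 0},
]


def find_locked(entries=SAMPLE_ENTRIES, lockout_duration=LOCKOUT_DURATION, now=NOW):
    """Return the sAMAccountNames that are currently locked out, sorted."""
    return sorted(e["sAMAccountName"] for e in entries
                  if is_locked_out(e, lockout_duration, now))


if __name__ == "__main__":
    print("Currently locked:", find_locked())
    print("Server-side filter:", lockout_filter(LOCKOUT_DURATION, NOW))
```

Against a live domain you would read lockoutDuration from the domain root object, run the filter from lockout_filter (or the plain lockoutTime>=1 filter) while requesting msDS-User-Account-Control-Computed, and pass each returned entry through is_locked_out; the constructed attribute is the authoritative answer and the threshold filter just keeps the result set small.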
