Question : correctly identify locked out accounts

I am looking for an ldap query to run against an MS active directory to find the accounts that re actually locked out. I have seen two others that supossedly do it, but they also return accounts that are not locked out but have the "password never expires" box checked, or "user not allowed to change password" box checked.

I'm looking to find out how to determine if the "account locked" box is actually checked.

These are the two I tried unsucessfully:

lockoutTime>=1

and

(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))

neither gave me what I was looking for.

Thanks.

Answer : correctly identify locked out accounts

I won't steal Joe Richard's thunder, check out this post by him...and no way I could ever steal Joe's thunder anyway (one of my favorite people in the AD world)
http://readlist.com/lists/mail.activedir.org/activedir/2/11901.html
He is using his adfind tool (highly recommended)
http://www.joeware.net/freetools/tools/adfind/index.htm
I tested and lockouttime>=1 did product an account that wasn't locked but when you pipe adfind into findstr and search for locked it produces the one account that is actually locked out in my lab.

Thanks
Mike

adfind-lockout.jpg (128 KB) (File Type Details)

adfind lockouts

Random Solutions

Problem with Samba and WinNT

source based routing?

Ospf - single area vs multiple area

What happens exactly when you rest a router?

Websphere plugin for Eclipse (linux)

How do I locate my existing SSL certificate/private key from my website?

Using a serial device with terminal services.

DNS problem event ID 4515 the zone (mydomain) was previously loaded..

computer not visable