The userAccountControl attribute is not used for indicating a locked status when using LDAP; this applies both to LDAP and the LDAP ADSI interface. If you want the status of an account using that mechanism, with K3 you can use msDS-User-Account-Control-Computed; however, note the constructed... You cannot query that attribute, only retrieve it as an attribute in another query.

The only way to query, and how unlock does it, is via the lockoutTime attribute. As the others mentioned, you can do lockoutTime that has a value greater than 0; however, it needs to be in the filter as lockoutTime>=1, since lockoutTime>0 is an invalid filter. Note that that will return both accounts that are locked as well as accounts that are already unlocked due to the lockout period expiring but no one has logged into them yet, i.e. if you are looking for accounts locked out right this second, you will get false positives.

The proper way to get currently locked out accounts, the method used by unlock, is to get the domain policy for lockout duration and calculate the proper value for lockoutTime, which will be the current time minus lockout duration; anything locked after that time stamp is currently locked. That is the value you use to query AD for.

If I absolutely had to do it with adfind with a single command line, I would use CSV mode with grep or findstr like so:

    adfind -default -f "(&(samaccounttype=805306368)(lockouttime>=1))" msDS-User-Account-Control-Computed -samdc -csv | grep "LOCKED"

That would be a list of currently locked accounts. It would be relatively efficient unless you have a lot of accounts that have passed the lockout duration but no one ever logged into them afterward.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
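As an added example (not from joe's post or from the AdFind/unlock tools), this is how the threshold calculation described above can be implemented: derive the lockoutTime cut-off from the domain's lockoutDuration, build the LDAP filter, and classify directory entries. The entries and the policy value are constructed; lockoutDuration is read from the domain NC as a negative LargeInteger in 100-ns units, and the most negative 64-bit value is assumed to mean "until an administrator unlocks".

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2 ** 63)  # assumed "forever" sentinel for lockoutDuration

def datetime_to_filetime(dt):
    """Convert an aware datetime to an integer FILETIME (integer math, no float loss)."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def lockout_threshold(now, lockout_duration_raw):
    """Smallest lockoutTime that still counts as locked right now.

    lockoutDuration is stored negative (e.g. 30 minutes == -18_000_000_000).
    A never-expiring policy means any positive lockoutTime is a live lockout,
    which is exactly the lockoutTime>=1 filter from the thread.
    """
    if lockout_duration_raw == NEVER_EXPIRES:
        return 1
    duration = timedelta(microseconds=abs(lockout_duration_raw) // 10)
    return datetime_to_filetime(now - duration)

def locked_accounts_filter(threshold):
    # samAccountType 805306368 restricts the search to user objects.
    return f"(&(samAccountType=805306368)(lockoutTime>={threshold}))"

def currently_locked(entries, now, lockout_duration_raw):
    """Filter client-side what the LDAP filter above would do server-side."""
    threshold = lockout_threshold(now, lockout_duration_raw)
    return [e["sAMAccountName"] for e in entries
            if e.get("lockoutTime", 0) >= threshold]

# Constructed sample data: a 30-minute policy and three user entries.
NOW = datetime(2006, 12, 19, 17, 6, tzinfo=timezone.utc)
POLICY_30_MIN = -18_000_000_000
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_a", "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    {"sAMAccountName": "svc_b", "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
    {"sAMAccountName": "svc_c", "lockoutTime": 0},  # never locked
]

if __name__ == "__main__":
    print(locked_accounts_filter(lockout_threshold(NOW, POLICY_30_MIN)))
    print(currently_locked(SAMPLE_ENTRIES, NOW, POLICY_30_MIN))
```

svc_b still carries a non-zero lockoutTime but its lockout has expired, which is the false positive joe describes for a bare lockoutTime>=1 search.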
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts

I'm using a bitwise filter to search for locked accounts using ADFind. I have one particular account, a service account, that is locked out and also has Password No Expire set. In ADFind it comes up as such:

    C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol

    AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

    Transformed Filter: samaccountname=servaccount
    Using server: dc.appsig.com:389
    Directory: Windows 2000
    Base DN: DC=appsig,DC=com

    dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com
    >userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

Why does the userAccountControl read as 512+65536 only? Shouldn't it be 512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064?

In fact, I cannot even find this account when searching for locked accounts via ADFind. The only reason I realized it was locked out was because I also used Joe's Unlock utility to search for all locked accounts and it returned this account as part of the search:

    C:\tools>unlock . * -view

    Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

    Processed at dc.appsig.com
    Default Naming Context: DC=appsig,DC=com

    1: servaccount 12/15/2006-10:52:45 LOCKED VIEW_ONLY

I'm probably just missing something here, but was hoping for some clarification.

Thanks,
~Ben