I was a programmer 20+ years ago – not anymore. And I don’t understand all this 
fancy C++/C# crap that gets used. But ILSpy comes in really handy when trying 
to figure out what’s really going on in Exchange/PowerShell… (and other stuff, 
but those are my focus)

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Thursday, January 4, 2018 6:45 PM
To: ntsysadm
Subject: Re: [NTSysADM] RE: Question regarding how AD is evaluating account 
lockout status

<mutter> STFW for ilspy <more muttering>
Oh, that's interesting. I don't believe I've heard of that before - looks quite 
useful for real programmers, which unfortunately doesn't include me.
Still, might be worth looking through some powershell cmdlets to see what I can 
see.
Thanks,

Kurt

On Thu, Jan 4, 2018 at 2:26 PM, Michael B. Smith <mich...@smithcons.com> wrote:
I don’t know the answer to your question, but I’ll tell you how I’d figure it 
out.

Two ways:

[1] Use ILSpy and look at the cmdlet code.

[2] Look at both lists of users and figure out the differences by comparing a 
few users and their attributes.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Thursday, January 4, 2018 4:38 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Question regarding how AD is evaluating account lockout 
status

Got an AD question I was hoping someone can shed some light on for me. I 
don’t think anything is wrong, but just wanted to understand this a little 
better. It has to do with how AD is evaluating that an account is “locked 
out”. So for example if I run this PowerShell command:

Search-ADAccount -lockedout

I get 347 results. But if I run this LDAP query:

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

I get 454. So it seems there are 107 accounts that have the “lockoutTime” 
attribute set, but are NOT considered “locked out” by AD. That’s where I’m 
having problems understanding why. Also note our Account Lockout Duration is 
“0” so there should be no gap when an account is automatically enabled and a 
user logs back in for the first time.  All locked out accounts need to be 
unlocked by an Admin in our environment.

Also I’m pretty sure that the LOCKOUT value of the userAccountControl attribute 
(16) is not an accurate way to determine this.

So for these 107 accounts that AD does not consider locked out, but have a 
lockoutTime greater than 0, how is that being evaluated? My understanding was 
that AD evaluates this for an authentication request, and looks at the 
badPwdCount, lockoutTime, and lockout duration policy in AD if applicable. So 
for example if a user has hit 5 bad passwords (and the account lockout 
threshold is 5), AD will then look at the lockoutTime value, and the account 
lockout duration value in Group Policy if applicable, and if the time is past 
the sum of those 2 values, the badPwdCount and lockoutTime values are reset, 
and the account is considered unlocked. Otherwise it evaluates to locked out.

Another factor is that I don’t see any correlation in the badPwdCount value for 
these 2 groups of users. That value seems to be all over the place, including 
null values. Which is another thing I don’t understand. How can an account be 
locked out, and the badPwdCount value be NULL? If an account was locked out, 
that value had to increment, and even if it’s reset, it goes to 0, not back to 
NULL.

Also I’m very familiar with Richard Mueller’s article on this topic:

https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx



Appreciate any input.

Thanks



Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America
www.guardianlife.com
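The following is an added example, not code from the thread or from Microsoft: it applies the evaluation rule the question describes (lockoutTime plus the domain lockout duration, with a duration of 0 meaning no automatic unlock) to constructed account records, and compares the result with what the LDAP filter `(lockoutTime>=1)` matches. `Test-AccountLockedOut` and the sample accounts are hypothetical; the point it makes visible is that, under the described rule, the two counts only diverge when the duration is non-zero.

```powershell
# Added example (hypothetical helper, constructed data). Evaluates "locked out"
# the way the question describes it, offline, so the two counting methods can be compared.

# lockoutTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means not locked / cleared.
function Test-AccountLockedOut {
    param(
        [long]$LockoutTime,
        [timespan]$LockoutDuration,   # domain policy; 0 = stays locked until an admin unlocks it
        [datetime]$Now
    )
    if ($LockoutTime -le 0) { return $false }                   # attribute cleared or never set
    if ($LockoutDuration -eq [timespan]::Zero) { return $true } # no automatic unlock at all
    $lockedAt = [datetime]::FromFileTimeUtc($LockoutTime)
    return ($lockedAt + $LockoutDuration) -gt $Now              # still inside the lockout window
}

# Constructed sample accounts, stamped relative to a fixed "now" so the run is reproducible.
$now = [datetime]::new(2018, 1, 4, 21, 0, 0, [System.DateTimeKind]::Utc)
$accounts = @(
    [pscustomobject]@{ Name = 'alice'; lockoutTime = 0;                                     badPwdCount = 0 }
    [pscustomobject]@{ Name = 'bob';   lockoutTime = $now.AddMinutes(-10).ToFileTimeUtc(); badPwdCount = 5 }
    [pscustomobject]@{ Name = 'carol'; lockoutTime = $now.AddHours(-3).ToFileTimeUtc();    badPwdCount = $null }
    [pscustomobject]@{ Name = 'dave';  lockoutTime = $now.AddDays(-2).ToFileTimeUtc();     badPwdCount = 2 }
)

# What the LDAP filter counts: every account whose lockoutTime was set and never cleared.
$ldapMatches = @($accounts | Where-Object { $_.lockoutTime -ge 1 })

# What the evaluation rule counts, first with duration 0 (admin unlock only), then 30 minutes.
foreach ($duration in @([timespan]::Zero, [timespan]::FromMinutes(30))) {
    $evaluated = @($accounts | Where-Object {
        Test-AccountLockedOut -LockoutTime $_.lockoutTime -LockoutDuration $duration -Now $now
    })
    $names = ($evaluated | ForEach-Object { $_.Name }) -join ','
    'duration={0}  lockoutTime>=1: {1}  evaluated locked: {2}  [{3}]' -f $duration, $ldapMatches.Count, $evaluated.Count, $names
}
```

To run it against live data instead of the constructed records, replace `$accounts` with the `lockoutTime` values from your own LDAP query and `$duration` with the domain's lockout duration; the helper itself does not touch AD.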


