Thank you Joe, I meant no disrespect.  My apologies if it sounded like I was saying something disparaging about your tools.  I have complete trust in them; they have never taken me down a wrong path.  I was more concerned because other indicators seemed contradictory.  My "should I consider certain tools suspect" comment was directed at them.
 
Thank you for the information on lockoutTime.  Is there a better place to look?  My script scans all our user accounts looking for lockouts (currently based on lockoutTime not being 0) and reports them when found.  I use the info as a sort of "early warning" for when one or more accounts are under attack (we are a university and suffer attacks, usually from students, almost weekly, and just before finals we get multiple attacks daily).

David Aragon

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 21, 2005 12:24 PM
To: [email protected]
Subject: RE: [ActiveDir] User Account Settings Producing Conflicting Information

I can guarantee that an account that unlock says is unlocked is definitely unlocked on the DC that unlock queried.
 
ADUC tends to do a so-so job of reporting. I rarely trust it for pretty much anything. :o)
 
I can't speak to the other tool, I have never looked at it.
 
I would look carefully that the same DC is being queried in all cases.
 
The lockoutTime value will only be zero if the lockout has been cleared either because someone logged on successfully after the lockout period expired or an admin cleared the lock. Otherwise, the value will be the time the account was locked out. If you use adfind with the -tdc or -tdcs option, it will decode the value in lockoutTime to the actual time the account locked. You may find different values on different DCs due to replication latency.
 
   joe
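
As an added example (not part of either message and not code from any of the tools named in the thread), this Python decodes lockoutTime the way joe describes and separates a non-zero value whose lockout period has already passed from a lock still in force, while flagging DCs that return different values. The 30-minute lockout duration, the account names and the DC names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetime(value):
    """lockoutTime: 100-ns ticks since 1601-01-01 UTC; 0 means cleared."""
    ticks = int(value)  # LDAP clients usually hand the value back as a string
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def encode_filetime(dt):
    """Inverse of decode_filetime, used here only to build the sample data."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def lock_state(value, now, duration):
    """Classify one DC's lockoutTime. duration=None: locked until an admin unlocks."""
    locked_at = decode_filetime(value)
    if locked_at is None:
        return "clear"
    if duration is None or now < locked_at + duration:
        return "locked"
    return "expired"  # still non-zero, but the lockout period has passed

def survey(per_dc, now, duration):
    """per_dc: {account: {dc: raw lockoutTime}} -> {account: (state, dcs_disagree)}"""
    report = {}
    for account, values in per_dc.items():
        states = {lock_state(v, now, duration) for v in values.values()}
        # Report the most severe state seen on any DC.
        worst = next(s for s in ("locked", "expired", "clear") if s in states)
        disagree = len({int(v) for v in values.values()}) > 1
        report[account] = (worst, disagree)
    return report

# Constructed sample data: account names, DC names and times are made up.
NOW = datetime(2005, 11, 21, 20, 0, tzinfo=timezone.utc)
DURATION = timedelta(minutes=30)  # assumed domain lockout duration
SAMPLE = {
    "student1": {"DC1": encode_filetime(NOW - timedelta(minutes=10)), "DC2": "0"},
    "student2": {"DC1": encode_filetime(NOW - timedelta(hours=3)),
                 "DC2": encode_filetime(NOW - timedelta(hours=3))},
    "student3": {"DC1": "0", "DC2": "0"},
}

if __name__ == "__main__":
    for account, (state, disagree) in survey(SAMPLE, NOW, DURATION).items():
        print(f"{account}: {state}" + (" (DCs disagree)" if disagree else ""))
```

For an early-warning report, only the "locked" rows are current lockouts; "expired" rows are past lockouts that no successful logon or admin reset has cleared yet.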
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Monday, November 21, 2005 2:26 PM
To: [email protected]
Subject: [ActiveDir] User Account Settings Producing Conflicting Information

Several accounts seem to contain conflicting information (though it is just as likely faulty interpretation of the information on my part) with respect to their lockout status.  ADUC reports these accounts as not locked, as does "Unlock" from joeware, but the Account Lockout Status tool from Microsoft reports these accounts as locked and the user object.lockoutTime is not 0 (that is the value I've been monitoring with a VBScript).  On the users' side, sometimes they report they are locked out and sometimes they are not.
 
First, is this normal (the conflict)?  Second, is the "lockoutTime" the setting I need to monitor or is there some other place I need to look?  Third, how do I get the tools to report the same information or should I consider certain tools suspect?

David Aragon
