Try querying where lockoutTime is > 0. Here's an article ... http://support.microsoft.com/kb/250873
:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts

I'm using a bitwise filter to search for locked accounts using ADFind. I have one particular account, a service account, that is locked out and also has Password No Expire set. In ADFind it comes up as such...

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Transformed Filter: samaccountname=servaccount
Using server: dc.appsig.com:389
Directory: Windows 2000
Base DN: DC=appsig,DC=com

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com
>userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

Why does the userAccountControl read as 512+65536 only? Shouldn't it be 512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064? In fact, I cannot even find this account when searching for locked accounts via ADFind. The only reason I realized it was locked out was because I also used Joe's Unlock utility to search for all locked accounts and it returned this account as part of the search.

C:\tools>unlock . * -view

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Processed at dc.appsig.com
Default Naming Context: DC=appsig,DC=com

1: servaccount 12/15/2006-10:52:45 LOCKED VIEW_ONLY

I'm probably just missing something here, but was hoping for some clarification.

Thanks,
~Ben
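
Added example (not part of either message, and not code from ADFind or Unlock): the lockoutTime check suggested in the reply, applied in Python to the attribute values from the question. The lockoutTime value, the function names and the lockout_duration parameter are assumptions made for the example; it also goes one step further than the thread by separating a lockout that is still in force from a stale non-zero lockoutTime.

```python
from datetime import datetime, timedelta, timezone

# Flag values as quoted in the message above.
UAC_FLAGS = {"LOCKOUT": 16, "NORMAL_USER": 512, "NO_EXPIRE": 65536}

# LDAP filters have no strict ">" operator, so "lockoutTime > 0" is written
# ">= 1". Intended for a tool's filter argument, such as adfind -f.
LOCKED_FILTER = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def lockout_state(entry, now, lockout_duration=None):
    """Classify one account from its raw attribute values.

    entry: dict with integer 'userAccountControl' and 'lockoutTime'.
    lockout_duration: timedelta from domain policy, or None when only an
    administrator can unlock (hypothetical parameter of this helper).
    """
    uac = int(entry.get("userAccountControl") or 0)
    ticks = int(entry.get("lockoutTime") or 0)
    result = {
        "flags": [name for name, bit in UAC_FLAGS.items() if uac & bit],
        "locked_at": None,
        "state": "not locked",
    }
    if ticks > 0:
        result["locked_at"] = filetime_to_datetime(ticks)
        # A non-zero lockoutTime remains after the lockout window has passed,
        # until the next successful logon resets it to 0.
        expired = (lockout_duration is not None
                   and now >= result["locked_at"] + lockout_duration)
        result["state"] = "lockout expired" if expired else "locked"
    return result


# Constructed sample: userAccountControl from the message; lockoutTime is an
# invented value that decodes to 2006-12-15 10:52:45 UTC.
SAMPLE = {"userAccountControl": 66048, "lockoutTime": 128106535650000000}

if __name__ == "__main__":
    print(lockout_state(SAMPLE, now=datetime.now(timezone.utc)))
```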