Want to know more about your users? Use AcctInfo to get extra AD information
September 17, 2007 4 Comments
AcctInfo gives you Active Directory properties at a glance.
AcctInfo is a dll file which is part of the free tools for the Windows 2003 resource kit, but can be used on 2003 or 2000 machines. It enables extended properties for the Active Directory Users and Computers (ADUC) MMC snapin.
This is one of those tools which is really useful, if only you knew it was available. Then of course you have to get round to installing it on all the machines where you might need to use it. However, once you have started using it you will be very pleased that you bothered.
The extra AD information simply appears as an additional tab in a user’s properties (see screenshot, click to enlarge it).
- when the password was last changed and when it expires (date and time plus how far away that is to save calculating)
- a button to see the policies in force relating to passwords
- the user account SID and GUID, and a button to see SID history (if the account has been migrated in from another domain)
- when they last logged on and off, or had a failed logon attempt (at the DC you are using to look at the information)
- Their total logon count as well as the current bad password count (relevant only if you have a password lockout policy)
There is also a button which enables you to reset the user’s password on a DC in the site where the user is currently working (more about this later).
Where do I get it? How do I install it?
First download the free tools for the Windows Server 2003 Resource Kit (12Mb exe file) and install them. By installing the resource kit so that other tools are already there when you need them, and you may find something useful which you did not even know existed. Serendipity can often be the best way to find which tools work for you and which are unnecessary.
Now you have downloaded it you need to register the DLL, so you need to know where it is. After installing the Resource Kit tools it will be here by default: C:\Program Files\Windows Resource Kits\Tools\Acctinfo.dll
You can choose to copy the DLL file to somewhere else such as c:\windows\system32 but you don’t need to (you can also copy the single file to a memory stick ready to put onto other machines without the hassle of installing the whole resource kit).
Either way, you need to use regsvr32 to register the dll file using the following as an example:
regsvr32 “C:\Program Files\Windows Resource Kits\Tools\Acctinfo.dll”
You should see something like the screenshot on the right.
Now when you use ADUC and go to a user account properties (right click > properties or however you prefer) you will have the extra tab, labelled “Additional Account Info” (as shown above).
Note that this does not work if you are using Small Business Server’s built-in all-in-one server management tool, but it works just as it should when you run ADUC as a normal MMC snap-in on SBS. It seems really odd that this should be the case, but there it is.
Similarly, it won’t show the extra tab if you get to the user using the “find” function in ADUC and opening the properties from a user listed in the results, because this goes via dsquery.dll. It does show up if you double click a user listed in the “members” of a group, though, which does not. Inconsistent? (Thanks to Windude in this thread at SecurityForums.com for pointing out that it fails from a Find results list.)
What additional account information is now available?
Password expiry and policies
The first cluster of details are about the users’ password – when they last changed it and when it expires, and very helpfully how far into the future this is to save having to calculate – “will my password expire while I am away on holiday for two weeks?”. There is also a button labelled “Domain PW info” which brings up a message box with information about the password policy currently in force on the domain, as shown below.
There are a couple of anomalies to watch for here, highlighted in the image below (click to enlarge).
If you set a password lockout policy and then change your mind later, it still remembers the lockout duration and time to reset the bad password count to zero if not exceeded. They don’t do anything but may confuse you if you don’t spot the “Cannot be locked out”. Incidentally, it handles multiple policies applied at domain level correctly, taking link order into account correctly (as you would hope and expect).
There also seems to be a delay sometimes for password policy changes to show up correctly here (I’m using a domain with a single domain controller for this, so there should be no replication latency). Updating policies on the box you are running ADUC on or against seems to make no difference. This is not a major issue as things are only changed very infrequently, just be aware of it. To check your policies, use GPMC, only rely on this tool to give you a quick way to check if you are fairly sure they will not have been touched for while.
Don’t forget, password policies may be different between domains, so be sure you are connecting to a DC in the right domain of the forest (I have not confirmed what happens if you use the tool on one DC in domain a.z.com to look at a user in domain b.z.com – it ought to check the domain the user object is in, but you need to verify for yourself that is the case or make sure you change the focus of ADUC first (right click the root where it says “Active Directory Users and Computers” and choose connect to domain / domain controller.
The user’s SID and GUID are shown, which may be useful for some troubleshooting tasks, or if you need to use them in a script in preference to an FQDN (perhaps if you are worried the user object may get moved later or their OU renamed).
The SIDHistory attribute will only be populated for accounts which have been brought into the domain as part of a migration using a utility such as the Active Directory Migration Tool (ADMT). This is used to provide access to resources in the source domain, including legacy systems such as Exchange 5.5.
Details about previous logons
The next area gives information about when the user last logged on and off, or had a failed logon attempt. It also shows the current bad logon count so you can see if that means their next attempt would cause a lockout (or already has done), if you are using this as a policy.
Note: these times are no different from what you get any other way in AD (such as DSQuery) – in other words it gives the last logon or logoff which took place using that particular domain controller. It does not aggregate these across the domain, so it may seem that the user has not logged on for some time if they have been successfully authenticating against another DC. Do not rely on this information alone to decide whether an account should be disabled as being out of use.
Set Password on Site DC
Rather than have to change the focus of ADUC (which collapses the tree view of the domain structure), you can use this feature to reset a user’s password directly against a domain controller on the user’s site.
You enter the computer name of the machine they are sat in front of – they can see the computer name in the dropdown box for the domain in the logon box if you don’t have physical labels on machines. Give it a password and confirm a second time, force the user to change after the next logon (if you so choose) and unlock the account at the same time (if it is locked, otherwise this is understandably greyed out).
You can choose to just identify the site and tell you which DC it would use without actually setting the password by using the “Just find site” button. Be careful here – if you click “OK” instead and the password fields are empty, this will immediately reset the password to be blank, if that is allowed by your policy. If the password you give is not compliant with your domain policies it will not be permitted, you get an error and another chance.
What are you waiting for?
It’s simple, it plugs in to your existing MMC tools and adds some very useful features. You won’t use this every day (unless you man a very busy helpdesk) but when you do need to get this information in a hurry or want to unlock a user and reset their password in one go, this just gets the job done.
|Share this post :|