
How to easily query locked account status and specific conditions in AD

2025-01-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

Background

Suppose that, to strengthen account security in the AD domain and prevent password-guessing attacks against accounts, you configure an account lockout policy. Once the policy is in place, many users report that their accounts can no longer be used. On checking, the accounts turn out to be locked and need to be unlocked.

Purpose

After enabling the account lockout policy, it becomes clear how much insecure activity there is on the network. To unlock accounts in bulk conveniently, and to run lockout tests that make it easier to find the cause of a lockout, this article shows how to use the AD management tools and a small utility to query the status of an individual account and to find the accounts locked out after a certain point in time. I hope it will be useful to you.

LockoutStatus: a utility for querying user status

Download address:

http://www.microsoft.com/en-us/download/details.aspx?id=15201

On a domain-joined computer, log in as an administrator and open the LockoutStatus tool.

Click File > Select Target.

In the dialog that opens, enter the account name and the current domain name, and then click OK. The tool automatically queries all DC servers (this is where the tool is convenient: it checks every DC for you).

Querying

From the query results, you can see that the user's User State is Not Locked, meaning the user is not locked out, together with the time the last wrong password was entered. The results also include other information, such as the number of wrong password attempts.

You can also use this tool to unlock the user and reset the password directly, which is very convenient.

Query users who are locked out after a certain point in time

Note: the following example queries users who have been locked out after 4:00 p.m. on March 12, 2014.

Open the ADUC management tool, right-click Saved Queries, and create a new query.

In the New Query window, enter a name for the query, such as "Users locked out after a certain point in time", and define the location to be queried (navigate to an OU or the domain).

Then click Define Query.

In the window that defines the query, select "Custom Search" as the query type.

Then click Advanced.

Enter the following in the Advanced box. This example queries users who have been locked out after 4:00 p.m. on March 12, 2014:

(&(objectclass=user)(lockouttime>=130390848000000000))

The number 130390848000000000 in the filter is a FILETIME value that has to be obtained by converting the date and time.

For the time conversion, the following website converts automatically:

http://www.silisoftware.com/tools/date.php

20140312040000 is the standard time entered on the site, accurate to minutes and seconds. (Note: the standard time is 12 hours behind China time, so 4:00 p.m. on March 12 is entered as 4:00 a.m. on March 12; after the conversion it is 4:00 p.m.) After the conversion succeeds, copy the FILETIME value and substitute it for the value in the filter.

Verify that the converted value is correct:

Open a CMD command line and enter:

w32tm.exe /ntte 130390848000000000

The output shows the time as 4:00 p.m.

Go back to the AD query, confirm the query statement again, and then click OK

Click OK again

Right-click the newly created query, and then click Refresh

You can now see the users locked out after this point in time. There are a total of 32 such accounts.
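
The same query can be scripted instead of built in ADUC. The following PowerShell is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, the machine is domain-joined, and the cutoff is given in the local time of the machine running the script.

```powershell
# Added example (not from the original article).
# Assumes the RSAT ActiveDirectory module and read access to user objects.
Import-Module ActiveDirectory

# Cutoff in this machine's local time (the article's example: 16:00, 12 March 2014).
$cutoff = [datetime]::new(2014, 3, 12, 16, 0, 0, [System.DateTimeKind]::Local)

# lockoutTime is a FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC.
# ToFileTimeUtc() applies the local-to-UTC shift, so no manual offset is needed.
$fileTime = $cutoff.ToFileTimeUtc()

# Same check as "w32tm.exe /ntte <value>": convert back and show both forms.
$roundTrip = [datetime]::FromFileTime($fileTime)
Write-Host "Cutoff $cutoff -> FILETIME $fileTime -> $roundTrip"

# Same LDAP filter as the saved query, with the computed value substituted.
$filter = "(&(objectClass=user)(lockoutTime>=$fileTime))"

# lockoutTime stays set after the lockout duration expires, until the next
# successful logon or an administrator unlock, so LockedOut is included to
# show whether each account is still locked right now.
# badPwdCount is not replicated between DCs; the value shown is the one held
# by the DC that answered this query.
Get-ADUser -LDAPFilter $filter -Properties lockoutTime, LockedOut, badPwdCount |
    Select-Object SamAccountName,
        @{ Name = 'LockoutTimeLocal'
           Expression = { [datetime]::FromFileTime($_.lockoutTime) } },
        LockedOut,
        badPwdCount |
    Sort-Object LockoutTimeLocal |
    Format-Table -AutoSize
```

To limit the search to one OU, as the saved query does when you navigate to an OU, add -SearchBase with that OU's distinguished name to the Get-ADUser call.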
