| Author |
Message |
djpimpdaddy Guest
|
Posted: Thu Jul 26, 2007 3:12 pm Post subject: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
I've been studying for my MCSE now and I am trying to mess around with
some of the command line features more to learn them. I know that you
can quickly get a list of accounts that are disabled via the dsquery
command, but is there any switch or parameter to determine a list of
domain users that have tripped their "retard checkbox", I mean locked
themselves out of the network?
We have a ton of users that seem to think that 6 character passwords
are just too much to remember. I actually suggested to a few of them
to write them down on post it notes. Yes, I know, that was a last
ditch effort for some of these bright bulbs. Company of 80 and about
10+ password resets a day.....help...
I was hoping it would be as simple as:
DSQUERY users -whoops > c:\tards.txt
Joking aside, is there a way to do this? I cannot locate any method in
the book or on Microsoft. |
|
|
|
John R Guest
|
Posted: Thu Jul 26, 2007 3:12 pm Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
"djpimpdaddy" <djpimpdaddy@gmail.com> wrote in message
news:1185454441.904532.261130@z28g2000prd.googlegroups.com...
| Quote: | I've been studying for my MCSE now and I am trying to mess around with
some of the command line features more to learn them. I know that you
can quickly get a list of accounts that are disabled via the dsquery
command, but is there any switch or parameter to determine a list of
domain users that have tripped their "retard checkbox", I mean locked
themselves out of the network?
We have a ton of users that seem to think that 6 character passwords
are just too much to remember. I actually suggested to a few of them
to write them down on post it notes. Yes, I know, that was a last
ditch effort for some of these bright bulbs. Company of 80 and about
10+ password resets a day.....help...
I was hoping it would be as simple as:
DSQUERY users -whoops > c:\tards.txt
Joking aside, is there a way to do this? I cannot locate any method in
the book or on Microsoft.
|
There is no dsquery user switch for what you want. You can find those by
going to help and support, and typing in ...
"directory service" "command-line" dsquery
and then clicking on the link on the left about dsquery : command-line
reference
I've been playing with an LDAP query
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
However, that seems to bring up other stuff that isn't actually locked out.
If I can get it to work, I'll post back, or maybe someone else here has done
this before.
John R |
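
Why the `lockoutTime>=1` filter in the post above also returns accounts that are no longer locked, shown as an added example that is not part of the original thread: Active Directory leaves `lockoutTime` set after the lockout duration has expired and only zeroes it on the next successful logon or an administrator unlock, so the floor has to be "now minus the domain's `lockoutDuration`". The account names, timestamps and the 30-minute duration below are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point

def to_filetime(dt):
    """UTC datetime -> 100-nanosecond ticks since 1601-01-01 (FILETIME)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def duration_from_attr(raw):
    """The domain's lockoutDuration is stored as a negative count of 100-ns ticks."""
    return timedelta(microseconds=abs(raw) // 10)

def lockout_floor(now, duration):
    """Smallest lockoutTime whose lockout is still running at `now`.
    duration=None models a policy where only an administrator can unlock,
    which degenerates to the thread's original lockoutTime>=1 test."""
    return 1 if duration is None else to_filetime(now - duration) + 1

def locked_filter(now, duration):
    """LDAP filter that matches only lockouts that have not yet expired."""
    floor = lockout_floor(now, duration)
    return f"(&(objectCategory=person)(objectClass=user)(lockoutTime>={floor}))"

def currently_locked(entries, now, duration):
    """Apply the same rule client-side to (name, lockoutTime) pairs."""
    floor = lockout_floor(now, duration)
    return [name for name, t in entries if t is not None and t >= floor]

# Constructed sample data (not taken from the thread).
NOW = datetime(2007, 7, 26, 15, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION_RAW = -18_000_000_000          # 30 minutes, as stored on the domain
SAMPLE = [
    ("alice", to_filetime(NOW - timedelta(minutes=5))),  # locked 5 minutes ago
    ("bob",   to_filetime(NOW - timedelta(days=3))),     # stale: expired, never reset
    ("carol", 0),                                        # reset by a successful logon
    ("dave",  None),                                     # attribute never set
]

if __name__ == "__main__":
    duration = duration_from_attr(LOCKOUT_DURATION_RAW)
    print("lockoutTime>=1 matches:", currently_locked(SAMPLE, NOW, None))
    print("actually locked now   :", currently_locked(SAMPLE, NOW, duration))
    print("filter to use         :", locked_filter(NOW, duration))
```

The generated filter has to be rebuilt each time it is run, because the floor moves with the clock.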
|
djpimpdaddy Guest
|
Posted: Thu Jul 26, 2007 3:13 pm Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
On Jul 26, 9:45 am, "John R" <jsr^^^813@zoom^^^internet.net> wrote:
| Quote: | "djpimpdaddy" <djpimpda...@gmail.com> wrote in message
news:1185454441.904532.261130@z28g2000prd.googlegroups.com...
I've been studying for my MCSE now and I am trying to mess around with
some of the command line features more to learn them. I know that you
can quickly get a list of accounts that are disabled via the dsquery
command, but is there any switch or parameter to determine a list of
domain users that have tripped their "retard checkbox", I mean locked
themselves out of the network?
We have a ton of users that seem to think that 6 character passwords
are just too much to remember. I actually suggested to a few of them
to write them down on post it notes. Yes, I know, that was a last
ditch effort for some of these bright bulbs. Company of 80 and about
10+ password resets a day.....help...
I was hoping it would be as simple as:
DSQUERY users -whoops > c:\tards.txt
Joking aside, is there a way to do this? I cannot locate any method in
the book or on Microsoft.
There is no dsquery user switch for what you want. You can find those by
going to help and support, and typing in ...
"directory service" "command-line" dsquery
and then clicking on the link on the left about dsquery : command-line
reference
I've been playing with an LDAP query
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
However, that seems to bring up other stuff that isn't actually locked out.
If I can get it to work, I'll post back, or maybe someone else here has done
this before.
John R
|
I thought that I was on to something by enabling Account Auditing and
searching the security log on the DC for event 644 and "failure" or
something like that, but you have to do it on all of your DC event
logs. I even made a mmc with all the dc event logs on it but it still
seems like there should be an easy or automatic way to do this. |
|
John R Guest
|
Posted: Sat Jul 28, 2007 12:38 am Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
"djpimpdaddy" <djpimpdaddy@gmail.com> wrote in message
news:1185565873.812570.40200@i13g2000prf.googlegroups.com...
| Quote: | I think they are too busy flinging poo at each other on another
thread... lol
How do I try to run that query? Never done LDAP yet, I think..
|
Did you ever wonder what that 'Saved Queries' node is in Active Directory
Users and Computers?
Create a new saved query, I called mine 'Account Lockouts', change the find
drop down to 'Custom Search', go to the advanced tab, and enter the query.
(Note: leave off the outside parenthesis and the first ampersand)
However, when I run it, it tells me "inappropriate matching". Yet, from
everything I've found, the query I have is correct.
If we get it working, it will be just what you want, and you'll be able to
just click on the user objects listed and change the locked out flag.
John R |
|
John R Guest
|
Posted: Sat Jul 28, 2007 12:38 am Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
"John R" <jsr^^^813@zoom^^^internet.net> wrote in message
news:uZty5oI0HHA.3768@TK2MSFTNGP06.phx.gbl...
| Quote: | "djpimpdaddy" <djpimpdaddy@gmail.com> wrote in message
news:1185565873.812570.40200@i13g2000prf.googlegroups.com...
I think they are too busy flinging poo at each other on another
thread... lol
How do I try to run that query? Never done LDAP yet, I think..
Did you ever wonder what that 'Saved Queries' node is in Active Directory
Users and Computers?
Create a new saved query, I called mine 'Account Lockouts', change the
find drop down to 'Custom Search', go to the advanced tab, and enter the
query. (Note: leave off the outside parenthesis and the first ampersand)
However, when I run it, it tells me "inappropriate matching". Yet, from
everything I've found, the query I have is correct.
If we get it working, it will be just what you want, and you'll be able to
just click on the user objects listed and change the locked out flag.
John R
|
You'll probably need to run it on the DC that holds the PDC emulator role.
When I tripped some accounts here, they did not show up immediately on the
local DC but showed up right away on the PDC emulator.
John R |
|
catwalker63 Guest
|
Posted: Sat Jul 28, 2007 12:38 am Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
djpimpdaddy <djpimpdaddy@gmail.com> prattled ceaselessly in
news:1185565873.812570.40200@i13g2000prf.googlegroups.com:
| Quote: | I think they are too busy flinging poo at each other on another
thread... lol
|
I'm so staying out of that. I know nothing, nothing.
--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear." |
|
John R Guest
|
Posted: Sat Jul 28, 2007 12:38 am Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
"catwalker63" <_catwalker63_@hotmamamail.com> wrote in message
news:Xns997A9D6D9D52Ccatwalker63athotmail@216.196.97.136...
| Quote: | djpimpdaddy <djpimpdaddy@gmail.com> prattled ceaselessly in
news:1185565873.812570.40200@i13g2000prf.googlegroups.com:
I'm so staying out of that. I know nothing, nothing.
|
Hoooooooogaaaaaaaaan :)
I think they won't be happy until they've finally beaten that horse into an
undistinguishable pile of fur.
John R |
|
|
|
John R Guest
|
Posted: Sat Jul 28, 2007 12:38 am Post subject: Re: Technical Q: Is there a CMD for DSQuery user -lockedout? |
|
|
"John R" <jsr^^^813@zoom^^^internet.net> wrote in message
news:uhf0plK0HHA.2312@TK2MSFTNGP05.phx.gbl...
| Quote: |
"catwalker63" <_catwalker63_@hotmamamail.com> wrote in message
news:Xns997A9D6D9D52Ccatwalker63athotmail@216.196.97.136...
djpimpdaddy <djpimpdaddy@gmail.com> prattled ceaselessly in
news:1185565873.812570.40200@i13g2000prf.googlegroups.com:
I'm so staying out of that. I know nothing, nothing.
|
Sorry dj and cat, bad editing skills
$1 to cat
John R |
|
|
|