How to retrieve all locked user accounts from ADAM?


Hi,


I am trying to retrieve all locked user accounts from an ADAM partition with
an ldifde command.

I think that the best way is to use one of the constructed attributes
"ms-DS-UserAccountAutoLocked" or "msDS-User-Account-Control-Computed".
Unfortunately, it seems that ADAM does not allow searching with these
attributes:

- The following command:
ldifde -f <outputFile> -s <myServer> -d <myUserDn> -r "(objectClass=*)" -l ms-DS-UserAccountAutoLocked,msDS-User-Account-Control-Computed
retrieves the following output:
dn: <myUserDn>
changetype: add
msDS-User-Account-Control-Computed: 528
ms-DS-UserAccountAutoLocked: TRUE

- The following command:
ldifde -f <outputFile> -s <myServer> -d <myUserDn> -r "(ms-DS-UserAccountAutoLocked=TRUE)" -l ms-DS-UserAccountAutoLocked,msDS-User-Account-Control-Computed
does not retrieve any entry and does not generate an error.

- The following command:
ldifde -f <outputFile> -s <myServer> -d <myUserDn> -r "(msDS-User-Account-Control-Computed:1.2.840.113556.1.4.803:=16)" -l ms-DS-UserAccountAutoLocked,msDS-User-Account-Control-Computed
does not retrieve any entry and does not generate an error.
(Command built from URL [1] and URL [2].)

It seems that it is possible to retrieve these attributes but not use
them for searching in ADAM.

With Active Directory, it is possible to use the "userAccountControl"
attribute.

The only solution to find locked accounts is to use the "lockoutTime"
attribute (cf. URL [3]):
- Retrieve "Lockout Duration" from the security policy
(practically, it is hard-coded)
- Retrieve the current time
- Compute <CurrentTime> - <Lockout-Duration> (not very simple!)
- Use the LDAP filter "(lockoutTime>=<CurrentTime> - <Lockout-Duration>)"

.... just quite complex ...

Is there an easier method?

Thanks in advance,

M. T.


REFERENCES:
[1] http://forums.asp.net/1064491/ShowPost.aspx
[2] http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
[3] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_lockouttime.asp
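The lockoutTime arithmetic from the post, worked through as an added example (this is not part of the original message or of any Microsoft tool). It assumes the threshold is computed client-side in Python and then pasted into the ldifde -r filter, that lockoutTime is a FILETIME (100-ns ticks since 1601-01-01 UTC, with 0 meaning "not locked"), and that a zero lockout duration means "locked until an administrator unlocks the account".

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a FILETIME integer (100-ns ticks since 1601)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def locked_account_filter(now: datetime, lockout_duration: timedelta) -> str:
    """LDAP filter for accounts whose lockout window has not yet elapsed.

    lockoutTime holds the FILETIME at which the account was locked; 0 means
    'not locked'. The account stays locked while lockoutTime + duration > now,
    so the filter keeps entries with lockoutTime >= now - duration.
    A zero duration (assumed here to mean 'locked until an admin unlocks it')
    has no time threshold, so any non-zero lockoutTime counts instead.
    """
    if lockout_duration <= timedelta(0):
        return "(&(lockoutTime=*)(!(lockoutTime=0)))"
    threshold = to_filetime(now - lockout_duration)
    return f"(lockoutTime>={threshold})"

def still_locked(entries, now: datetime, lockout_duration: timedelta):
    """Client-side twin of the filter, for entries already exported with ldifde.

    entries: iterable of (dn, lockoutTime) pairs. Returns the DNs the
    server-side filter would match, so the two can be cross-checked.
    """
    if lockout_duration <= timedelta(0):
        return [dn for dn, lt in entries if lt != 0]
    threshold = to_filetime(now - lockout_duration)
    return [dn for dn, lt in entries if lt >= threshold]

# Constructed sample export (not real data). 'now' and the duration are chosen
# so the threshold lands on the Unix epoch, whose FILETIME is a known constant.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000
SAMPLE_NOW = datetime(1970, 1, 1, 0, 30, tzinfo=timezone.utc)
SAMPLE_DURATION = timedelta(minutes=30)
SAMPLE_ENTRIES = [
    ("CN=alice,OU=users,O=example", UNIX_EPOCH_FILETIME),  # locked exactly 30 min ago
    ("CN=bob,OU=users,O=example", UNIX_EPOCH_FILETIME - 600 * TICKS_PER_SECOND),  # 40 min ago
    ("CN=carol,OU=users,O=example", 0),  # never locked
]

if __name__ == "__main__":
    print(locked_account_filter(SAMPLE_NOW, SAMPLE_DURATION))
    print(still_locked(SAMPLE_ENTRIES, SAMPLE_NOW, SAMPLE_DURATION))
```

The returned filter string is what goes into the ldifde -r argument; the client-side check is useful for confirming the clock on the machine building the filter agrees with the directory server's.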
