Selected Microsoft Windows 2003 Resource Kit Tools Readme

This document contains important information that is not included in Help for the Microsoft® Windows® Resource Kit Tools, including how to install the tools, along with important updates and corrections.


Contents

Individual Tool Release Notes

Acctinfo.dll: Additional Account Information Properties Page

Lockoutstatus.exe: Account Lockout Status


Individual Tool Release Notes

The following section includes information about individual Windows Resource Kit Tools that are not covered in Windows Resource Kit Tools Help (Rktools.chm).


Acctinfo.dll: Additional Account Information Properties Page

Acctinfo.dll is a dynamic link library that, when registered on a computer, adds a new property page (Additional Account Info) to the user object Properties dialog box in Active Directory Users and Computers. This new property page displays information such as the date when a user's password was last set, the date when a user's password will expire, and the dates and times when a user last logged on and logged off. This information is not typically available in Active Directory Users and Computers, for one of two reasons:

Acctinfo.dll is primarily designed to report information about user passwords, account status, and logons. However, it also includes a mechanism for changing user passwords and for unlocking locked user accounts.

Concepts

Acctinfo.dll adds a custom property page to the user account object Properties dialog box in Active Directory Users and Computers. For more information about Active Directory Users and Computers, see Help and Support Center for Windows Server 2003.

System Requirements

The following are the system requirements for this tool:

File Required

AcctInfo.dll

Remarks

Installing Acctinfo.dll

To access the custom property page provided by Acctinfo.dll, you must first install and register the file Acctinfo.dll.

To install and register Acctinfo.dll

  1. Copy the file Acctinfo.dll to the %windir%\system32 folder. In Windows Server 2003, this is typically C:\Windows\System32. In Windows 2000, this is typically C:\Winnt\System32.
  2. Open a command window, and type the following (this example assumes that your %windir%\system32 folder is C:\Windows\System32):
    regsvr32 c:\windows\system32\acctinfo.dll

If the command is successful, a dialog box appears informing you that Acctinfo.dll has been registered.

Note

Acctinfo.dll must be registered on each computer on which Active Directory Users and Computers is used to access user account information. For example, suppose you have two servers (Server A and Server B) commonly used to display user account information. If you register Acctinfo.dll on Server A, the Additional Account Info property page will be available in Active Directory Users and Computers. However, this property page will not be available in Active Directory Users and Computers on Server B. To access this property page on Server B, you must register Acctinfo.dll on Server B.

Removing Acctinfo.dll

You can remove the Additional Account Info property page from Active Directory Users and Computers by uninstalling Acctinfo.dll. To uninstall Acctinfo.dll, open a command window, and type the following (this example assumes that your %windir%\system32 folder is C:\Windows\System32):

regsvr32 /u c:\windows\system32\acctinfo.dll

If the command is successful, the file Acctinfo.dll will be removed, and the Additional Account Info property page will no longer be visible in Active Directory Users and Computers. Note that this removes only the custom property page, and does not affect the data displayed on that page. This information (such as last logon and last logoff) can still be retrieved by other means.

Acctinfo.dll UI

Information retrieved by Acctinfo.dll must be viewed in Active Directory Users and Computers. To view information for a specified account, open Active Directory Users and Computers (either by using the Start menu or by typing dsa.msc in the Run dialog box). Locate and double-click the appropriate user account. In the Properties dialog box, click the Additional Account Info tab.

The Additional Account Info property page displays the following attribute values:

Additional Account Info Property Page

Attribute: Description

Password Last Set: Displays the date and time when the user password was last set.

Domain Password Policies: Displays password policies for the domain, including the maximum password age and the maximum number of bad passwords allowed before an account is locked out. To view this information, click the Domain PW Info button.

Password Expires: Displays the date and time when the password will expire. This value is calculated based on the date when the password was last set and the maximum allowed password age. This means that an expiration date will be shown even for accounts for which the password never expires. To verify that an account password will not expire, click the Decode button. If the flag UF_DONT_EXPIRE_PASSWD appears, the password will not expire, regardless of the date shown on the Additional Account Info property page.

User Account Control: Displays values stored in the userAccountControl attribute in Active Directory; these include data such as whether a user's password expires, whether a user requires a smart card to log on, and whether a user account is trusted for delegation. The displayed value (a number such as 512) represents the sum of all the enabled "flags" in the userAccountControl. To view the individual flags that are enabled for an account, click the Decode button to display the userAccountControl Flags dialog box.

In this dialog box, the ADSI constant for each enabled flag is displayed. For example, if a user's password has expired, the value ADS_UF_PASSWORD_EXPIRED is displayed.

Locked Out: Indicates whether or not a user account is locked out. If an account is locked, you can unlock it by clicking the Set PW On Site DC button.

Last-Logon-Timestamp: Displays the date and time that a user last logged on to this domain controller.

Note. If you are accessing the Additional Account Info property page from a member server, information will be displayed for the domain controller that authenticated the user logged on to the member server.

SID and SID History: Displays the security identifier (SID) for the user account. If the user account was migrated from another domain or forest, the SID History button will be available. Clicking this button will display security identifiers that were migrated along with the user account.

GUID: Displays the globally unique identifier (GUID) for the user account.

Last Logon: Indicates the date and time that the user last logged on (that is, the date and time that the user was last authenticated by this domain controller).

Last Logoff: Indicates the date and time that the user last logged off from this domain controller.

Last Bad Logon Time: Indicates the date and time that the user last failed to log on to this domain controller.

Logon Count: Indicates the number of times that the user has successfully logged on to this domain controller.

Bad Password Count: Indicates the number of times that the user has failed to log on to this domain controller because he or she provided an incorrect password.

User DN, Site, and Domain Controller: Displays the distinguished name for the user account (for example, CN=youngrob,OU=Finance,DC=fabrikam,DC=com), as well as the Active Directory site and the name of the domain controller that last authenticated the user.

To view this information, click the Set PW on Site DC button. To view the site and domain controller information, click the Just Find Site button.

Important. If you click the Set PW On Site DC button, the Change Password on a DC in the Users Site dialog box is displayed. Unless you want to change a user's password, be sure to click Cancel to close this dialog box. Suppose you open this dialog box and then click OK. The user's password will be changed to no password, because the Password and Change Password text boxes are empty. Depending on your domain password policies, this will either result in an error (because blank passwords are not allowed), or will result in the user's password being changed to no password. If you access this dialog box for informational purposes (such as viewing the user's distinguished name), close the dialog box by clicking Cancel.
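
The Password Expires and User Account Control entries above can be checked by hand from the raw attribute values. The following PowerShell is an added example, not part of the Resource Kit or of Acctinfo.dll: it decodes a userAccountControl number into ADSI flag names and shows the calculated expiry date next to the effective one when the don't-expire flag is set. The helper names Get-UacFlagName and Get-PasswordExpiry and the sample values are constructed for illustration, the flag list is a subset of the ADSI ADS_UF_* constants, and it assumes the standard Active Directory encodings of pwdLastSet and maxPwdAge.

```powershell
# Subset of the ADSI ADS_USER_FLAG_ENUM constants (bit values of userAccountControl).
$UacFlags = [ordered]@{
    ADS_UF_ACCOUNTDISABLE         = 0x2
    ADS_UF_LOCKOUT                = 0x10
    ADS_UF_PASSWD_NOTREQD         = 0x20
    ADS_UF_NORMAL_ACCOUNT         = 0x200
    ADS_UF_DONT_EXPIRE_PASSWD     = 0x10000
    ADS_UF_SMARTCARD_REQUIRED     = 0x40000
    ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
    ADS_UF_PASSWORD_EXPIRED       = 0x800000
}

# Hypothetical helper: names of the flags set in a userAccountControl value.
function Get-UacFlagName {
    param([int]$UserAccountControl)
    $UacFlags.GetEnumerator() |
        Where-Object { $UserAccountControl -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: the date a "last set + max age" calculation shows,
# next to the effective expiry once the don't-expire flag is considered.
function Get-PasswordExpiry {
    param(
        [int]$UserAccountControl,
        [long]$PwdLastSet,   # pwdLastSet: 100-ns ticks since 1601-01-01 UTC
        [long]$MaxPwdAge     # domain maxPwdAge: negative 100-ns interval
    )
    $lastSet = [DateTime]::FromFileTimeUtc($PwdLastSet)
    $shown   = $lastSet.AddTicks(-$MaxPwdAge)
    $never   = [bool]($UserAccountControl -band $UacFlags.ADS_UF_DONT_EXPIRE_PASSWD)
    [pscustomobject]@{
        Flags           = (Get-UacFlagName $UserAccountControl) -join ', '
        PasswordLastSet = $lastSet
        DateShown       = $shown
        EffectiveExpiry = if ($never) { 'Never' } else { $shown }
    }
}

# Constructed sample values: password set 2004-01-15 09:00 UTC, 42-day maximum age.
$pwdLastSet = [DateTime]::new(2004, 1, 15, 9, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$maxPwdAge  = -([TimeSpan]::FromDays(42).Ticks)

# 512 = normal account; 66048 = 512 + 65536 (normal account, password never expires).
foreach ($uac in 512, 66048) {
    Get-PasswordExpiry -UserAccountControl $uac -PwdLastSet $pwdLastSet -MaxPwdAge $maxPwdAge
}
```

Both sample accounts produce the same DateShown value; only the decoded flags reveal that the second account's password does not expire, which is the case worth flagging when reviewing accounts.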

Modifying User Account Properties from the Additional Account Info Property Page

Although Acctinfo.dll is primarily designed to display information, it also allows you to perform two commonly required tasks: changing a user's password, and unlocking a locked user account.

Changing a User's Password

  1. On the Additional Account Info property page, click Set PW On Site DC.
  2. In the Change Password on a DC in the Users Site dialog box, type a new password in the Password and Confirm Password text boxes. Optionally, you can also select User Must Change Password At Next Logon. If selected, the user will be able to use their new password to log on to the domain, but will then be prompted to change their password.
  3. Click OK.

You must have the right to reset user passwords for this operation to succeed. If you do not have this right, you will still be able to access the Change Password on a DC in the Users Site dialog box. However, after making the changes and clicking OK, an error message will be displayed, and the password will not be changed.

Unlocking a Locked User Account

  1. On the Additional Account Info property page, click Set PW On Site DC.
  2. In the Change Password on a DC in the Users Site dialog box, type a new password in the Password and Confirm Password text boxes. You cannot unlock a user account in this dialog box without setting a password as well.

    Caution

    You can select the Unlock Account check box by clicking both the Password and Confirm Password text boxes without typing anything. However, this will result in the user no longer having any password (because the two password boxes will be blank).

  3. Select the Unlock Account check box.
  4. Click OK.

Lockoutstatus.exe: Account Lockout Status

Overview

Account Lockout Status (LockoutStatus) is a combination command-line and GUI tool that displays lockout information about a particular user account. LockoutStatus collects information from every contactable domain controller in the target user account's domain.

File Required

LockoutStatus Syntax

lockoutstatus {/u:DomainName\UserName | /u:UserName@DomainName} [/?]

DomainName
Target NetBIOS or DNS domain name
UserName
Target user name

LockoutStatus GUI

File Menu

The File menu allows the target user and domain to be changed. This menu also allows the output of LockoutStatus to be saved in text format.

View Menu

The View menu allows the user to view the status of the target user's password. This menu also allows the user to refresh the main window of LockoutStatus.