Finding Locked Out Users

Tags: active-directory, user-management, windows-server-2003, windows-server-2008

Active Directory up to 2008 network (our servers are a mix of 2008, 2003…)

I'm looking for a quick way to query AD to find out what users are locked out, preferably from a batch or script file, to monitor for possible issues with either user accounts being attacked by an automated attack or just anomalies in the network.

I've Googled and my Google-fu has failed; I found a query off Microsoft's own knowledgebase that cites a string to use on Server 2003 with the management snap-in's saved queries (http://support.microsoft.com/kb/555131) but when I entered it, the query returned 400 users that a spot-check showed did NOT have a checkmark in the "Account is locked out" box under "account." In fact, I don't see anything wrong with their accounts.

Is there a simple utility (wisesoft bulkadusers apparently uses this method behind the scenes, since its results were also wrong) that will give a count of users and possibly their user object names? Script? Something?

Best Answer

You can use PowerShell and Quest tools.

You can just query all the AD user objects like this:

Get-QADUser -SizeLimit 0 | Where {$_.AccountIsLockedOut -eq "true"}

If you go this route, you could create ps1 files that are scheduled to run, and you can export these to a CSV or even to a website by using ConvertTo-Html and then exporting it to an HTML file. For example:

Get-QADUser -SizeLimit 0 | Where {$_.AccountIsLockedOut -eq "true"} | Export-Csv c:\lockedoutusers.csv

or html:

Get-QADUser -SizeLimit 0 | Where {$_.AccountIsLockedOut -eq "true"} | ConvertTo-Html > c:\lockedoutusers.html

Or, if you wanted, you could just throw it up in a grid view for an interactive view:

Get-QADUser -SizeLimit 0 | Where {$_.AccountIsLockedOut -eq "true"} | Out-GridView
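Added example, not part of the question or the answer above: the same report written against Microsoft's own ActiveDirectory PowerShell module instead of the Quest cmdlets, which also shows why the KB 555131 saved query over-reported. That LDAP filter matches lockoutTime>=1, but lockoutTime is only reset to 0 by the account's next successful logon, so accounts whose lockout duration has already expired still match even though "Account is locked out" is no longer ticked. The built-in Search-ADAccount -LockedOut evaluates the effective state; the second half of the script reproduces the raw filter and applies the domain lockout duration to it so the two results can be compared. It assumes the ActiveDirectory module is installed (RSAT on Windows 7 / Server 2008 R2 or later; for a domain whose DCs are all 2003/2008, the Active Directory Management Gateway Service must be running on at least one DC) and that C:\reports exists; the output paths are placeholders.

```powershell
# Added example (not the original answer's Quest-based code).
# Requires the Microsoft ActiveDirectory module; paths below are placeholders.
Import-Module ActiveDirectory

# Lockouts replicate urgently to the PDC emulator, so query it rather than
# whichever DC the client happens to pick; otherwise a fresh lockout may be missed.
$pdc = (Get-ADDomain).PDCEmulator

# Effective state: the cmdlet applies the lockout duration itself.
$locked = @(Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate)

# Reproduce the KB 555131 saved query (lockoutTime>=1) and apply the default
# domain lockout duration by hand to see which matches are already expired.
# Assumption: LockoutDuration of 00:00:00 is treated as "locked until an
# administrator unlocks" (the GPO "Account lockout duration = 0" case).
$duration = (Get-ADDefaultDomainPasswordPolicy -Server $pdc).LockoutDuration
$now      = Get-Date

$rawMatches = @(Get-ADUser -LDAPFilter '(lockoutTime>=1)' -Properties lockoutTime -Server $pdc |
    ForEach-Object {
        # lockoutTime is a Windows FILETIME stored as Int64
        $lockedAt = [DateTime]::FromFileTime($_.lockoutTime)
        $stillLocked = ($duration -eq [TimeSpan]::Zero) -or (($now - $lockedAt) -lt $duration)
        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            LockedAt       = $lockedAt
            StillLocked    = $stillLocked
        }
    })

$expired = @($rawMatches | Where-Object { -not $_.StillLocked })

"Effectively locked out (Search-ADAccount): $($locked.Count)"
"Matched (lockoutTime>=1):                  $($rawMatches.Count)"
"  of which lockout already expired:        $($expired.Count)"

# Scheduled-task friendly outputs, mirroring the answer's CSV / HTML variants.
$locked | Export-Csv -Path 'C:\reports\lockedoutusers.csv' -NoTypeInformation
$locked | ConvertTo-Html -Title 'Locked-out accounts' |
    Out-File -FilePath 'C:\reports\lockedoutusers.html'

# For the "is someone hammering accounts" question, a sudden jump in this count,
# or many accounts locked within the same few minutes, is the signal to alert on.
$rawMatches | Where-Object { $_.StillLocked } |
    Sort-Object LockedAt -Descending | Select-Object -First 20
```

Two caveats a practitioner should keep in mind: if fine-grained password policies (PSOs, Server 2008 domain functional level and above) are in use, the per-user lockout duration can differ from the default domain policy, so the manual comparison is only exact for accounts covered by the default policy, whereas Search-ADAccount already accounts for that; and the count on its own says nothing about who is doing the locking, so the follow-up for a suspicious spike is the 4740 (2008) or 644 (2003) lockout events on the PDC emulator, which name the calling computer.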