Does Microsoft provide or plan to provide special tools to troubleshoot account lockouts in Windows 2000 and later domain environments?
From its early versions, Windows has shipped with a security feature known as account lockout that protects against account spoofing and hijacking. Account lockout assures that user accounts automatically become unavailable when a user fails to log on after entering a set number of bad passwords. The administrator uses a Windows domain's account lockout security policy to define the bad password threshold. In large networking environments with multiple domain controllers (DCs), account lockouts can be incredibly hard to troubleshoot because an account lockout can occur on every DC, and using the native Windows management tools to discover where the account lockout took place is difficult at best.
With the introduction of Windows Server 2003, Microsoft added some interesting new account lockout–related tools to its management-tool portfolio. You can use the tools to address Windows 2003 and Win2K account lockouts. Some of these tools also work with Windows XP. Microsoft provides some of these tools as part of the Microsoft Windows Server 2003 Resource Kit. All the tools are also available in a free downloadable software package at the Microsoft Web site. Table 1 provides an overview of these tools.
The acctinfo.dll file adds a new Additional Account Info tab to an Active Directory (AD) user account’s properties, as Figure 1 shows. The new tab presents different types of account logon–related information. An interesting feature of the tool is its ability to reset a user’s password on a specific DC in the domain. To reset such a password, click Set PW On Site DC at the bottom of the tab. To add the tab to your AD account properties, register acctinfo.dll on every machine from which you’re using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. To register a DLL in Windows, use the regsvr32.exe command-line tool.
The alockout.dll tools help identify the program or service that's causing an account lockout (i.e., the entity that's sending the wrong credentials). With the downloadable altools.exe, the alockout.dll file comes in two versions: one for Windows 2003 and Win2K and another for XP. To install the tool, use the appinit.reg registry file that comes with the tool. When an account lockout occurs after you install the DLL, alockout.dll generates an entry in the alockout.txt file, which is stored in the \%windir%\debug folder. Microsoft doesn't recommend using this tool on servers running important network services or applications (e.g., Microsoft Exchange Server).
Aloinfo.exe is a command-line tool that displays a list of the user accounts stored in AD and the number of days before each user's password expires. To retrieve this information, type the following command at the command line:
Aloinfo /expires /server:servername>
As Figure 2 shows, lockoutstatus.exe lets you query for the account lockout–related information of a particular user account on the different DCs of a domain. The tool displays the following information:
- The status of the Bad Pwd Count attribute on different DCs. The Bad Pwd Count attribute is an AD user object attribute that stores the number of times a user entered a bad or wrong password.
- The date and time a bad password was last entered.
- The date and time the password was last set.
- The date and time the account was locked out.
- The name of the DC that locked the account in the "originating lock" field (this is the DC that wrote to the Lockouttime attribute of the user account).
Under the hood, lockoutstatus.exe uses the nlparse.exe tool to parse the Netlogon logs for specific Netlogon return status codes. You can then save the tool’s output to a comma-separated value (CSV) text file.