I can guarantee that an account that unlock says is unlocked is definitely unlocked on the DC that unlock queried.
 
ADUC tends to do a so-so job of reporting. I rarely trust it for pretty much anything. :o)
 
I can't speak to the other tool, I have never looked at it.
 
I would look carefully that the same DC is being queried in all cases.
 
The lockoutTime value will only be zero if the lockout has been cleared either because someone logged on successfully after the lockout period expired or an admin cleared the lock. Otherwise, the value will be the time the account was locked out. If you use adfind with the -tdc or -tdcs option, it will decode the value in lockoutTime to the actual time the account locked. You may find different values on different DCs due to replication latency.
 
   joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Aragon
Sent: Monday, November 21, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Account Settings Producing Conflicting Information

Several accounts seem to contain conflicting information (though it is just as likely faulty interpretation of the information on my part) with respect to their lockout status.  ADUC reports these accounts as not locked, as does "Unlock" from joeware, but the Account Lockout Status tool from Microsoft reports these accounts as locked and the user object.lockoutTime is not 0 (that is the value I've been monitoring with a VBScript).  On the users' side sometimes they report they are locked out and sometimes they are not.
 
First, is this normal (the conflict)?  Second, is the "lockoutTime" the setting I need to monitor or is there some other place I need to look?  Third, how do I get the tools to report the same information or should I consider certain tools suspect?

David Aragon
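
The reply at the top of this thread says lockoutTime holds the time the account was locked until it is cleared, and that DCs can disagree because of replication latency. The sketch below is an added example, not part of the original messages: it decodes raw lockoutTime values collected separately from each DC and classifies them. The DC names, the values and the 30-minute lockout duration are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# lockoutTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Decode a raw lockoutTime value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def lockout_state(lockout_time, now, duration):
    """Classify one DC's lockoutTime value.

    duration is the domain lockout duration (assumed known to the caller);
    timedelta(0) means the account stays locked until an admin unlocks it.
    """
    if lockout_time == 0:
        return "not locked"
    locked_at = filetime_to_utc(lockout_time)
    if duration == timedelta(0) or now < locked_at + duration:
        return "locked"
    # Non-zero, but the lockout period is over and nothing has cleared it yet.
    return "expired"


def compare_dcs(per_dc, now, duration):
    """Return ({dc: state}, True if every DC holds the same raw value)."""
    states = {dc: lockout_state(v, now, duration) for dc, v in per_dc.items()}
    return states, len(set(per_dc.values())) == 1


# Constructed sample: one account's lockoutTime as read from three DCs.
SAMPLE = {
    "dc1.example.test": 127770768000000000,  # 2005-11-21 20:00:00 UTC
    "dc2.example.test": 0,                   # cleared, or lock not replicated
    "dc3.example.test": 127770696000000000,  # 2005-11-21 18:00:00 UTC
}
NOW = datetime(2005, 11, 21, 20, 10, tzinfo=timezone.utc)
DURATION = timedelta(minutes=30)

if __name__ == "__main__":
    states, same = compare_dcs(SAMPLE, NOW, DURATION)
    for dc, raw in SAMPLE.items():
        when = filetime_to_utc(raw).isoformat() if raw else "-"
        print(f"{dc:18} {states[dc]:10} {when}")
    print("DCs agree" if same else "DCs disagree: check replication")
```

A tool that tests only for a non-zero lockoutTime and one that also applies the lockout duration will give different answers for the "expired" case, so compare tools against the same DC before treating either as wrong.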
