ACCOUNT LOCK OUT

Thread starter: Guest

I need to be able to lock out (not disable) an AD account from the command
line.

I was hoping that I might be able to use dsmod to achieve this but it seems
not.

Any clever soul out there have any suggestions on how I might be able to do this?

Cheers - Chris
 
Hi Chris,

The only way to do this is to actually enter the incorrect password more
times than your configured account lockout threshold. A simple way to do
this via the command line is with something like this run multiple times:

net use * \\server\c$ /user:domain\user badpassword

The account may be automatically unlocked if you have configured that
option in your lockout policy for the domain. The default would be to
automatically unlock the account after 30 minutes.

Hope this helps,

Brian Delaney
Microsoft Canada
 
Brian Delaney said:
Hi Chris,

The only way to do this is to actually enter the incorrect password more
times than your configured account lockout threshold. A simple way to do
this via the command line is with something like this run multiple times:

net use * \\server\c$ /user:domain\user badpassword

The account may be automatically unlocked if you have configured that
option in your lockout policy for the domain. The default would be to
automatically unlock the account after 30 minutes.

Actually I believe the question 'should' have been how to
DISABLE the account. Lockout is an automatic setting but
disabling the account is something the admin does (unless the
admin is testing lockout behavior and then the idea of purposely
using the wrong password makes sense.)

dsmod USER -disabled YES | NO

If one were really testing the lockout of an account, then using
a "for ... in ... do" loop might make sense:

for /l %a in (1,1,5) do net use * \\server\c$ /user:domain\user badpassword

Perhaps putting in a delay to check the time involved (i.e., & sleep 300).

Sleep is in the Reskit tools or the Win32 "unx" tools on the
Internet.
 
Hi

Thanks for your replies. I understand that this might seem like a strange
request.

The reason I want to lockout an account rather than disable an account is
tied up with the associated Exchange mailbox. Sometimes we have a need to
retain an account and mailbox after someone has left or has gone on long term
absence. At the same time we want to make the account inactive in some way so
that it cannot be used.

If we disable the account any future mail produces a Non Delivery Report
and is bounced. My idea of locking out the account would prevent this, and
allow us to configure Exchange to forward any new mail to another mailbox.

Our first idea was just to remove the e-mail address from the old account,
and add it to the account of the person covering the absent post, but we were
advised that this was not recommended as Recipient Update Services (RUS) in
Exchange would complain.
 