How to determine the account lockout status in Active Directory
At first glance you might ask what the big deal is in finding out the account lockout status in Active Directory: just right-click the user object in Active Directory Users and Computers, open the Account tab, and you can see whether the account is locked out. So why bother with anything else? The lockout status you get natively in Active Directory tells you only whether the account is locked or not. The tool described here, LockoutStatus.exe from Microsoft's Account Lockout and Management Tools, gives a lot more information than that.
Have you ever faced a user account that keeps getting locked out even after you have changed the password and are quite sure you are not entering the wrong one? Or had to find out when the password was last changed for a particular user account? Recently my manager asked me whether the 90-day password expiry policy was still in place, as he had not been prompted for a password change for a long time. I knew the policy was still in effect, so I had to find out when he had last changed his password, and I used the Account Lockout Status tool to do it.

Using the tool is simple. It is a stand-alone executable that does not need to be installed: download it, extract it and run it. You need to run it as an account with administrative privileges in the domain where the user resides. A typical results window looks like this:
As you can see, the results window gives a lot more information than just telling you that the account is locked: it queries every domain controller and shows, per DC, the user state, the bad password count, the time of the last bad password, when the password was last set and the lockout time. Querying each DC matters because the bad password count and last bad password time are not replicated between domain controllers, so a single DC may show a clean record while another holds the lockout.
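The following script is an added example, not part of the original post or of Microsoft's tool set: it pulls the same per-DC attributes LockoutStatus.exe displays using the ActiveDirectory PowerShell module. It assumes the RSAT ActiveDirectory module is installed and that the caller can read user attributes on every domain controller; the `Convert-FileTime` helper and the output column names are my own.

```powershell
# Added example (not from the original post): query the per-DC lockout
# attributes that LockoutStatus.exe displays, using the ActiveDirectory module.
# badPwdCount and badPasswordTime are NOT replicated between domain controllers,
# so every DC must be asked individually; a single Get-ADUser call would only
# show the values held by whichever DC happened to answer.
# Assumption: the ActiveDirectory module (RSAT) is installed and the caller can
# read user attributes on every DC in the domain.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Convert an AD large-integer file time to a readable date; 0 means "never".
function Convert-FileTime {
    param([Int64]$Value)
    if (-not $Value) { return 'never' }
    [DateTime]::FromFileTime($Value).ToString('yyyy-MM-dd HH:mm:ss')
}

$attrs = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'pwdLastSet', 'LockedOut'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $attrs -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            LockedOut   = $u.LockedOut
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = Convert-FileTime $u.badPasswordTime
            PwdLastSet  = Convert-FileTime $u.pwdLastSet
            LockoutTime = Convert-FileTime $u.lockoutTime
        }
    } catch {
        # An unreachable DC is worth knowing about: it may be the one holding the lockout.
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            LockedOut   = "error: $($_.Exception.Message)"
            BadPwdCount = $null
            LastBadPwd  = $null
            PwdLastSet  = $null
            LockoutTime = $null
        }
    }
}

# The DC with the most recent bad password is usually the one closest to the source.
$results | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize
```

Run it as `.\Get-LockoutStatus.ps1 -SamAccountName jdoe` (the file name is arbitrary). The DC showing the newest LastBadPwd value is the one that received the bad credentials, which narrows down where the failing client sits.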
The tool set also includes additional tools with very useful functionality, such as finding out which process or application is generating the bad credentials that lock out the account. ALockout.dll, together with the Appinit.reg file in the set, provides this functionality. To use it:
- Copy alockout.dll to the system32 directory on the machine sending the bad credentials.
- Run the appinit.reg script to add the DLL to the AppInit_DLLs registry value.
- Restart the machine.
- Wait for the account to lock out on that machine.
The output is a log file (Alockout.txt) created in the winnt\debug directory (%SystemRoot%\debug), listing the processes and applications that sent the bad credentials. Two caveats: AppInit_DLLs causes ALockout.dll to be loaded into every process on that machine that loads user32.dll, so use it only for the diagnosis and remove the registry entry (and reboot) once you are done; and Microsoft advises against using it on servers that host network services, Exchange in particular, as it can prevent them from starting. On Windows 8 and later with Secure Boot enabled, AppInit_DLLs are not loaded at all, so the technique does not work there.
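Where injecting ALockout.dll is not an option, the domain controllers' own Security logs point at the source. This script is an added example, not part of the original post or of the tool set: on each DC it reads event 4740 (account locked out), whose Caller Computer Name field names the machine the bad credentials came from, then reads that machine's 4625 (logon failure) events, which carry the process name and logon type. It assumes the ActiveDirectory module is available and that the caller can read the Security log on the DCs and on the source machine (for example via the Event Log Readers group); the `Get-EventData` helper and parameter names are my own.

```powershell
# Added example (not from the original post): find the machine and process
# sending bad credentials from the Security logs instead of via ALockout.dll.
# Event 4740 on a DC records the lockout; its TargetDomainName field holds the
# "Caller Computer Name". Event 4625 on that machine records each failed logon
# with the logon type and the process that attempted it.
# Assumption: the ActiveDirectory module is installed and the caller can read
# the Security log on the DCs and on the caller machine.
param(
    [Parameter(Mandatory = $true)] [string]$SamAccountName,
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# Pull the named EventData fields out of an event record as a hashtable.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $data
}

$since = (Get-Date).AddHours(-$Hours)

# Step 1: ask every DC for lockout events (4740) for this account.
$lockouts = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $dc.HostName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                DC             = $dc.HostName
                CallerComputer = $d.TargetDomainName   # Caller Computer Name in 4740
            }
        }
    }
}
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Step 2: on each caller machine, list the failed logons (4625) for the account.
foreach ($caller in ($lockouts.CallerComputer | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $caller `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Caller      = $caller
                LogonType   = $d.LogonType     # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock
                Process     = $d.ProcessName
                Workstation = $d.WorkstationName
            }
        }
    } | Format-Table -AutoSize
}
```

A logon type of 4 or 5 with a non-interactive process usually means a scheduled task or service still holds the old password; type 3 from a workstation that is not the user's own is often a mapped drive or a stale session on another machine. Auditing of logon events must be enabled on the source machine for 4625 to appear.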
You can also get additional information in the Active Directory Users and Computers snap-in (part of the Administration Tools Pack) by adding extra property sheets to the user object properties: AcctInfo.dll from the same tool set adds an Additional Account Info tab showing, among other things, when the password was last set and when it expires. More information can be found on the Microsoft website.
Take a look, here is a link: http://www.netwrix.com/account_lockout_examiner.html