Acctinfo.dll is a dynamic link library that, when registered on a computer, adds a new
property page (Additional Account Info) to the user object Properties
dialog box in Active Directory Users and Computers. This new property page
displays information such as the date when a user's password was last set, the
date when a user's password will expire, and the dates and times when a user
last logged on and logged off. This information is not typically available in
Active Directory Users and Computers, for one of two reasons:
· In some cases, the information is not actually stored in
Active Directory, but instead is calculated only when needed. For example, the date
that a user's password will expire is not stored in Active Directory; instead,
Active Directory stores the date that the password was last set and the maximum
allowed password age (for example, passwords must be set every 60 days). To
determine the actual date that a password expires, you typically have to use
scripts to retrieve this information and calculate the expiration date.
Acctinfo.dll performs these calculations for you.
· In some cases, information is stored locally rather than
in Active Directory. For example, last logon and last logoff times are stored on each
individual domain controller and are not replicated throughout the domain.
Acctinfo.dll enables you to determine the last time a user logged on or logged
off from a specified domain controller. If users are typically authenticated by
the same domain controller, this will tell you when these users last logged on
to or logged off from the domain. If users are authenticated by multiple domain
controllers, you will need to install Acctinfo.dll on each of these servers and
check the account information on each one.
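The per-domain-controller check described above can be scripted. The following added example (not part of the original documentation) merges one user's non-replicated logon attributes as read from several domain controllers. The DC names and attribute values are constructed, and retrieving the values from each DC is assumed to happen elsewhere.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """100 ns ticks since 1601-01-01 UTC to datetime; 0 means 'never'."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None


def merge_dc_views(per_dc):
    """Combine one user's non-replicated logon attributes from several DCs.

    per_dc maps a DC name to its attribute dict, or to None if that DC could
    not be queried (the merged answer is then only a lower bound).
    """
    seen = {dc: attrs for dc, attrs in per_dc.items() if attrs is not None}
    newest = max(seen, key=lambda dc: seen[dc]["lastLogon"], default=None)
    last_logon = seen[newest]["lastLogon"] if newest else 0
    last_bad = max((a["badPasswordTime"] for a in seen.values()), default=0)
    return {
        "last_logon": filetime_to_datetime(last_logon),
        "last_logon_dc": newest if last_logon else None,
        "last_bad_logon": filetime_to_datetime(last_bad),
        "logon_count": sum(a["logonCount"] for a in seen.values()),
        "complete": len(seen) == len(per_dc),  # False if any DC was skipped
    }


# Constructed sample: the same user as seen by three hypothetical DCs.
SAMPLE = {
    "DC1": {"lastLogon": 133485408000000000, "badPasswordTime": 0,
            "logonCount": 12},
    "DC2": {"lastLogon": 133486272000000000,
            "badPasswordTime": 133485444000000000, "logonCount": 3},
    "DC3": None,  # unreachable when queried
}

if __name__ == "__main__":
    for key, value in merge_dc_views(SAMPLE).items():
        print(f"{key}: {value}")
```

When `complete` is False, a later logon may exist on a domain controller that was not queried.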
Acctinfo.dll is primarily designed to report information about user passwords, account
status, and logons. However, it also includes a mechanism for changing user
passwords and for unlocking locked user accounts.
Concepts
Acctinfo.dll adds a custom property page to the user account object Properties dialog
box in Active Directory Users and Computers. For more information about Active
Directory Users and Computers, see Help and
System Requirements
The following are the system requirements for this tool:
· Windows Server 2003 or Windows 2000 Server operating system
· You must be an Administrator to install Acctinfo.dll.
File Required
· Acctinfo.dll
Installing Acctinfo.dll
To access the custom property page provided by Acctinfo.dll, you must first install and
register the file Acctinfo.dll.
To install and register Acctinfo.dll
1. Copy the file Acctinfo.dll to the
2. Open a command window, and type the following (this
example assumes that your
regsvr32 c:\windows\system32\acctinfo.dll
If the command is successful, a dialog box appears informing you that Acctinfo.dll has been
registered.
Note
Acctinfo.dll must be registered on each computer on which Active Directory Users and
Computers is used to access user account information. For example, suppose you
have two servers (Server A and Server B) commonly used to display user account
information. If you register Acctinfo.dll on Server A, the Additional
Account Info property page will be available in Active Directory Users and
Computers. However, this property page will not be available in Active
Directory Users and Computers on Server B. To access this property page on
Server B, you must register Acctinfo.dll on Server B.
Removing Acctinfo.dll
You can remove the Additional Account Info property page from Active Directory Users
and Computers by uninstalling Acctinfo.dll. To uninstall Acctinfo.dll, open a
command window, and type the following (this example assumes that your
regsvr32 /u c:\windows\system32\acctinfo.dll
If the command is successful, the file Acctinfo.dll will be removed, and the Additional
Account Info property page will no longer be visible in Active Directory
Users and Computers. Note that this removes only the custom property page, and
does not affect the data displayed on that page. This information (such as last
logon and last logoff) can still be retrieved by other means.
Information retrieved by Acctinfo.dll must be viewed in Active Directory Users and
Computers. To view information for a specified account, open Active Directory
Users and Computers (either by using the Start menu or by typing dsa.msc in the Run dialog box). Locate and
double-click the appropriate user account. In the Properties dialog box,
click the Additional Account Info tab.
The Additional Account Info property page displays the following attribute values:
Additional Account Info Property Page
Attribute | Description
Password Last Set | Displays the date and time when the user password was last set.
Domain Password Policies | Displays password policies for the domain, including the maximum password age and the maximum number of bad passwords allowed before an account is locked out. To view this information, click the Domain PW Info button.
Password Expires | Displays the date and time when the password will expire. This value is calculated based on the date when the password was last set and the maximum allowed password age. This means that an expiration date will be shown even for accounts for which the password never expires. To verify that an account password will not expire, click the Decode button. If the flag UF_DONT_EXPIRE_PASSWD appears, the password will not expire, regardless of the date shown on the Additional Account Info property page.
User Account Control | Displays values stored in the userAccountControl attribute in Active Directory; these include data such as whether a user's password expires, whether a user requires a smart card to log on, and whether a user account is trusted for delegation. The displayed value (a number such as 512) represents the sum of all the enabled "flags" in the userAccountControl attribute. To view the individual flags that are enabled for an account, click the Decode button to display the userAccountControl Flags dialog box. In this dialog box, the ADSI constant for each enabled flag is displayed. For example, if a user's password has expired, the value ADS_UF_PASSWORD_EXPIRED is displayed.
Locked Out | Indicates whether or not a user account is locked out. If an account is locked, you can unlock it by clicking the Set PW On Site DC button.
Last-Logon-Timestamp | Displays the date and time that a user last logged on to this domain controller. Note. If you are accessing the Additional Account Info property page from a member server, information will be displayed for the domain controller that authenticated the user logged on to the member server.
SID and SID History | Displays the security identifier (SID) for the user account. If the user account was migrated from another domain or forest, the SID History button will be available. Clicking this button will display security identifiers that were migrated along with the user account.
GUID | Displays the globally unique identifier (GUID) for the user account.
Last Logon | Indicates the date and time that the user last logged on (that is, the date and time that the user was last authenticated by this domain controller).
Last Logoff | Indicates the date and time that the user last logged off from this domain controller.
Last Bad Logon Time | Indicates the date and time that the user last failed to log on to this domain controller.
Logon Count | Indicates the number of times that the user has successfully logged on to this domain controller.
Bad Password Count | Indicates the number of times that the user has failed to log on to this domain controller because he or she provided an incorrect password.
User DN, Site, and Domain Controller | Displays the distinguished name for the user account (for example, CN=youngrob,OU=Finance,DC=fabrikam,DC=com), as well as the Active Directory site and the name of the domain controller that last authenticated the user. To view this information, click the Set PW on Site DC button. To view the site and domain controller information, click the Just Find Site button. Important. If you click the Set PW On Site DC button, the Change Password on a DC in the Users Site dialog box is displayed. Unless you want to change a user's password, be sure to click Cancel to close this dialog box. Suppose you open this dialog box and then click OK. The user's password will be changed to no password, because the Password and Change Password text boxes are empty. Depending on your domain password policies, this will either result in an error (because blank passwords are not allowed), or will result in the user's password being changed to no password. If you access this dialog box for informational purposes (such as viewing the user's distinguished name), close the dialog box by clicking Cancel.
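The calculation behind the Password Expires and User Account Control rows, and the expiration-date derivation described near the top of this document, as an added example that is not part of the original documentation. It decodes userAccountControl and computes the expiry from pwdLastSet and maxPwdAge, returning no date when ADS_UF_DONT_EXPIRE_PASSWD is set; the sample values are constructed and the function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (ADSI ADS_USER_FLAG_ENUM), a subset.
UAC_FLAGS = {
    0x0002: "ADS_UF_ACCOUNTDISABLE",
    0x0010: "ADS_UF_LOCKOUT",
    0x0020: "ADS_UF_PASSWD_NOTREQD",
    0x0200: "ADS_UF_NORMAL_ACCOUNT",
    0x10000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x40000: "ADS_UF_SMARTCARD_REQUIRED",
    0x80000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x800000: "ADS_UF_PASSWORD_EXPIRED",
}
DONT_EXPIRE = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not read from a real directory).
SAMPLE_PWD_LAST_SET = 133485408000000000  # 2024-01-01 00:00:00 UTC
SAMPLE_MAX_PWD_AGE = -51840000000000      # 60 days, stored as a negative interval


def filetime_to_datetime(ticks):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return (expiry_datetime_or_None, reason) for one account."""
    if uac & DONT_EXPIRE:
        return None, "password never expires (ADS_UF_DONT_EXPIRE_PASSWD)"
    if pwd_last_set == 0:
        return None, "user must change password at next logon"
    if max_pwd_age in (0, -(2 ** 63)):
        return None, "domain has no maximum password age"
    # maxPwdAge is negative, so subtracting it adds the allowed age.
    return filetime_to_datetime(pwd_last_set - max_pwd_age), "expires"


if __name__ == "__main__":
    for uac in (512, 66048):  # normal account; same plus DONT_EXPIRE_PASSWD
        print(uac, decode_uac(uac),
              password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, uac))
```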
Modifying User Account Properties from the Additional Account Info Property Page
Although Acctinfo.dll is primarily designed to display information, it also allows you
to perform two commonly required tasks: changing a user's password, and
unlocking a locked user account.
Changing a User's Password
1. On the Additional Account Info property page, click Set PW On Site DC.
2. In the Change Password on a DC in the Users Site dialog
box, type a new password in the Password and Confirm Password
text boxes. Optionally, you can also select User Must Change Password At Next Logon. If selected, the user will be able to use
their new password to log on to the domain, but will then be prompted to change
their password.
3. Click OK.
You must have the right to reset user passwords for this operation to succeed. If you do not
have this right, you will still be able to access the Change Password on a
DC in the Users Site dialog box. However, after making the changes and
clicking OK, an error message will be displayed, and the password will
not be changed.
Unlocking a Locked User Account
1. On the Additional Account Info property page, click Set PW On Site DC.
2. In the Change Password on a DC in the Users Site dialog
box, type a new password in the Password and Confirm Password
text boxes. You cannot unlock a user account in this dialog box without setting
a password as well.
Caution
You can select the Unlock Account check box by clicking
both the Password and Confirm Password text boxes without typing
anything. However, this will result in the user no longer having any password
(because the two password boxes will be blank).
3. Select the Unlock Account check box.
4. Click OK.