The Windows 2003 Resource Kit is chock full of cool tools, but acctinfo.dll was one I had never used before today. I happened to find it when I was looking for a way to see the last time passwords were changed.
The Resource Kit’s readme file has a nice synopsis of what this tool does:
Acctinfo.dll is a dynamic link library that, when registered on a computer, adds a new property page (Additional Account Info) to the user object Properties dialog box in Active Directory Users and Computers.
This new property page displays information such as the date when a user’s password was last set, the date when a user’s password will expire, and the dates and times when a user last logged on and logged off. This information is not typically available in Active Directory Users and Computers, for one of two reasons:
In some cases, the information is not actually stored in Active Directory, but instead is calculated only when needed. For example, the date that a user’s password will expire is not stored in Active Directory; instead, Active Directory stores the date that the password was last set and the maximum allowed password age (for example, passwords must be set every 60 days). To determine the actual date that a password expires, you typically have to use scripts to retrieve this information and calculate the expiration date. Acctinfo.dll performs these calculations for you.
In some cases, information is stored locally rather than in Active Directory. For example, last logon and last logoff times are stored on each individual domain controller and are not replicated throughout the domain. Acctinfo.dll enables you to determine the last time a user logged on or logged off from a specified domain controller. If users are typically authenticated by the same domain controller, this will tell you when these users last logged on to or logged off from the domain. If users are authenticated by multiple domain controllers, you will need to install Acctinfo.dll on each of these servers and check the account information on each one.
Acctinfo.dll is primarily designed to report information about user passwords, account status, and logons. However, it also includes a mechanism for changing user passwords and for unlocking locked user accounts.
To install this utility, copy acctinfo.dll to c:\windows\system32 and execute the following from a command prompt:
If you try out Acctinfo, only to find you don’t like it, execute the following from a command prompt:
regsvr32 /u c:\windows\system32\acctinfo.dll
Here’s a list of the contents of the Additional Account Info tab that is added to Active Directory Users and Computers by acctinfo.dll:
Password Last Set – Displays the date and time when the user password was last set.
Domain Password Policies – Displays password policies for the domain, including the maximum password age and the maximum number of bad passwords allowed before an account is locked out. To view this information, click the Domain PW Info button.
Password Expires – Displays the date and time when the password will expire. This value is calculated based on the date when the password was last set and the maximum allowed password age. This means that an expiration date will be shown even for accounts for which the password never expires. To verify that an account password will not expire, clicked the Decode button. If the flag UF_DONT_EXPIRE_PASSWD appears, the password will not expire, regardless of the date shown on the Additional Account Info property page.
User Account Control – Displays values stored in the userAccountControl attribute in Active Directory; these include data such as whether a user’s password expires, whether a user requires a smart card to log on, and whether a user account is trusted for delegation. The displayed value (a number such as 512) represents the sum of all the enabled “flags” in the userAccountControl. To view the individual flags that are enabled for an account, click the Decode button to display the userAccountControl Flags dialog box. In this dialog box, the ADSI constant for each enabled flag is displayed. For example, if a user’s password has expired, the value ADS_UF_PASSWORD_EXPIRED is displayed.
Locked Out – Indicates whether or not a user account is locked out. If an account is locked, you can unlock it by clicking the Set PW On Site DC button.
Last-Logon-Timestamp – Displays the date and time that a user last logged on to this domain controller. Note: If you are accessing the Additional Account Info property page from a member server, information will be displayed for the domain controller that authenticated the user logged on to the member server.
SID and SID History – Displays the security identifier (SID) for the user account. If the user account was migrated from another domain or forest, the SID History button will be available. Clicking this button will display security identifiers that were migrated along with the user account.
GUID – Displays the globally unique identifier (GUID) for the user account.
Last Logon – Indicates the date and time that the user last logged on (that is, the date and time that the user was last authenticated by this domain controller).
Last Logoff – Indicates the date and time that the user last logged off from this domain controller.
Last Bad Logon Time – Indicates the date and time that the user last failed to log on to this domain controller.
Logon Count – Indicates the number of times that the user has successfully logged on to this domain controller.
Bad Password Count – Indicates the number of times that the user has failed to log on to this domain controller because he or she provided an incorrect password.
User DN, Site, and Domain Controller – Displays the distinguished name for the user account (for example, CN=youngrob,OU=Finance,DC=fabrikam,DC=com), as well as the Active Directory site and the name of the domain controller that last authenticated the user.
To view this information, click the Set PW on Site DC button. To view the site and domain controller information, click the button Just Find Site.
Important – If you click the Set PW On Site DC button, the Change Password on a DC in the Users Site dialog box is displayed. Unless you want to change a user’s password, be sure to click Cancel to close this dialog box. Suppose you open this dialog box and then click OK. The user’s password will be changed to no password, because the Password and Change Password text boxes are empty.
Depending on your domain password policies, this will either result in an error (because blank passwords are not allowed), or will result in the user’s password being changed to no password. If you access this dialog box for informational purposes (such as viewing the user’s distinguished name), close the dialog box by clicking Cancel.
Update: I just found out that acctinfo.dll is also a part of the Account Lockout and Management Tools and it also works on Windows 2000 servers. Acctinfo2.dll is supposedly available to Microsoft’s enterprise customers, but I have not been able to get my hands on the file. If someone would email me a link to it, I would be much obliged – thebackroomtech at gmail dot com