Using acctinfo.dll on Windows Servers to see additional Active Directory user account information

The Windows 2003 Resource Kit is chock full of cool tools, but acctinfo.dll was one I had never used before today.  I happened to find it when I was looking for a way to see the last time passwords were changed.

The Resource Kit’s readme file has a nice synopsis of what this tool does:

Acctinfo.dll is a dynamic link library that, when registered on a computer, adds a new property page (Additional Account Info) to the user object Properties dialog box in Active Directory Users and Computers.

This new property page displays information such as the date when a user’s password was last set, the date when a user’s password will expire, and the dates and times when a user last logged on and logged off. This information is not typically available in Active Directory Users and Computers, for one of two reasons:

In some cases, the information is not actually stored in Active Directory, but instead is calculated only when needed. For example, the date that a user’s password will expire is not stored in Active Directory; instead, Active Directory stores the date that the password was last set and the maximum allowed password age (for example, passwords must be set every 60 days). To determine the actual date that a password expires, you typically have to use scripts to retrieve this information and calculate the expiration date. Acctinfo.dll performs these calculations for you.

In some cases, information is stored locally rather than in Active Directory. For example, last logon and last logoff times are stored on each individual domain controller and are not replicated throughout the domain. Acctinfo.dll enables you to determine the last time a user logged on or logged off from a specified domain controller. If users are typically authenticated by the same domain controller, this will tell you when these users last logged on to or logged off from the domain. If users are authenticated by multiple domain controllers, you will need to install Acctinfo.dll on each of these servers and check the account information on each one.

Acctinfo.dll is primarily designed to report information about user passwords, account status, and logons. However, it also includes a mechanism for changing user passwords and for unlocking locked user accounts.

To install this utility, copy acctinfo.dll to c:\windows\system32 and execute the following from a command prompt:

regsvr32 c:\windows\system32\acctinfo.dll

If you try out Acctinfo, only to find you don’t like it, execute the following from a command prompt:

regsvr32 /u c:\windows\system32\acctinfo.dll

Here’s a list of the contents of the Additional Account Info tab that is added to Active Directory Users and Computers by acctinfo.dll:

Password Last Set – Displays the date and time when the user password was last set.

Domain Password Policies – Displays password policies for the domain, including the maximum password age and the maximum number of bad passwords allowed before an account is locked out. To view this information, click the Domain PW Info button.

Password Expires – Displays the date and time when the password will expire. This value is calculated based on the date when the password was last set and the maximum allowed password age. This means that an expiration date will be shown even for accounts for which the password never expires. To verify that an account password will not expire, click the Decode button. If the flag UF_DONT_EXPIRE_PASSWD appears, the password will not expire, regardless of the date shown on the Additional Account Info property page.

User Account Control – Displays values stored in the userAccountControl attribute in Active Directory; these include data such as whether a user’s password expires, whether a user requires a smart card to log on, and whether a user account is trusted for delegation. The displayed value (a number such as 512) represents the sum of all the enabled “flags” in the userAccountControl. To view the individual flags that are enabled for an account, click the Decode button to display the userAccountControl Flags dialog box.  In this dialog box, the ADSI constant for each enabled flag is displayed. For example, if a user’s password has expired, the value ADS_UF_PASSWORD_EXPIRED is displayed.
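As an added example (not part of the post or the Resource Kit readme), the following Python reproduces three of the calculations described above: decoding the userAccountControl bit field into the ADS_UF_* names the Decode button shows, deriving Password Expires from pwdLastSet and the domain's maxPwdAge while honouring UF_DONT_EXPIRE_PASSWD and the "must change at next logon" case, and picking the newest lastLogon across several domain controllers, since that attribute is not replicated. It works on the raw integer values an LDAP query returns; the user, the DC names and the timestamps are constructed sample data, not values from the post.

```python
# Added example; not code from the post or from acctinfo.dll. Assumes raw AD
# attribute values: pwdLastSet/lastLogon are Windows FILETIMEs (100-ns ticks
# since 1601-01-01 UTC), maxPwdAge is the negative interval stored on the
# domain object, userAccountControl is the ADS_USER_FLAG bit field.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge sentinel: passwords never expire
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# Subset of the ADS_USER_FLAG enum (bit value -> constant name).
UAC_FLAGS = {
    0x0002: "ADS_UF_ACCOUNTDISABLE",
    0x0010: "ADS_UF_LOCKOUT",            # not authoritative; AD tracks lockouts in lockoutTime
    0x0020: "ADS_UF_PASSWD_NOTREQD",
    0x0040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x0200: "ADS_UF_NORMAL_ACCOUNT",
    0x10000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x40000: "ADS_UF_SMARTCARD_REQUIRED",
    0x80000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x800000: "ADS_UF_PASSWORD_EXPIRED",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME -> aware UTC datetime. Callers filter 0 and the 'never' sentinel first."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the constructed sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def decode_uac(uac: int) -> list:
    """Expand a userAccountControl value (e.g. 512) into the names of its set bits."""
    names = []
    for i in range(32):
        bit = 1 << i
        if uac & bit:
            names.append(UAC_FLAGS.get(bit, f"UNKNOWN_0x{bit:X}"))
    return names


def compute_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Return (status, expiry datetime or None), the way the tab's Password Expires field should be read."""
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never (UF_DONT_EXPIRE_PASSWD)", None
    if pwd_last_set == 0:
        return "must change at next logon", None
    if max_pwd_age in (0, NEVER_EXPIRES):
        return "never (domain maxPwdAge)", None
    # maxPwdAge is stored negative, so subtracting it adds the allowed age.
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)


def latest_logon_across_dcs(per_dc_last_logon: dict):
    """lastLogon lives on each DC and is not replicated: query every DC and keep the newest."""
    live = {dc: ft for dc, ft in per_dc_last_logon.items() if ft}
    if not live:
        return None, None
    dc, ft = max(live.items(), key=lambda kv: kv[1])
    return dc, filetime_to_datetime(ft)


def summarize_account(user: dict, max_pwd_age: int, per_dc_last_logon: dict) -> dict:
    """Assemble the fields the Additional Account Info tab shows, as strings."""
    status, expiry = compute_expiry(user["pwdLastSet"], max_pwd_age, user["userAccountControl"])
    dc, last_logon = latest_logon_across_dcs(per_dc_last_logon)
    return {
        "password_last_set": filetime_to_datetime(user["pwdLastSet"]).isoformat()
        if user["pwdLastSet"] else "must change at next logon",
        "password_expires": expiry.isoformat() if expiry else status,
        "uac_flags": decode_uac(user["userAccountControl"]),
        "last_logon_dc": dc,
        "last_logon": last_logon.isoformat() if last_logon else None,
    }


# Constructed sample data (hypothetical user and DCs, not from the post).
UTC = timezone.utc
SAMPLE_MAX_PWD_AGE = -60 * 86400 * TICKS_PER_SECOND  # 60-day maximum password age
SAMPLE_USER = {
    "distinguishedName": "CN=sample.user,OU=Finance,DC=example,DC=com",
    "pwdLastSet": datetime_to_filetime(datetime(2007, 1, 1, tzinfo=UTC)),
    "userAccountControl": 0x200,  # ADS_UF_NORMAL_ACCOUNT
}
SAMPLE_LAST_LOGON = {  # per-DC lastLogon as each DC would report it
    "DC1": datetime_to_filetime(datetime(2007, 1, 10, 8, 0, tzinfo=UTC)),
    "DC2": datetime_to_filetime(datetime(2007, 1, 12, 17, 30, tzinfo=UTC)),
    "DC3": 0,  # user never authenticated against this DC
}

if __name__ == "__main__":
    for key, value in summarize_account(SAMPLE_USER, SAMPLE_MAX_PWD_AGE, SAMPLE_LAST_LOGON).items():
        print(f"{key:20} {value}")
```

With the constructed data the expiry comes out as 2 March 2007, and DC2 is reported as the authenticating DC; run against real attribute values, the same functions give the numbers the tab displays, with the flag check preventing a misleading date for accounts whose passwords never expire.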

Locked Out – Indicates whether or not a user account is locked out. If an account is locked, you can unlock it by clicking the Set PW On Site DC button.

Last-Logon-Timestamp – Displays the date and time that a user last logged on to this domain controller.  Note: If you are accessing the Additional Account Info property page from a member server, information will be displayed for the domain controller that authenticated the user logged on to the member server.

SID and SID History – Displays the security identifier (SID) for the user account. If the user account was migrated from another domain or forest, the SID History button will be available. Clicking this button will display security identifiers that were migrated along with the user account.

GUID – Displays the globally unique identifier (GUID) for the user account.

Last Logon – Indicates the date and time that the user last logged on (that is, the date and time that the user was last authenticated by this domain controller).

Last Logoff – Indicates the date and time that the user last logged off from this domain controller.

Last Bad Logon Time – Indicates the date and time that the user last failed to log on to this domain controller.

Logon Count – Indicates the number of times that the user has successfully logged on to this domain controller.

Bad Password Count – Indicates the number of times that the user has failed to log on to this domain controller because he or she provided an incorrect password.

User DN, Site, and Domain Controller – Displays the distinguished name for the user account (for example, CN=youngrob,OU=Finance,DC=fabrikam,DC=com), as well as the Active Directory site and the name of the domain controller that last authenticated the user.

To view the distinguished name, click the Set PW on Site DC button (and then Cancel, as explained below). To view only the site and domain controller information, click the Just Find Site button.

Important – If you click the Set PW On Site DC button, the Change Password on a DC in the Users Site dialog box is displayed. Unless you want to change a user’s password, be sure to click Cancel to close this dialog box. Suppose you open this dialog box and then click OK. The user’s password will be changed to no password, because the Password and Change Password text boxes are empty.

Depending on your domain password policies, this will either result in an error (because blank passwords are not allowed), or will result in the user’s password being changed to no password. If you access this dialog box for informational purposes (such as viewing the user’s distinguished name), close the dialog box by clicking Cancel.

Update:  I just found out that acctinfo.dll is also a part of the Account Lockout and Management Tools and it also works on Windows 2000 servers.  Acctinfo2.dll is supposedly available to Microsoft’s enterprise customers, but I have not been able to get my hands on the file.  If someone would email me a link to it, I would be much obliged –  thebackroomtech at gmail dot com

Comments [3]

  1. Hi Julie, excellent post about acctinfo.dll. I just found out about your blog today from the guys at Casting From the Server Room. I just wanted to add something I’ve found. I’m using acctinfo.dll from the Account Lockout and Mgmt Tools, so the one in the 2003 Reskit my behave differently, but I’ve found that if you pull up a user’s properties from the find dialog the Additional Account Info tab isn’t there. You have to drill down to the user’s container in AD and open their properties from there. It took me a while to figure out why it was sometimes missing. As I said, I think I’m using an older version of the dll, so YMMV. Thanks for a great blog!

  2. Julie, another great tip. This is something that should be registered on all domain controllers.

    We should keep in mind that a lot of the values are only for that domain controller. So if you have a multisite environment that information may not be accurate, especially if you move between the sites. The same is true if you have multiple DC’s on the same site. The reason is those properties are not stored in the Global Catalog therefore are not replicated.

    Great post, keep em coming…

  3. Hello there,
    I have also been chasing the v2 of this dll.
    Have you managed to get hold of a copy yet?
    I have asked our MS account Manager twice now for this, and he says he can’t find it, which seems ridiculous.
    I’m beginning to think it’s some kind of Urban Legend (together with a photoshopped dialog box screen)…..
    Thanks,
    Chris

    @Doug: Yes, supposedly v2 fixes the “find” limitation.
