<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Getting IT Right &#187; Active Directory</title>
	<atom:link href="http://blog.meteorit.co.uk/tag/active-directory/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.meteorit.co.uk</link>
	<description>the unofficial voice of Meteor IT</description>
	<lastBuildDate>Sun, 12 Feb 2012 23:21:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.meteorit.co.uk' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/f20aaf2e5a61cd42fe07e67a0f2a1c3f?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Getting IT Right &#187; Active Directory</title>
		<link>http://blog.meteorit.co.uk</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.meteorit.co.uk/osd.xml" title="Getting IT Right" />
	<atom:link rel='hub' href='http://blog.meteorit.co.uk/?pushpress=hub'/>
		<item>
		<title>Want to know more about your users? Use AcctInfo to get extra AD information</title>
		<link>http://blog.meteorit.co.uk/2007/09/17/want-to-know-more-about-your-users-use-acctinfo-to-get-extra-ad-information/</link>
		<comments>http://blog.meteorit.co.uk/2007/09/17/want-to-know-more-about-your-users-use-acctinfo-to-get-extra-ad-information/#comments</comments>
		<pubDate>Mon, 17 Sep 2007 19:49:46 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Utilities + Tools]]></category>
		<category><![CDATA[acctinfo]]></category>
		<category><![CDATA[ADUC]]></category>
		<category><![CDATA[password expiry]]></category>
		<category><![CDATA[reset password]]></category>
		<category><![CDATA[user account]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2007/09/17/want-to-know-more-about-your-users-use-acctinfo-to-get-extra-ad-information/</guid>
		<description><![CDATA[AcctInfo gives you Active Directory properties at a glance. AcctInfo is a dll file which is part of the free tools for the Windows 2003 resource kit, but can be used on 2003 or 2000 machines. It enables extended properties for the Active Directory Users and Computers (ADUC) MMC snapin. This is one of those [...]]]></description>
			<content:encoded><![CDATA[<h2>AcctInfo gives you Active Directory properties at a glance.</h2>
<p>AcctInfo is a DLL which ships with the free Windows Server 2003 Resource Kit Tools, but can be used on Windows Server 2003 or Windows 2000 machines. It adds an extended properties tab to the Active Directory Users and Computers (ADUC) MMC snap-in.</p>
<p>This is one of those tools which is really useful, if only you knew it was available. Then of course you have to get round to installing it on all the machines where you might need to use it. However, once you have started using it you will be very pleased that you bothered.</p>
<p><span id="more-110"></span><br />
The extra AD information simply appears as an additional tab in a user&#8217;s properties (see screenshot, click to enlarge it).</p>
<p><a href="http://veroblog.files.wordpress.com/2007/09/acctinfo-properties.png"><img src="http://veroblog.files.wordpress.com/2007/09/acctinfo-properties-thumb.png?w=211&#038;h=274" style="border-width:0;margin:0 5px 0 20px;" alt="AcctInfo_Properties_Tab" align="right" border="0" height="274" width="211" /></a>These properties include information such as:</p>
<ul>
<li>when the password was last changed and when it expires (date and time plus how far away that is to save calculating)</li>
<li>a button to see the policies in force relating to passwords</li>
<li>the user account SID and GUID, and a button to see SID history (if the account has been migrated in from another domain)</li>
<li>when they last logged on and off, or had a failed logon attempt (at the DC you are using to look at the information)</li>
<li>their total logon count, as well as the current bad password count (relevant only if you have a lockout policy)</li>
</ul>
<p>There is also a button which enables you to reset the user&#8217;s password on a DC in the site where the user is currently working (more about this later).</p>
<h2>Where do I get it? How do I install it?</h2>
<p>First <a href="http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe" title="Download Windows 2003 resource Kit tools (exe file link)" target="_blank">download the free tools for the Windows Server 2003 Resource Kit</a> (12 MB exe file) and install them. Install the whole resource kit rather than just this one file, so that the other tools are already there when you need them; you may also find something useful which you did not even know existed. Serendipity can often be the best way to find which tools work for you and which are unnecessary.</p>
<p>Now you have downloaded it you need to register the DLL, so you need to know where it is. After installing the Resource Kit tools it will be here by default: C:\Program Files\Windows Resource Kits\Tools\Acctinfo.dll</p>
<p>You can choose to copy the DLL file to somewhere else such as c:\windows\system32 but you don&#8217;t need to (you can also copy the single file to a memory stick ready to put onto other machines without the hassle of installing the whole resource kit).</p>
<p>Either way, you need to use regsvr32 to register the DLL. Registration runs the DLL&#8217;s own DllRegisterServer code with your privileges and writes to HKEY_CLASSES_ROOT, so it needs local administrator rights, and you should only register a copy that came from the Microsoft download, not a file of unknown origin. Use the following as an example:</p>
<p><em>regsvr32 &#8220;C:\Program Files\Windows Resource Kits\Tools\Acctinfo.dll&#8221;</em></p>
<p><em><a href="http://veroblog.files.wordpress.com/2007/09/acctinfo-dll-registration.png"><img src="http://veroblog.files.wordpress.com/2007/09/acctinfo-dll-registration-thumb.png?w=338&#038;h=84" style="border-width:0;margin:0 5px 0 15px;" alt="AcctInfo DLL registration success" align="right" border="0" height="84" width="338" /></a></em>The quotes deal with the spaces in the path. To unregister it you would use <em>regsvr32 /u acctinfo.dll</em>; the full path is not needed provided the DLL is in the current directory or somewhere on the PATH.</p>
<p>You should see something like the screenshot on the right.</p>
<p>Now when you use ADUC and go to a user account properties (right click &gt; properties or however you prefer) you will have the extra tab, labelled &#8220;Additional Account Info&#8221; (as shown above).</p>
<blockquote><p>Note that this does <em>not </em>work if you are using Small Business Server&#8217;s built-in all-in-one server management tool, but it works just as it should when you run ADUC as a normal MMC snap-in on SBS. It seems really odd that this should be the case, but there it is.</p>
<p>Similarly, it won&#8217;t show the extra tab if you reach the user through the &#8220;Find&#8221; function in ADUC and open the properties of a user listed in the results, because that path goes via dsquery.dll. It does show up if you double-click a user listed on the &#8220;Members&#8221; tab of a group, which does not go via dsquery.dll. Inconsistent? (Thanks to <a href="http://www.security-forums.com/viewtopic.php?t=49707" title="SecurityForums thread about AcctInfo.dll" target="_blank">Windude in this thread at SecurityForums.com</a> for pointing out that it fails from a Find results list.)</p></blockquote>
<h2>What additional account information is now available?</h2>
<h3>Password expiry and policies</h3>
<p>The first cluster of details is about the user&#8217;s password: when they last changed it and when it expires, and, very helpfully, how far into the future that is, to save having to calculate it (&#8220;will my password expire while I am away on holiday for two weeks?&#8221;). There is also a button labelled &#8220;Domain PW info&#8221; which brings up a message box with information about the password policy currently in force on the domain, as shown below.</p>
<p>There are a couple of anomalies to watch for here, highlighted in the image below (click to enlarge).</p>
<p><a href="http://veroblog.files.wordpress.com/2007/09/acctinfo-domainpasswordpolicy.png"><img src="http://veroblog.files.wordpress.com/2007/09/acctinfo-domainpasswordpolicy-thumb.png?w=288&#038;h=108" style="border-width:0;margin:5px 5px 0 15px;" alt="AcctInfo_DomainPasswordPolicy" align="right" border="0" height="108" width="288" /></a>If you set a lockout policy and later turn it off, the dialog still shows the old lockout duration and the interval after which the bad password count is reset to zero. Those values no longer do anything, but they may confuse you if you don&#8217;t spot the &#8220;Cannot be locked out&#8221; line. Incidentally, it handles multiple policies applied at domain level correctly, taking link order into account (as you would hope and expect).</p>
<p>There also seems to be a delay sometimes before password policy changes show up correctly here (I&#8217;m using a domain with a single domain controller for this, so there should be no replication latency). Forcing a policy refresh on the box you are running ADUC on, or on the DC it is connected to, seems to make no difference. This is not a major issue, as these settings are changed very infrequently; just be aware of it. To check your policies, use GPMC, and only rely on this tool as a quick check when you are fairly sure they have not been touched for a while.</p>
<p>Don&#8217;t forget, password policies may be different between domains, so be sure you are connecting to a DC in the right domain of the forest. I have not confirmed what happens if you use the tool on a DC in domain a.z.com to look at a user in domain b.z.com; it ought to check the domain the user object is in, but verify that for yourself, or make sure you change the focus of ADUC first (right-click the root where it says &#8220;Active Directory Users and Computers&#8221; and choose Connect to Domain / Connect to Domain Controller).</p>
<h3>SID information</h3>
<p>The user&#8217;s SID and GUID are shown, which may be useful for some troubleshooting tasks, or if you need to refer to the account from a script: unlike the distinguished name, they do not change if the user object is moved later or its OU is renamed.</p>
<p>The SIDHistory attribute will only be populated for accounts which have been brought into the domain as part of a migration using a utility such as the <a href="http://technet2.microsoft.com/windowsserver/en/library/e70c3799-22e0-4385-8b36-f6f00b9c2f9b1033.mspx?mfr=true" title="ADMT Technet article" target="_blank">Active Directory Migration Tool (ADMT)</a>. It is used to keep access to resources in the source domain, including legacy systems such as Exchange 5.5. Once the migration is finished and the old resource permissions have been re-applied to the new accounts, clear SIDHistory: every SID it carries is still placed in the user&#8217;s access token, so it keeps granting access to the old resources long after anyone remembers why.</p>
<h3>Details about previous logons</h3>
<p>The next area gives information about when the user last logged on and off, or had a failed logon attempt. It also shows the current bad logon count, so you can see whether their next failed attempt would cause a lockout (or whether it already has), if you are using a lockout policy.</p>
<p><strong>Note: </strong>these times are no different from what you get any other way in AD (such as DSQuery): they are the last logon, logoff or failed attempt recorded by the particular domain controller you are connected to. The lastLogon attribute is not replicated, so AD does not aggregate it across the domain, and it may look as though the user has not logged on for some time when they have simply been authenticating against another DC. To get the real figure, read lastLogon from every DC and take the newest value, or use the replicated lastLogonTimestamp attribute (available at Windows Server 2003 domain functional level), bearing in mind that it is only refreshed when the stored value is more than roughly 9 to 14 days old. Do not rely on what this tab shows on its own to decide whether an account should be disabled as being out of use.</p>
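<p>To make the figures on this tab concrete, here is an added example (not part of the original post, and not AcctInfo&#8217;s own code) that computes the same things from the raw attributes: password expiry from pwdLastSet, the domain&#8217;s maxPwdAge and the userAccountControl flags, and the real last logon by taking the newest lastLogon across every DC, which the tab does not do. It assumes the attribute values have already been read from AD; the values in the block are constructed, not taken from a real domain.</p>

```python
"""Reproduce the two AcctInfo figures that are easiest to misread: password
expiry (pwdLastSet + domain maxPwdAge) and "last logon" (per-DC lastLogon,
which is not replicated). Added example, not part of the original post; the
attribute values used below are constructed, not read from a real domain."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# AD stores these attributes as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000              # userAccountControl flag
MAX_PWD_AGE_NEVER = -0x8000000000000000   # maxPwdAge value meaning "never"


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float loss."""
    delta = dt - _EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int) -> Optional[datetime]:
    """When the password expires, or None if it never does.

    max_pwd_age is negative in AD (a duration counted backwards from now).
    pwd_last_set == 0 means "must change password at next logon" and is
    reported as already expired (the 1601 epoch)."""
    if user_account_control & DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None
    if pwd_last_set == 0:
        return _EPOCH_1601
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def days_until_expiry(expires: Optional[datetime], now: datetime) -> Optional[int]:
    """The "how far away" figure AcctInfo shows; None when there is no expiry."""
    if expires is None:
        return None
    return (expires - now).days


def effective_last_logon(last_logon_per_dc: Dict[str, int]
                         ) -> Tuple[Optional[str], Optional[datetime]]:
    """lastLogon is kept separately on every DC and never replicated, so the
    true last logon is the newest value across all DCs. Returns (dc, time),
    or (None, None) if no DC has ever authenticated the account. The
    replicated lastLogonTimestamp is the usual shortcut, but it is only
    refreshed when the stored value is more than about 9-14 days old."""
    if not last_logon_per_dc:
        return None, None
    dc, ft = max(last_logon_per_dc.items(), key=lambda kv: kv[1])
    if ft == 0:
        return None, None
    return dc, filetime_to_datetime(ft)


if __name__ == "__main__":
    # Constructed sample: password set 1 Sep 2007, default 42-day maximum age.
    changed = datetime(2007, 9, 1, 12, 0, tzinfo=timezone.utc)
    forty_two_days = -42 * 24 * 3600 * 10_000_000
    exp = password_expiry(datetime_to_filetime(changed), forty_two_days, 0x200)
    print("expires", exp, "in", days_until_expiry(exp, changed + timedelta(days=30)), "days")
    per_dc = {
        "DC1": datetime_to_filetime(datetime(2007, 8, 1, tzinfo=timezone.utc)),
        "DC2": datetime_to_filetime(datetime(2007, 9, 15, 13, 0, tzinfo=timezone.utc)),
        "DC3": 0,  # this DC has never seen the user
    }
    print("last logon", effective_last_logon(per_dc))
```

<p>If you compare the output with the tab for the same user, read pwdLastSet and lastLogon from the DC that ADUC is connected to; maxPwdAge lives on the domain root object and is what the &#8220;Domain PW info&#8221; button is reporting. accountExpires, lastLogoff, badPasswordTime and lastLogonTimestamp use the same FILETIME format and the same conversion.</p>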
<h3>Set Password on Site DC</h3>
<p>Rather than have to change the focus of ADUC (which collapses the tree view of the domain structure), you can use this feature to reset a user&#8217;s password directly against a domain controller on the user&#8217;s site.</p>
<p><a href="http://veroblog.files.wordpress.com/2007/09/acctinfo-pwchangeonsite.png"><img src="http://veroblog.files.wordpress.com/2007/09/acctinfo-pwchangeonsite-thumb.png?w=338&#038;h=148" style="margin:5px 15px 0 5px;" alt="Change password on user's site dialogue box" align="left" height="148" width="338" /></a>You enter the computer name of the machine they are sitting at; if you don&#8217;t have physical labels on machines, they can read the computer name from the &#8220;Log on to&#8221; dropdown in the logon box. Give it a password and confirm it a second time, force the user to change it after the next logon (if you so choose), and unlock the account at the same time (if it is locked; otherwise this is understandably greyed out).</p>
<p>You can choose to just identify the site and tell you which DC it <em>would</em> use without actually setting the password by using the &#8220;Just find site&#8221; button. Be careful here &#8211; if you click &#8220;OK&#8221; instead and the password fields are empty, this will immediately reset the password to be blank, if that is allowed by your policy. If the password you give is not compliant with your domain policies it will not be permitted, you get an error and another chance.</p>
<h2>What are you waiting for?</h2>
<p>It&#8217;s simple, it plugs in to your existing MMC tools and adds some very useful features. You won&#8217;t use this every day (unless you man a very busy helpdesk) but when you do need to get this information in a hurry or want to unlock a user and reset their password in one go, this just gets the job done.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2007/09/17/want-to-know-more-about-your-users-use-acctinfo-to-get-extra-ad-information/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2007/09/acctinfo-properties-thumb.png" medium="image">
			<media:title type="html">AcctInfo_Properties_Tab</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2007/09/acctinfo-dll-registration-thumb.png" medium="image">
			<media:title type="html">AcctInfo DLL registration success</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2007/09/acctinfo-domainpasswordpolicy-thumb.png" medium="image">
			<media:title type="html">AcctInfo_DomainPasswordPolicy</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2007/09/acctinfo-pwchangeonsite-thumb.png" medium="image">
			<media:title type="html">Change password on user&#039;s site dialogue box</media:title>
		</media:content>

	</item>
		<item>
		<title>Using DSMod to update Active Directory</title>
		<link>http://blog.meteorit.co.uk/2007/01/01/using-dsmod-to-update-many-active-directory-objects-at-once/</link>
		<comments>http://blog.meteorit.co.uk/2007/01/01/using-dsmod-to-update-many-active-directory-objects-at-once/#comments</comments>
		<pubDate>Mon, 01 Jan 2007 10:39:57 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Scripting]]></category>
		<category><![CDATA[AD]]></category>
		<category><![CDATA[command line]]></category>
		<category><![CDATA[DSGet]]></category>
		<category><![CDATA[DSMod]]></category>
		<category><![CDATA[DSQuery]]></category>
		<category><![CDATA[script]]></category>
		<category><![CDATA[user account]]></category>
		<category><![CDATA[user details]]></category>
		<category><![CDATA[windows server]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2007/01/01/using-dsmod-to-update-many-active-directory-objects-at-once/</guid>
		<description><![CDATA[DSMOD foundation course 101 I originally wrote this as an email reply to a colleague&#8217;s question about updating many Active Directory objects in one go, and later thought I could write it up &#8220;tutorial style&#8221;. I still think the DSQuery, DSGet, DSMod functions are underused by even fairly knowledgeable administrators, so here is a beginner&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p><strong>DSMOD foundation course 101</strong></p>
<p>I originally wrote this as an email reply to a colleague&#8217;s question about updating many Active Directory objects in one go, and later thought I could write it up &#8220;tutorial style&#8221;. I still think the DSQuery, DSGet, DSMod functions are underused by even fairly knowledgeable administrators, so here is a beginner&#8217;s guide to getting the most of these tools.</p>
<p>This is intended to show the principles for changing many AD objects&#8217; properties in one go. There are lots more clever things you could do with this &#8211; like a lot of command line stuff, the principles are very simple but can be strung together to very powerful end results with a bit of thought and a step-by-step logical approach.</p>
<p>Basically, DSMOD allows you to change many (not all) of the AD properties of an object, usually a user, computer or group. This tutorial discusses users specifically, but the principles extend to other objects.<span id="more-4"></span></p>
<p>It uses the full distinguished name (DN) of the object, i.e. &#8220;CN=Eliza Doolittle,OU=etc.&#8221;, but you don&#8217;t need to worry about that. The way to use it in practice is to use dsquery to do a &#8220;search&#8221; (even if this is for only one object) and pipe the returned results into dsmod, where you change one or more properties of that object.</p>
<p>First try something with dsquery:</p>
<blockquote><p>dsquery user "OU=Building 1,dc=internal,dc=mycompany,dc=co,dc=uk" -name Chris*</p></blockquote>
<p>This should give you several results: everyone whose common name matches Chris* (* is the wildcard as usual; note that it also matches zero characters, so *Chris* would return these same results even though there is nothing in front of the &#8220;Chris&#8221;, but would also find &#8220;John Christopher&#8221; if he existed).</p>
<p>We can now find users who match certain criteria. Then we can pass the results straight into dsmod to modify the properties. A simple example:</p>
<blockquote><p>dsquery user "OU=Building 2,dc=internal,dc=mycompany,dc=co,dc=uk" -samid JHC | dsmod user -tel "555 112 233" -u AdminUser -p AdminPassword</p></blockquote>
<p>translation:</p>
<blockquote><p>dsquery &lt;object type = user&gt; where &lt;SAM account name&gt; = JHC, starting in the OU &#8230; (must be the full distinguished name), then pipe the answer into</p></blockquote>
<blockquote><p>dsmod, and modify this &lt;object type = user&gt; &lt;property of object: &#8220;telephone number&#8221;&gt; to be &#8220;555 etc&#8221; &lt;using admin account AdminUser&gt; &lt;password AdminPassword&gt;</p></blockquote>
<p>So, get the DN of this user, then change their telephone number to X. Simple. (By the way, your Outlook Web Access users will love this: they can get at the internal directory securely just by looking at the properties of a user in the Address Book, then call someone directly. You could claim you spent all weekend typing in these numbers and get the overtime as well, as long as your PHB does not read this!)</p>
<p>For these kinds of changes, where there are lots of unique values, I would usually expect to start from some kind of source list and use Excel (or whatever you prefer) to parse the bits together into commands, then copy and paste out to Notepad (not even bothering to save as CSV; Notepad is dumb enough to just take the results regardless). You can paste straight into a command line, but my general recommendation is always to write these as batch files. They are easier to edit and re-use, and you can keep exact copies of what you have done as change-control records. This is really useful if you screw up and need to undo (i.e. overwrite) anything, like changing everyone&#8217;s phone number to the same thing or something equally daft (I&#8217;m admitting nothing at this point!). At least you can see what has been done and know what to change back.</p>
<p>You don&#8217;t need a user name and password if you are running the command window with sufficient privileges. I tend to run the command window with my normal account so I include the admin account details in the command for simplicity. Be aware that -p AdminPassword puts the password on the command line, where it is visible in the process list and in any batch file you keep as a change record; -p * makes dsmod prompt for the password instead, and runas /user:domain\admin cmd gives you a prompt running as the admin account without the password appearing anywhere. Passwords you set with -pwd end up in the batch file too, so treat those files as sensitive and strip the credentials before filing them as records.</p>
<p>You need quotes around entries if they contain spaces (in the above example this is true for the OU &#8220;Building 2&#8221; and the telephone number entry). If this was HeadOffice and just the extension number, quotes would not be required. As far as I can tell, it is all case-insensitive.</p>
<p>Slightly more advanced example, doing many users at once, let&#8217;s say to change user passwords to enable IT staff to set up profiles for them in a new domain during a weekend office move and migration:</p>
<blockquote><p>dsquery user "OU=Sales,OU=New York,dc=internal,dc=AcmeCorp,dc=com" | dsmod user -pwd ChangeThisNow! -u Admin -p APassword</p></blockquote>
<p>This would change the password of all users in Sales in New York to &#8220;ChangeThisNow!&#8221;.<br />
Note: dsquery returns matching objects anywhere in the OU you specify or further down the OU structure. So, if you start from New York you will get everyone in New York. I would suggest you do it team by team (ish) to avoid changing things like IT staff or service accounts.</p>
<p>Having done that you now have everyone that you want with a changed password. On Sunday night you would possibly want to use:</p>
<blockquote><p>dsquery user "OU=Sales,OU=New York,dc=internal,dc=AcmeCorp,dc=com" -limit 300 | dsmod user -mustchpwd yes</p></blockquote>
<p>to force them all to change at next login.</p>
<p>You might also want</p>
<blockquote><p>dsquery user "OU=Sales,OU=New York,dc=internal,dc=AcmeCorp,dc=com" -limit 300 | dsmod user -office "New Building 3"</p></blockquote>
<p>Note the use of &#8220;-limit 300&#8221;: the default is to return 100 results, which is useful when you are running the dsquery on its own to make sure you have the syntax correct. If you leave it off, the pipeline will process the first 100 and stop, so if you expect more results set this switch to a sensible level (300, 1000, 100000?) or use -limit 0, which returns all matching objects.</p>
<p>To get useful help files you can just do the usual /?<br />
eg dsmod /?<br />
or dsmod user /?<br />
or dsquery computer /?<br />
I tend to redirect the output to text files for convenience (they are quite detailed).</p>
<p>DSGET is also useful to get the properties in the first place (perhaps to use in Excel to parse a new batch file together), so use &#8220;dsquery | dsget &#8221; approach to find eg all SAM ID&#8217;s for Sales, or all their email addresses or whatever.</p>
<p>Summary of the most useful (I have found) user properties :<br />
pwd == user password<br />
mustchpwd == force change of password after next logon<br />
tel == telephone number<br />
samid == we know this is domain-unique so it&#8217;s a good start point<br />
profile == path to profile *<br />
hmdir == path to home directory *<br />
hmdrv == drive letter for home directory<br />
fn == first name #<br />
ln == last name #<br />
office == Office location, building name, whatever makes sense in your organisation</p>
<p><strong>*</strong>The wildcard $username$ can be used to insert the SAM id for the -profile or -hmdir parameter. Note the $, rather than % as you would get in a DOS command using an environmental variable</p>
<blockquote><p>dsquery user "OU=Sales,OU=New York,dc=internal,dc=AcmeCorp,dc=com" | dsmod user -hmdir \\internal\DfsRoot\homes\$username$ -hmdrv u:</p></blockquote>
<p><strong>#</strong>eg I will use dsget to do an export of samid, lastname and firstname, then in Excel strip the first initial of the first name and use it with surname to lookup this against the telephone list supplied by the Facilities / reception team which only has surname.initial. From there I can create the script to change the telephone number entries. What I would probably do in practice is change ALL New York user telephone numbers to &#8220;unknown&#8221;, then change the ones my script can match perfectly, then we can do a query for all users whose telephone number is still &#8220;unknown&#8221; and do these by hand (eg where their first name Elizabeth is in the phone system as &#8220;B&#8221; for Beth, and for spelling errors etc.)</p>
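<p>The matching step above, written out as an added example (not the author&#8217;s spreadsheet, and not part of the original post). It takes a constructed dsget export and a constructed reception phone list, builds the surname.initial key, emits a batch that first sets every number in the OU to &#8220;unknown&#8221; and then writes the exact matches, and returns the samids that still need doing by hand. The OU, samids and numbers are made up. No -u/-p is generated: run the batch from a prompt started with runas as the admin account, or add -u and -p * so dsmod prompts for the password.</p>

```python
"""Turn a dsget export plus a reception phone list into a dsmod batch.
Added example, not the post's own method or Microsoft tooling: the two CSV
tables, the OU and every samid and number below are constructed."""
import csv
import io
from typing import Dict, List, Tuple

# Stand-in for:  dsquery user "<OU>" -limit 0 | dsget user -samid -fn -ln
DSGET_EXPORT = """samid,fn,ln
jdoe,John,Doe
esmith,Elizabeth,Smith
rjones,Robert,Jones
"""

# Stand-in for the facilities list, which only carries surname.initial
PHONE_LIST = """name,tel
doe.j,555 0101
smith.b,555 0102
jones.r,555 0103
"""

OU = "OU=Sales,OU=New York,dc=internal,dc=AcmeCorp,dc=com"
UNKNOWN = "unknown"
_CMD_SPECIAL = set(' &|<>^()')   # characters cmd.exe interprets unless quoted


def quote(value: str) -> str:
    """Wrap a value in double quotes when cmd.exe or dsmod needs it.
    (Percent signs would also need doubling inside a .bat; not handled here.)"""
    return f'"{value}"' if any(c in _CMD_SPECIAL for c in value) else value


def surname_initial(fn: str, ln: str) -> str:
    """Key used by the phone list: surname.initial, case-folded for matching."""
    return f"{ln}.{fn[:1]}".lower()


def dsmod_tel(samid: str, tel: str) -> str:
    """One pipeline per user: dsquery resolves the DN, dsmod writes -tel.
    No -u/-p here: run the batch as the admin, or append '-u user -p *'."""
    return f"dsquery user {quote(OU)} -samid {samid} | dsmod user -tel {quote(tel)}"


def find_unknown_query() -> str:
    """dsquery * with an LDAP filter lists the accounts still left to do by hand."""
    ldap = f"(&(objectCategory=person)(objectClass=user)(telephoneNumber={UNKNOWN}))"
    return f"dsquery * {quote(OU)} -filter {quote(ldap)} -attr sAMAccountName -limit 0"


def build_batch(export_csv: str, phones_csv: str) -> Tuple[List[str], List[str]]:
    """Return (batch lines, samids with no exact match).

    1. reset every number in the OU to "unknown" so stragglers can be found
    2. write a dsmod line for each exact surname.initial match
    3. anything else is returned for the manual pass"""
    phones: Dict[str, str] = {
        row["name"].strip().lower(): row["tel"].strip()
        for row in csv.DictReader(io.StringIO(phones_csv))
    }
    lines = [f"dsquery user {quote(OU)} -limit 0 | dsmod user -tel {UNKNOWN}"]
    unmatched: List[str] = []
    for user in csv.DictReader(io.StringIO(export_csv)):
        tel = phones.get(surname_initial(user["fn"], user["ln"]))
        if tel is None:
            unmatched.append(user["samid"])   # e.g. Elizabeth filed as smith.b
        else:
            lines.append(dsmod_tel(user["samid"], tel))
    return lines, unmatched


if __name__ == "__main__":
    batch, todo = build_batch(DSGET_EXPORT, PHONE_LIST)
    print("\n".join(batch))
    print("rem check by hand:", ", ".join(todo))
    print(find_unknown_query())
```

<p>The last line printed is the dsquery * form of the &#8220;whose telephone number is still unknown&#8221; search for the final manual pass; the LDAP filter is quoted because the ampersand would otherwise be read by cmd.exe as a command separator.</p>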
<p>Very frustrating thing to watch out for, the syntax and names for the properties in dsquery, dsget and dsmod are not identical, eg in dsquery there is no syntax to search for first name alone, you have to use a wildcard-based mask, but having found them you can&#8217;t write directly back to the name, you have to write to first name, surname or display name as required. This is another reason to use batch files &#8211; when it doesn&#8217;t work because the syntax is wrong you can more easily change it and re-run.</p>
<p>Have fun! (?) I would reckon the amount of time you spend learning this just for any one-off exercise of changing all the passwords or telephone numbers will pay for itself straight away. You then get to reap more rewards down the line for free!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2007/01/01/using-dsmod-to-update-many-active-directory-objects-at-once/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
	</channel>
</rss>
