Server Solver

Windows 2003: Mind Your Users

Use AcctInfo.DLL to reset passwords and find the last good logon for users on your Windows 2003 systems.

Question: How can I find out the last time that the user's password was set and the last good logon on our Windows 2003 domain?

Answer: The easiest way to find this additional account information is to install acctinfo.dll, which is part of the Windows Server 2003 Resource Kit. Once installed, acctinfo.dll extends custom Microsoft Management Consoles (MMCs) by adding a tab to the user account Properties in the Active Directory Users and Computers (ADUC) console.

Here's the procedure for installing and using acctinfo.dll.

  1. Install the Windows Server 2003 Resource Kit, or copy only the acctinfo.dll file into the %systemroot%\system32 folder.
  2. At the command prompt (or Start, Run) type regsvr32 acctinfo.dll to register the DLL. There is no need to reboot the computer.
  3. Start Active Directory Users and Computers. If you have the ADUC console already open, close and restart the console.
  4. Go to a user account Properties page and you'll notice a new tab called Additional Account Info that lists the following:
    Password Last Set
    Password Expires
    User Account Control
    Locked Status
    Last Logon Timestamp
    User SID
    User GUID
    Last Logon
    Last Logoff
    Last Bad Logon
    Logon Count
    Bad Password

It also shows the domain password info, which you can view in Figure 1.

Domain Password Info
Figure 1. The ADUC now shows the domain password info.

The Set PW on Site DC button lets you set the password for a user on a DC in the user’s site. The idea is to be able to change a user’s password on a DC in his/her site, so that urgent replication can pass that information quickly to all the other DCs in that site. This can also be useful if you want to find out at which site the user is logging on (see Figure 2). For example, the screen shot below shows the site where the user logged on.

Where's the User?
Figure 2. View the site where the user is logging on and change user’s password.

If you decide to later remove the DLL for some reason, type the following command at Start, Run.

regsvr32 /u acctinfo.dll


By the way, there are lots of folks out there trying to sell you this and other DLLs for about $10, but you can download the DLL for free from Microsoft as part of the Windows Server 2003 Resource Kit Tools.

Keep a couple of things in mind when using the Additional Account Info tab. There’s no help associated with any item, so don’t bother clicking on the question mark on the upper right-hand side. Also, you’ll discover that the Password Expires box only shows when the user’s password would have expired after it was last set. For example, if your company policy states that the last time the user’s password was set was April 9, 2005, as indicated by the Password Last Set box, then the Password Expires box will show that the password expires on May 22, 2005, which is 90 days from the time the password was last changed. This can be very confusing because even if the user’s account (such as a service account) is configured for the password to never expire, the Password Expires box will still show that it will expire. I noticed on my test server, where the Administrator account never expires, that it shows that the password expired a year ago, even though I am currently logged on with that account.
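To see why the Password Expires box can mislead, the following added example (not from the article or the Resource Kit) decodes the raw pwdLastSet, userAccountControl and maxPwdAge values and compares a plain "last set plus maximum age" date with the effective expiry. It assumes the tab computes its value that simple way, which matches the behaviour described above; the function name, account names and all values are constructed.

```powershell
# Added example. All values are constructed; nothing is read from a directory.
$UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires

function Get-PasswordExpiry {
    param(
        [string]$Name,
        [long]$PwdLastSet,         # pwdLastSet: 100-ns ticks since 1601-01-01 UTC; 0 = must change
        [int]$UserAccountControl,  # userAccountControl bit flags
        [long]$MaxPwdAge           # domain maxPwdAge: negative 100-ns interval; 0 = no expiry
    )
    $neverByFlag   = ($UserAccountControl -band $UF_DONT_EXPIRE_PASSWD) -ne 0
    $neverByPolicy = ($MaxPwdAge -eq 0) -or ($MaxPwdAge -eq [long]::MinValue)
    $mustChange    = ($PwdLastSet -eq 0)

    $lastSet = $null
    $naive   = $null
    if (-not $mustChange) {
        $lastSet = [DateTime]::FromFileTimeUtc($PwdLastSet)
        # Assumed display logic: last set + maximum age, ignoring the account flag.
        if (-not $neverByPolicy) { $naive = $lastSet.AddTicks(-$MaxPwdAge) }
    }

    if ($neverByFlag -or $neverByPolicy) {
        $effective = 'Never'
    } elseif ($mustChange) {
        $effective = 'Must change at next logon'
    } else {
        $effective = $naive.ToString('u')
    }

    [pscustomobject]@{
        Name = $Name; PasswordLastSet = $lastSet
        LastSetPlusMaxAge = $naive; EffectiveExpiry = $effective
    }
}

$maxPwdAge = -([TimeSpan]::FromDays(90).Ticks)          # constructed 90-day policy
$lastSet   = ([DateTime]'2005-01-01').ToFileTimeUtc()   # constructed pwdLastSet

@(
    @{ Name = 'jsmith';     Uac = 0x200;   PwdLastSet = $lastSet }  # normal account
    @{ Name = 'svc-backup'; Uac = 0x10200; PwdLastSet = $lastSet }  # never-expire flag set
    @{ Name = 'newhire';    Uac = 0x200;   PwdLastSet = 0 }         # must change at next logon
) | ForEach-Object {
    Get-PasswordExpiry -Name $_.Name -PwdLastSet $_.PwdLastSet `
        -UserAccountControl $_.Uac -MaxPwdAge $maxPwdAge
} | Format-Table -AutoSize
```

For the service account, the two date columns disagree in exactly the way the article describes: the computed date is in the past while the effective expiry is Never.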

Another thing you’ll discover is that when you do an LDAP search to locate a user, the Additional Account Info tab will be missing. Bummer! You have to go to the Properties of an individual user account in ADUC to see this tab.

Have you guys experienced any other “features” in the Additional Account Info tab that I’ve missed? If so, I would love to hear from you. Please send me an e-mail at alexander@techgalaxy.net.

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at alexander@techgalaxy.net.

Reader Comments:

Mon, Nov 2, 2009 Eddy Washington

I am looking for confirmation that this does not work with Windows 7. Not having any luck getting the tab to show up.

Thu, Apr 23, 2009 Doug Omaha

EkMunda: to see those properties at the bottom, like last logon and bad password count, from another DC, point your AD Users and Computers console to the other DC. Right-click at the top of the console tree, select "Connect to Domain Controller", and follow the prompts. When you open the user's tab again, it will get those values from the new DC.

...doug

Fri, Apr 25, 2008 Anonymous Anonymous

Very good article. Thanks to Mr. Alexander.

Fri, Mar 14, 2008 EkMunda Toronto

This is a very useful article, but the only issue I see is that if you have multiple Domain controllers, and a user logs on to DC01 and your AD is pointed to DC02, the information is not synched between the DC's. Is there a way to synch the DC's?

Wed, Aug 29, 2007 Anonymous Anonymous

very bad

Tue, Feb 20, 2007 Anonymous Anonymous

Awesome tool, but too bad it can't be used in conjunction with 'find'.

Tue, Dec 26, 2006 Jay MN

Thanks for having this info out here. I have used the dll before and just could not remember how to register it. Thanks

Mon, Nov 6, 2006 Joseph Anonymous

Very nice.

Sat, Jun 10, 2006 Mike Anonymous

Excellent article, very useful information. Good job.

Wed, Mar 22, 2006 Anonymous Anonymous

excellent article

Thu, Dec 22, 2005 Anonymous Anonymous

An Awesome article.

Wed, Nov 23, 2005 Mark Stadnik Sydney

Zubair, how does acctinfo.dll determine the user's site, and therefore which DC to use? Secondly, are you supposed to put the DC name or the actual user's computer name in the "Users Computer" field. I found that the wrong site was reported.

Mon, Oct 10, 2005 Sid India

The most useful article I have read, which was also applied successfully.

Thanks a ton,
Sid

Wed, Aug 17, 2005 Anonymous Anonymous

Very helpful. Subject explained very thoroughly. I hope to see more from this author.

Tue, Aug 9, 2005 Anonymous Anonymous

We currently use Win32::OLE combined with ADSI to pull the lastlogontime from all Domain controllers. Then, a script can run once a week to query those accounts that haven't been logged into for awhile and disable them. Accessing this information is extremely useful for our company. You must install the dll on each of the domain controllers where you will need to access this information.
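Added example, not part of the reader comment above or of the article: the lastLogon attribute is kept separately on each domain controller and is not replicated, which is why several comments see different values depending on the DC the console points at. The sketch below takes per-DC readings, keeps the most recent one per user, and reports accounts idle beyond a threshold for review. The function names, user names, DC names, the 90-day threshold and all readings are constructed; collecting the readings from each DC is left out.

```powershell
# Added example. Readings are constructed: one row per (user, DC).
# lastLogon is a FILETIME (100-ns ticks since 1601-01-01 UTC);
# 0 means the account has never authenticated against that DC.
function ConvertTo-FileTime([string]$Utc) { ([DateTime]$Utc).ToFileTimeUtc() }

$readings = @(
    [pscustomobject]@{ User = 'jsmith';  DC = 'DC01'; LastLogon = (ConvertTo-FileTime '2005-08-05 08:12') }
    [pscustomobject]@{ User = 'jsmith';  DC = 'DC02'; LastLogon = (ConvertTo-FileTime '2005-03-01 17:40') }
    [pscustomobject]@{ User = 'svc-old'; DC = 'DC01'; LastLogon = (ConvertTo-FileTime '2005-01-10 02:00') }
    [pscustomobject]@{ User = 'svc-old'; DC = 'DC02'; LastLogon = [long]0 }
    [pscustomobject]@{ User = 'newhire'; DC = 'DC01'; LastLogon = [long]0 }
    [pscustomobject]@{ User = 'newhire'; DC = 'DC02'; LastLogon = [long]0 }
)

function Resolve-LastLogon {
    param(
        [object[]]$Readings,
        [DateTime]$AsOf,          # reference time (UTC) for the idle calculation
        [int]$StaleDays = 90      # constructed review threshold
    )
    foreach ($g in ($Readings | Group-Object User)) {
        # The true last logon is the newest value seen on any DC.
        $best = $g.Group | Sort-Object LastLogon -Descending | Select-Object -First 1
        if ($best.LastLogon -eq 0) {
            $last = $null; $seenOn = $null; $idle = $null
            $status = 'NeverLoggedOn'
        } else {
            $last   = [DateTime]::FromFileTimeUtc($best.LastLogon)
            $seenOn = $best.DC
            $idle   = ($AsOf - $last).Days
            if ($idle -ge $StaleDays) { $status = 'Stale' } else { $status = 'Active' }
        }
        [pscustomobject]@{
            User = $g.Name; LastLogonUtc = $last; SeenOn = $seenOn
            IdleDays = $idle; Status = $status
        }
    }
}

Resolve-LastLogon -Readings $readings -AsOf ([DateTime]'2005-08-09') |
    Format-Table -AutoSize
```

Reading only DC02 would make jsmith look idle for months; the NeverLoggedOn rows are reported separately so that freshly created accounts are not mistaken for abandoned ones.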

Tue, Aug 9, 2005 Anonymous Anonymous

Great article, I have had trouble finding out this information. However, you have explained a rather confusing topic very well.
