Server Solver

Windows 2003: Mind Your Users

Use AcctInfo.DLL to reset passwords and find the last good logon for users on your Windows 2003 systems.

Question: How can I find out the last time that the user's password was set and the last good logon on our Windows 2003 domain?

Answer: The easiest way to find out such additional account information is to install the acctinfo.dll that's part of Windows Server 2003 Resource Kit. When you install acctinfo.dll, it extends the functionality of custom Microsoft Management Consoles (MMCs) by adding a tab to the user account Properties in Active Directory Users and Computers (ADUC) console.

Here's the procedure for installing and using acctinfo.dll.

  1. Install Windows Server 2003 Resource Kit, or copy only the acctinfo.dll file into %systemroot%\system32 folder.
  2. At the command prompt (or Start, Run) type regsvr32 acctinfo.dll to register the DLL. There is no need to reboot the computer.
  3. Start Active Directory Users and Computers. If you have the ADUC console already open, close and restart the console.
  4. Go to a user account Properties page and you'll notice a new tab called Additional Account Info that lists the following:
    Password Last Set
    Password Expires
    User Account Control
    Locked Status
    Last Logon Timestamp
    User SID
    User GUID
    Last Logon
    Last Logoff
    Last Bad Logon
    Logon Count
    Bad Password

It also shows the domain password info, which you can view in the Figure 1.

Domain Password Info
Figure 1. The ADUC now shows the domain password info.

The Set PW on Site DC button lets you set the password for a user on a DC in the users’ site. The idea is to be able to change a user’s password on a DC in his/her site, so that urgent replication can pass that information quickly to all the other DCs in that site. This can also be useful if you want to find out at which site the user is logging on (see Figure 2). For example, the screen shot below shows the site where the user logged on.

Where's the User?
Figure 2. View the site where the user is logging on and change user’s password.

If you decide to later remove the DLL for some reason, type the following command at Start, Run.

regsvr32 /u acctinfo.dll

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:editor@mcpmag.com; the best questions get answered in this column; MCPmag.com baseball caps go to the published submitter.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

By the way, there are lots of folks out there trying to sell you this and other DLLs for about $10, but you can download the DLL for free from Microsoft as part of the Windows Server 2003 Resource Kit Tools.

A couple of things to keep in mind when using the Additional Account Info tab. There’s no help associated with any item, so don’t bother clicking on the question mark on the upper right-hand side. Also, you’ll discover that the Password Expires box only shows when user’s password would have expired after it was last set. For example, if your company policy states that the last time the user’s password was set was April 9, 2005 as indicated by Password Last Set box, then the Password Expires box will show that the password expires on May 22, 2005, which is 90 days from the time the password was last changed. This can be very confusing because even if the user’s account (such as a service account) is configured for password to never expire, the Password Expires box will still show that it will expire. I noticed on my test server where the Administrator account never expires; it shows that the password expired a year ago, even though I am currently logged on with that account.

Another thing you’ll discover is that when you do an LDAP search to locate a user, the Additional Account Info tab will be missing. Bummer! You have to go to the Properties of an individual user account in ADUC to see this tab.

Have you guys experienced any other “features” in the Additional Account Info tab that I’ve missed? If so, I would love to hear from you. Please send me an e-mail at alexander@techgalaxy.net.

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at alexander@techgalaxy.net.

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.