Server Solver

Windows 2003: Mind Your Users

Use AcctInfo.DLL to reset passwords and find the last good logon for users on your Windows 2003 systems.

Question: How can I find out the last time that the user's password was set and the last good logon on our Windows 2003 domain?

Answer: The easiest way to find out such additional account information is to install acctinfo.dll, which is part of the Windows Server 2003 Resource Kit. When you install acctinfo.dll, it extends the functionality of custom Microsoft Management Consoles (MMCs) by adding a tab to the user account Properties in the Active Directory Users and Computers (ADUC) console.

Here's the procedure for installing and using acctinfo.dll.

  1. Install the Windows Server 2003 Resource Kit, or copy only the acctinfo.dll file into the %systemroot%\system32 folder.
  2. At the command prompt (or Start, Run) type regsvr32 acctinfo.dll to register the DLL. There is no need to reboot the computer.
  3. Start Active Directory Users and Computers. If you have the ADUC console already open, close and restart the console.
  4. Go to a user account Properties page and you'll notice a new tab called Additional Account Info that lists the following:
    Password Last Set
    Password Expires
    User Account Control
    Locked Status
    Last Logon Timestamp
    User SID
    User GUID
    Last Logon
    Last Logoff
    Last Bad Logon
    Logon Count
    Bad Password

It also shows the domain password info, which you can view in Figure 1.

Domain Password Info
Figure 1. The ADUC now shows the domain password info.

The Set PW on Site DC button lets you set the password for a user on a DC in the user's site. The idea is to be able to change a user's password on a DC in his/her site, so that urgent replication can pass that information quickly to all the other DCs in that site. This can also be useful if you want to find out at which site the user is logging on (see Figure 2). For example, the screen shot below shows the site where the user logged on.

Where's the User?
Figure 2. View the site where the user is logging on and change user’s password.

If you decide to later remove the DLL for some reason, type the following command at Start, Run.

regsvr32 /u acctinfo.dll

By the way, there are lots of folks out there trying to sell you this and other DLLs for about $10, but you can download the DLL for free from Microsoft as part of the Windows Server 2003 Resource Kit Tools.

A couple of things to keep in mind when using the Additional Account Info tab. There's no help associated with any item, so don't bother clicking on the question mark on the upper right-hand side. Also, you'll discover that the Password Expires box only shows when the user's password would have expired after it was last set. For example, if your company policy states that the last time the user's password was set was April 9, 2005, as indicated by the Password Last Set box, then the Password Expires box will show that the password expires on May 22, 2005, which is 90 days from the time the password was last changed. This can be very confusing because even if the user's account (such as a service account) is configured for the password to never expire, the Password Expires box will still show that it will expire. I noticed on my test server, where the Administrator account never expires, that it shows that the password expired a year ago, even though I am currently logged on with that account.
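The caveat above can be cross-checked from the raw directory attributes. The following is an added example, not part of the original column or of acctinfo.dll: it computes the expiry from pwdLastSet and the domain's maxPwdAge, and honours the DONT_EXPIRE_PASSWORD bit in userAccountControl. The function name and sample accounts are hypothetical, the values are constructed, and it assumes a single domain-wide password policy and PowerShell 5 or later.

```powershell
# Added example. Function names are hypothetical; sample values are constructed.
$UF_DONT_EXPIRE_PASSWORD = 0x00010000   # userAccountControl bit: password never expires

function Get-EffectivePasswordExpiry {
    param(
        [Int64]$PwdLastSet,          # user attribute pwdLastSet (FILETIME, 100-ns ticks since 1601 UTC)
        [Int32]$UserAccountControl,  # user attribute userAccountControl (bit flags)
        [Int64]$MaxPwdAge            # domain attribute maxPwdAge (stored as a negative tick count)
    )
    if ($UserAccountControl -band $UF_DONT_EXPIRE_PASSWORD) {
        return [pscustomobject]@{ Expires = $null; Reason = 'DONT_EXPIRE_PASSWORD is set' }
    }
    if ($PwdLastSet -eq 0) {
        # pwdLastSet = 0 means "user must change password at next logon"
        return [pscustomobject]@{ Expires = $null; Reason = 'Must change at next logon' }
    }
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [Int64]::MinValue) {
        return [pscustomobject]@{ Expires = $null; Reason = 'Domain sets no maximum password age' }
    }
    # maxPwdAge is negative, so subtracting it adds the interval to pwdLastSet.
    $expires = [DateTime]::FromFileTimeUtc($PwdLastSet - $MaxPwdAge)
    [pscustomobject]@{ Expires = $expires; Reason = 'pwdLastSet + maxPwdAge' }
}

# Constructed sample input: two accounts with the same pwdLastSet, 90-day domain policy.
$lastSet = [DateTime]::new(2005, 4, 9, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$maxAge  = -([TimeSpan]::FromDays(90).Ticks)
$samples = @(
    @{ Name = 'jdoe';       Uac = 0x00000200 },   # NORMAL_ACCOUNT
    @{ Name = 'svc-backup'; Uac = 0x00010200 }    # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
)
foreach ($s in $samples) {
    $r = Get-EffectivePasswordExpiry -PwdLastSet $lastSet -UserAccountControl $s.Uac -MaxPwdAge $maxAge
    '{0,-12} expires: {1,-22} ({2})' -f $s.Name, $r.Expires, $r.Reason
}
```

Service accounts flagged this way are worth listing during an audit, since their passwords age indefinitely regardless of what an expiry field displays.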

Another thing you’ll discover is that when you do an LDAP search to locate a user, the Additional Account Info tab will be missing. Bummer! You have to go to the Properties of an individual user account in ADUC to see this tab.

Have you guys experienced any other “features” in the Additional Account Info tab that I’ve missed? If so, I would love to hear from you. Please send me an e-mail at [email protected].

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].
