Determine which domain controller accounts are locked in Active Directory

This tool allows you to select a target account and determine which DC the account is being locked from.

This tip was submitted to the SearchWin2000.com tip exchange by member Brian Anderson.


We have over 50 domain controllers in our Active Directory domain. Occasionally, we get calls from users reporting account lockouts that are happening several times a day. This problem occurs 99% of the time after a user has logged onto a computer, changed his password, and then forgotten to log off.

To find the computer that's causing the lockouts, we use Microsoft's free utility, AL.exe. This tool allows you to select a target account and determine which DC the account is being locked from. Once the lockout DC is found, the last bad password time will also be displayed. Within AL, right-click the DC, open the security event log, and scroll to the time of the last bad password. This is much easier than using Event Comber on 50 domain controllers.
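The same two steps (find the DC with the latest bad password time, then read its security log around that time) can be scripted. The following is an added example, not part of the original tip and not Microsoft's tool. It assumes the ActiveDirectory RSAT module, domain controllers that log lockouts as event ID 4740 (Windows Server 2008 and later; the Windows 2000/2003-era ID was 644), rights to read the DC security logs, and a constructed sample account name.

```powershell
Import-Module ActiveDirectory
$Account = 'jdoe'   # constructed sample account name; replace with the locked-out user

# badPwdCount and badPasswordTime are not replicated, so every DC has to be asked.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $props = 'badPwdCount', 'badPasswordTime', 'lockoutTime'
        $u = Get-ADUser -Identity $Account -Server $dc.HostName -Properties $props -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) }
            LockoutTime     = if ($u.lockoutTime)     { [datetime]::FromFileTime($u.lockoutTime) }
        }
    } catch {
        # An unreachable DC should not abort the sweep of the remaining ones.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}
$perDc | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize | Out-Host

# Take the DC that saw the most recent bad password and read its Security log
# in a window around that time, as the tip does by hand.
$hit = $perDc | Where-Object LastBadPassword |
    Sort-Object LastBadPassword -Descending | Select-Object -First 1
if ($hit) {
    $filter = @{
        LogName   = 'Security'
        Id        = 4740                                   # "A user account was locked out"
        StartTime = $hit.LastBadPassword.AddMinutes(-5)
        EndTime   = $hit.LastBadPassword.AddMinutes(5)
    }
    Get-WinEvent -ComputerName $hit.DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $Account } |
        Select-Object TimeCreated,
            @{ n = 'Account';        e = { $_.Properties[0].Value } },
            @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }   # machine sending the bad password
}
```

The `CallerComputer` column names the workstation that submitted the failing credentials, which is the machine to check for a stale logon session.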

This was first published in January 2004
