The world's most trusted forum on Active Directory Security
We are trying to built an Active Directory tool-set for our admins, and were wondering if we should consider the use of LockoutStatus.exe to get account lockout status in our Active Directory?
We believe it can get deliver helpful lockout status information, but it seems like that's the only thing it can do. We're trying to minimize the number of tools we use, just so that we can keep things simple.
I mean there are a lot of single-task tools that Microsoft akes available, but if you take all of them into account, it becomes quite cumbersome to keep track of them. maintain them and use them.
Are there any alternatives to LockoutStatus.exe that you might be aware of, or using?
Not sure if you've looked at adfind? Its a really cool command-line utility and I'm almost certain it could help you find out account lockout status info.
Something to definitelly consider.
Have you looked at adinfo? It is another free tool like adfind, written by a young Brit, and I think it may be able to help you get account lockout status in our Active Directory.
Thanks for the pointers to adinfo and adfind. While I'm sure they're fine tools, unfortunately, like its starting to happen in many organizations, we're (all IT admins in the company) no longer permitted to use any free tools to do anything related to IT management. This is by policy, and is strictly enforced.
The only exception they're making is to let us use tools shipped by Microsoft, such as replmon, dsrevoke, dsacls etc. So, if unless you have any other suggestions, I'll continue to make do with LockoutStatus.exe.
Checkout this tool. Its not from Microsoft, but its one of the tools endorsed by Microsoft. It was pretty affordable, and has 100+ canned yet fully customizable reports. We got started with a free trial, and liked it, so we licensed it. Basically, point, click done + LDAP filters + CSV exports.