MavEtJu's Distorted View of the World - Samba

Getting Active Directory information with Samba

Back to index

---

Getting Active Directory information with Samba

Posted on 2006-11-14 13:52:00, modified on 2006-11-14 13:57:23
Tags: Computers, Samba

I was looking for a way to find out whose accounts were locked out in the Active Directory.

• Get a list of groups an user is a member of:

    [~] root@service>net ads dn 'CN=Edwin Groothuis,CN=Users,DC=barnet,DC=local' memberOf
    Got 1 replies
  
    memberOf: CN=Citrix Microsoft Office,CN=Users,DC=barnet,DC=local

• For the fun, see how many times somebody has logged in:

    [~] root@service>net ads dn 'CN=michael green,CN=Users,DC=barnet,DC=local' logonCount
    Got 1 replies
  
    logonCount: 4281

• The email addresses used on the exchange server:

    [~] root@service>net ads dn 'CN=michael green,CN=Users,DC=barnet,DC=local'  mail
    Got 1 replies
  
    mail: [email protected]

• userAccountControl shows some of the account options:

    [~] root@service>net ads dn 'CN=edwin groothuis,CN=Users,DC=barnet,DC=local'  userAccountControl
    Got 1 replies
                                  
    Normal:                                 512   0 0000 0010 0000 0000
    Account is disabled:                    514   0 0000 0010 0000 0010
    Password never expires:               66048   1 0000 0010 0000 0000

• And finally, one website gave a final clue: http://msdn.microsoft.com/msdnmag/issues/05/12/DirectoryServices/default.aspx

    [~] root@service>net ads dn 'CN=edwin groothuis,CN=Users,DC=barnet,DC=local'  lockoutTime
    Got 1 replies
  
    lockoutTime: 128079373162771852

This works for authentication failures, but I don't know if it works for the "Account Expires" lockout.

No comments | Share on Facebook | Share on Twitter