Additional AD User Account Information
There is a lot of information that Active Directory stores in its database that is not necessarily available through common tools such as Active Directory Users and Computers MMC.
With the Active Directory Users and Computers MMC installed, and by using part of Microsoft’s Account Lockout and Management Tool, extra user account information can be made accessible, this includes:
- Password last set time
- Password expiry time
- SID and GUID
- Last Logon \ Logoff \ Bad Password time
- Logon \ Bad Password count
NB: The last logon and logoff attributes within a Windows 2000 domain are not replicated between domain controllers… therefore not accurate. However this has been fixed with AD 2003 by adding another attribute into the schema called lastLogonTimestamp which is replicated.
The first step is to get the acctinfo.dll available from the above tool or here.
Next, copy the file to C:\WINDOWS\SYSTEM32 then run the command
regsvr32 C:\WINDOWS\SYSTEM32\acctinfo.dll
This will register the dll, when opening the Users and Computers console you will notice another tab called Additional Account Info. This is where the extra information is displayed.