Unlocking accounts on remote DCs

  • Unlocking accounts on remote DCs

    There is a product called Altools from Microsoft that adds an additional tab in the user property page. This dll allows unlocking locked accounts from the user's local DC to bypass the replication wait. The tab only shows for accounts that are locked. Is it possible to get the same ability in Hyena?

    Here is the article that explains the function. http://www.windowsecurity.com/articl...t-Lockout.html

  • #2
    Re: Unlocking accounts on remote DCs

    Thanks for pointing out this article, which was interesting. It reminded me that we need to figure out how to better integrate property sheet extensions into Hyena. That way, you could select the Shell Properties for a user and see this new ADU&C tab.

    I don't understand completely what Microsoft is doing with this new dialog, but there is one big difference between how SystemTools vs. Microsoft do things with respect to accessing AD information. When using a Microsoft AD management application, it's a bit hidden which domain controller you are accessing. With Hyena, we use a specific DC on each operation, which you can either control on the fly (right click on a domain, select Set Source Domain Controller), interactively (navigate to a DC directly), or permanently (File->Manage Object View).

    So you can control password resets and account lockout directly by using one of these methods to target a specific DC. The only limitation is that we don't have a dialog like what Microsoft added here to tell you which DC is in the user's site. Is that what you are after?
    Kevin Stanush
    SystemTools Software Inc.



    • #3
      Re: Unlocking accounts on remote DCs

      Showing the DC when making the change would be helpful but without the modified acctinfo.dll we don't have a way to quickly identify the user's authenticating DC without the user being logged on (problem if the user's account is locked). Today we have to cross reference the user's IP address or site information with AD Sites and Services to know which DC to make the change on when unlocking the object accounts. AD Sites and Services is a plugin that we may not want everyone to have access to.

      The modified Acctinfo.dll goes this extra step in doing a lookup of the DC by cross referencing the computer account with Sites and Services. It then allows you to unlock or change the user's password on the remote DC in the same property page. The extra functionality would be welcome.
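
Added example, not part of the original posts and not Hyena or Acctinfo.dll code: the manual cross-reference described in post #3 (client IP address to AD site, then a DC in that site, then the unlock on that DC), written in PowerShell. It assumes the RSAT ActiveDirectory module and IPv4 subnets; the function names and the sample values in the final comment are hypothetical.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module; IPv4 only.
Import-Module ActiveDirectory

function Test-IPv4InSubnet {                      # hypothetical helper
    param([string]$Address, [string]$Cidr)        # '10.1.2.3', '10.1.0.0/16'
    $net, $bits = $Cidr -split '/'
    $toLong = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                      # network order -> little-endian
        [long][BitConverter]::ToUInt32($b, 0)
    }
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((& $toLong $Address) -band $mask) -eq ((& $toLong $net) -band $mask)
}

function Get-SiteForAddress {                     # hypothetical helper
    param([string]$Address)
    # Longest-prefix match over the subnets defined in AD Sites and Services.
    Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Name -notmatch ':' -and (Test-IPv4InSubnet $Address $_.Name) } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1 -ExpandProperty Site   # distinguished name of the site
}

function Unlock-AccountOnSiteDC {                 # hypothetical helper
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SamAccountName, [string]$ClientAddress)
    $siteDn = Get-SiteForAddress $ClientAddress
    if (-not $siteDn) { throw "No AD subnet covers $ClientAddress" }
    $site = (Get-ADReplicationSite -Identity $siteDn).Name
    $dc = Get-ADDomainController -Discover -SiteName $site |
        Select-Object -ExpandProperty HostName | Select-Object -First 1
    # Read the lockout state from that DC, not from whichever DC we default to.
    $user = Get-ADUser -Identity $SamAccountName -Server $dc -Properties LockedOut
    if ($user.LockedOut -and $PSCmdlet.ShouldProcess("$SamAccountName on $dc", 'Unlock')) {
        Unlock-ADAccount -Identity $user -Server $dc
    }
    [pscustomobject]@{ User = $SamAccountName; Site = $site; DC = $dc; WasLocked = $user.LockedOut }
}

# Constructed values; -WhatIf shows the target DC without changing anything:
# Unlock-AccountOnSiteDC -SamAccountName jdoe -ClientAddress 10.20.30.40 -WhatIf
```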



      • #4
        Re: Unlocking accounts on remote DCs

        I'll research the mechanism used to identify a user's local DC (i.e., one of the local DCs to the user). In Hyena, when you look at a user's property page, at the top of the dialog is the Netbios or DNS path of the DC that is connected to. You can also see it in any AD LDAP path, as we always put the server name in the path:

        LDAP://server/CN=User,CN=User,DC=etc.

        This is an interesting problem that I'll look into further.
        Kevin Stanush
        SystemTools Software Inc.



        • #5
          Re: Unlocking accounts on remote DCs

          I found the top of the dialog box reports the account information from the server I am authenticated to, not necessarily where the user last authenticated. The particular property is the LOGINSERVER from the "Set" command; unfortunately this is a volatile property and is not returned using WMI. Searching the computer registry shows this again as a volatile setting only when the user is logged in.

          I will keep researching it as well. Thanks



          • #6
            Re: Unlocking accounts on remote DCs

            In the current beta version of Hyena v6.6, you can now get access to the same additional account functions tab that you have in MMC in Hyena's 'Shell Properties' dialog.

            We also know how to determine a user's logon server and may use this in a future feature.
            Kevin Stanush
            SystemTools Software Inc.



            • #7
              Re: Unlocking accounts on remote DCs

              I saw that in the latest beta version. Thanks and keep up the great work!
