Many administrators are familiar with Additional Account Info tab since there have been AD domains based on Windows Server 2003. It is to be reminded that the Additional Account Info tab to appear in the User Properties of Active Directory Users and Computers (ADUC) console, you had to download Windows 2003 Resource Kit and register a special library Acctinfo.dll .
After that if you open the properties window of any AD user, you can see a new tab containing different information useful for a domain administrator, like:
- Password Last Set – time when a user password has been changed
- Password Expires – a period of time when the password expires
- User Account Control / Locked – the account status (enabled, disabled, locked, etc.)
- Last logon (logoff) – the time of the last logon (logoff) of the user on the domain controller
- Information on the counters of failed/successful logons
- SID, GUID information and SID History
So, to add Acctinfo.dll to the Active Directory Users and Computers in the x64 version of Windows (Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 / R2), you have to:
- Download the Account Lockout and Management Tools from Microsoft website (the archive as of 8/22/2012, contains the self-extracting archive ALTools.exe with the size of 850 KB) and unpack it.
- Copy the library file acctinfo.dll to C:\Windows\SysWOW64 directory
- Start a command prompt as an administrator and register the library in the system:
- Create a shortcut for Active Directory Users and Computer (dsa.msc) snap-in, and specify in the shortcut properties that you want to run the console in the 32-bit mode:
- Open ADUC console with this shortcut and enable the display of the advanced features (View->Advanced Features)
- Left open the properties of any domain user and make sure that the new Additional Account Info tab has appeared.
You can expand the features of this tab by integrating a separate Account Lockout Status button into it, which allows to start LockoutStatus.exe (Microsoft Account Lockout Status) directly from the ADUC console. This utility can analyze the logs of the AD domain controllers and determine which domain controller has locked the account (we talked about this tool in the article about how to find the source of the user account lockout in AD domain).
All you need to do is to copy lockoutstatus.exe (from the same archive) to the %systemroot%\syswow64\ directory and restart the ADUC console. In the snapshot below, you can see that in the Additional Account Info tab, there has appeared a new Account Lockout Status button, which after pressing runs the LockoutStatus.exe tool, to which the name of the corresponding user will be transferred as an argument .
To remove the Additional Account Info tab from the ADUC, you must unregister the DLL in the system and delete the appropriate files:
1 2 3 4 5
regsvr32 /u %systemroot%\SysWOW64\acctinfo.dll del %systemroot%\SysWOW64\acctinfo.dll del %systemroot%\SysWOW64\LockoutStatus.exe