Posted on August 13, 2014 · Posted in Active Directory

Additional Account Info Tab in AD Users And Computers Console

Many administrators are familiar with Additional Account Info tab since there have been AD domains based on Windows Server 2003. It is to be reminded that the Additional Account Info tab to appear in the User Properties of Active Directory Users and Computers (ADUC) console, you had to download Windows 2003 Resource Kit and register a special library Acctinfo.dll .

After that if you open the properties window of any AD user, you can see a new tab containing different information useful for a domain administrator, like:

  • Password Last Set – time when a user password has been changed
  • Password Expires – a period of time when the password expires
  • User Account Control / Locked – the account status (enabled, disabled, locked, etc.)
  • Last logon (logoff) – the time of the last logon (logoff) of the user on the domain controller
  • Information on the counters of failed/successful logons
  • SID, GUID information and SID History

Additional Account Info tab in active directory console on windows server 2003

Tip. Actually, all this information can be obtained with ADSIEdit or in the Attribute Editor tab in User Properties (which appeared in ADUC version for Windows 7), but the data presented in the Additional Account Info tab is more extended, informative and convenient for analysis.

So, to add Acctinfo.dll to the Active Directory Users and Computers in the x64 version of Windows (Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 / R2), you have to:

  • Download the Account Lockout and Management Tools from Microsoft website (the archive as of 8/22/2012, contains the self-extracting archive ALTools.exe with the size of 850 KB) and unpack it.
  • Copy the library file acctinfo.dll to C:\Windows\SysWOW64 directoryacctinfo.dll cop to syswow64
  • Start a command prompt as an administrator and register the library in the system:
    regsvr32 C:\Windows\SysWOW64\acctinfo.dll

    regsvr32 acctinfo.dll

  • Create a shortcut for Active Directory Users and Computer (dsa.msc) snap-in, and specify in the shortcut properties that you want to run the console in the 32-bit mode:
    C:\Windows\System32\dsa.msc -32

    regsvr32 acctinfo.dll

  • Open ADUC console with this shortcut and enable the display of the advanced features (View->Advanced Features) Active Directory Users and Computers Show Advanced Features
  • Left open the properties of any domain user and make sure that the new Additional Account Info tab has appeared. Additional Account Info tab on ADUC windows 2012 r2 x64

You can expand the features of this tab by integrating a separate Account Lockout Status button into it, which allows to start LockoutStatus.exe (Microsoft Account Lockout Status) directly from the ADUC console. This utility can analyze the logs of the AD domain controllers and determine which domain controller has locked the account (we talked about this tool in the article about how to find the source of the user account lockout in AD domain).

All you need to do is to copy lockoutstatus.exe (from the same archive) to the %systemroot%\syswow64\ directory and restart the ADUC console. In the snapshot below, you can see that in the Additional Account Info tab, there has appeared a new Account Lockout Status button, which after pressing runs the LockoutStatus.exe tool, to which the name of the corresponding user will be transferred as an argument .LockoutStatus in aduc console

Note. All the procedure described above should run on 32-bit versions of Windows with a single remark: copy library files to directory %systemroot%\system32\. However, I haven’t tested this variant, for I didn’t have any 32-bit OSs at hand.

To remove the Additional Account Info tab from the ADUC, you must unregister the DLL in the system and delete the appropriate files:

regsvr32 /u %systemroot%\SysWOW64\acctinfo.dll

del %systemroot%\SysWOW64\acctinfo.dll

del %systemroot%\SysWOW64\LockoutStatus.exe



Related Articles