ARS WEB - Custom view showing locked accounts

Hello,

I've been trying to establish a custom view that shows locked user accounts, as ARS perceives them, but I'm not having much luck. 

When viewing a container with users, locked user accounts are shown with an orange icon, and when you open the properties of a locked account, a tick box is shown next to "Account is locked".

I tried using a view with a custom LDAP filter: (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1)), however this shows me additional accounts which match the LDAP filter (including the locked account shown in orange), but these accounts do not have a tick in the "Account is locked" box in their properties, implying that ARS uses something else to select / highlight actual locked users.

Is there a way to create a custom view showing locked user accounts as ARS perceives them?

Many thanks,

Jay

  • This might be a bit clumsy but it would get the job done:

    1) Create a stored, Boolean virtual attribute (sample name: edsvaLockedAccount)

    2) Create a Managed Unit that uses edsvaLockedAccount = TRUE for its membership rule.  This is where you will be able to see your locked accounts.

    3) Create a simple Active Roles Scheduled Task PowerShell script that runs every so often (15 minutes?) and:

    - enumerates your Managed Unit and clears edsvaLockedAccount for all accounts found there

    - executes "Search-ADAccount -Locked" and marks virtual attribute edsvaLockedAccount with TRUE for any account it finds.

    The success of all this depends on your domain's current setup for account lockouts, i.e. many organizations automatically unlock AD accounts after a certain period of time.
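
One way to write the scheduled task script from step 3, as an added example that is not part of the original reply and not One Identity's code. It writes only the differences between runs instead of clearing every flag first; the function name, the Managed Unit DN placeholder, and the use of the Active Roles Management Shell (QAD cmdlets) alongside the ActiveDirectory module are assumptions.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and the Active Roles
# Management Shell (QAD cmdlets) are installed where the scheduled task runs.
Import-Module ActiveDirectory
Import-Module ActiveRolesManagementShell

$FlagAttribute = 'edsvaLockedAccount'          # sample attribute name from the reply
$ManagedUnitDn = '<DN of your Managed Unit>'   # placeholder, fill in for your environment

function Sync-LockedAccountFlag {              # hypothetical function name
    # Connect through the Administration Service so the virtual attribute is visible.
    Connect-QADService -Proxy | Out-Null

    # Accounts AD currently reports as locked out. -LockedOut is the full name
    # of the switch written as -Locked in the reply.
    $locked = @{}
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        $locked[$_.DistinguishedName] = $true
    }

    # Accounts flagged by the previous run, i.e. the Managed Unit's current members.
    $flagged = @{}
    Get-QADUser -Proxy -SearchRoot $ManagedUnitDn -SizeLimit 0 | ForEach-Object {
        $flagged[$_.DN] = $true
    }

    # Unflag accounts whose lockout has ended (FALSE no longer matches the
    # "= TRUE" membership rule, so they drop out of the Managed Unit).
    foreach ($dn in @($flagged.Keys)) {
        if (-not $locked.ContainsKey($dn)) {
            Set-QADUser -Identity $dn -Proxy -ObjectAttributes @{ $FlagAttribute = $false } | Out-Null
        }
    }

    # Flag accounts that became locked since the previous run.
    foreach ($dn in @($locked.Keys)) {
        if (-not $flagged.ContainsKey($dn)) {
            Set-QADUser -Identity $dn -Proxy -ObjectAttributes @{ $FlagAttribute = $true } | Out-Null
        }
    }
}

Sync-LockedAccountFlag
```

The Managed Unit is only as current as the last run, so an account unlocked or auto-unlocked between runs stays listed until the next pass.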
