List Bad Password Count
This can be handy to quickly determine if there is some sort of password attack taking place on a domain.
The command uses "dsquery *" to search all records in the domain, keeps those that match the filter for user accounts, and returns the specified attributes, which include the bad password count.
Note that the badPasswordTime attribute is returned raw and requires processing to turn it into a date and time format (see http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx).
Also, the attribute is not replicated between domain controllers, so each one will need to be queried.
The command below performs a query filtering for user objects and returning attributes from the user account to help identify the account.
dsquery * "dc=example,dc=com" -filter "(&(objectCategory=person)(objectClass=user))" -attr sAMAccountName badPwdCount badPasswordTime userAccountControl distinguishedName -limit 0 -s servername.example.com
The list from the above command could be quite long, so you would probably want to redirect the output to a text file by modifying the command line to:
dsquery * "dc=example,dc=com" -filter "(&(objectCategory=person)(objectClass=user))" -attr sAMAccountName badPwdCount badPasswordTime userAccountControl distinguishedName -limit 0 -s servername.example.com > c:\temp\dsquery_badpwdcount.txt
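To work with the redirected output, the following added example (not part of the original page) converts the raw badPasswordTime values to UTC dates and merges the results from several domain controllers, since the attribute is not replicated. It assumes the fixed-width table layout shown in the constructed sample data; the function names and the DC names dc1 and dc2 are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw):
    """badPasswordTime counts 100-ns ticks since 1601-01-01 UTC; 0 or blank = never."""
    ticks = int(raw or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def parse_dsquery(text):
    """Slice each row at the header's column offsets (assumed fixed-width layout),
    so blank attributes and spaces inside distinguishedName do not shift fields."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    ends = [start for _, start in cols[1:]] + [None]
    return [{name: line[start:end].strip() for (name, start), end in zip(cols, ends)}
            for line in lines[1:]]

def merge_dcs(outputs):
    """outputs maps DC name -> dsquery text. The attributes are per-DC, so keep
    the highest badPwdCount and the latest badPasswordTime seen for each account."""
    merged = {}
    for dc, text in outputs.items():
        for row in parse_dsquery(text):
            acct = merged.setdefault(row["sAMAccountName"],
                                     {"badPwdCount": 0, "lastBad": None, "dc": None})
            count = int(row["badPwdCount"] or 0)
            when = filetime_to_utc(row["badPasswordTime"])
            if count > acct["badPwdCount"]:
                acct["badPwdCount"], acct["dc"] = count, dc
            if when and (acct["lastBad"] is None or when > acct["lastBad"]):
                acct["lastBad"] = when
    return merged

# Constructed sample output from two domain controllers (not real data).
DC1 = """\
  sAMAccountName  badPwdCount  badPasswordTime     userAccountControl  distinguishedName
  jsmith          0            0                   512                 CN=John Smith,OU=Staff,DC=example,DC=com
  svc_backup      2            129067776000000000  66048               CN=svc_backup,OU=Service,DC=example,DC=com
"""
DC2 = """\
  sAMAccountName  badPwdCount  badPasswordTime     userAccountControl  distinguishedName
  jsmith                                           512                 CN=John Smith,OU=Staff,DC=example,DC=com
  svc_backup      5            129067779000000000  66048               CN=svc_backup,OU=Service,DC=example,DC=com
"""

if __name__ == "__main__":
    for name, a in sorted(merge_dcs({"dc1": DC1, "dc2": DC2}).items()):
        print(name, a["badPwdCount"], a["lastBad"], a["dc"])
```

Many accounts showing a recent badPasswordTime within a short window, especially with low counts each, is the pattern worth investigating further on the DC that reported it.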