Is someone's account locked?

July 20, 2009

With the native NET command:

    NET USER loginname /DOMAIN | FIND /I "Account active"

The account is either locked ("Locked") or active ("Yes").

When did someone last change his password?

July 20, 2009

With the native NET command:

    NET USER loginname /DOMAIN | FIND /I "Password last set"

How do I reset someone's password?

July 20, 2009

With the native NET command:

    NET USER loginname newpassword /DOMAIN

With (native) Windows Server 2003 commands:

    DSQUERY USER -samid loginname | DSMOD USER -pwd newpassword

Note: To prevent the new password from being displayed on screen, replace it with an asterisk (*); you will then be prompted (twice) to type the new password "blindly".

What permissions does a user have on this directory?

July 20, 2009

One could use the previous command to check what permissions a user has on a certain directory.
However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:

    CD /D d:\directory2check
    SHOWACLS /U:domain\userid

What is the full name for this login name?

July 20, 2009

With the native NET command:

    NET USER loginname /DOMAIN | FIND /I " name "

With (native) Windows Server 2003 commands:

    DSQUERY USER -samid *loginname* | DSGET USER -samid -display

Note: The NET command may seem more universal, because it requires neither Active Directory nor Windows Server 2003 commands, but it is language dependent!
For non-English Windows you may need to modify FIND's search string.

What groups is this user a member of?

July 20, 2009

In Windows NT 4 and later, users usually are members of global groups. These global groups in turn are members of (domain) local groups. Access permissions are given to (domain) local groups.
To check if a user has access to a resource, we need to check group membership recursively.

With (native) Windows Server 2003 commands:

    DSQUERY USER -samid loginname | DSGET USER -memberof -expand
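
The recursive check described above, wrapped in a batch file that tells whether a user belongs to a given group either directly or through nested groups. This is an added example, not part of the original page; the script name INGROUP.BAT, its two arguments and its exit codes are hypothetical.

```batch
@ECHO OFF
SETLOCAL
:: Added example (not from the original page).
:: Usage: INGROUP.BAT loginname groupname
:: Exit codes (chosen for this example): 0 = member, 1 = not a member, 2 = error
IF "%~2"=="" (
    ECHO Usage: %~n0 loginname groupname
    EXIT /B 2
)

:: Resolve both names to distinguished names first, so that a mistyped
:: login name is reported as an error instead of as "not a member".
:: DSQUERY prints each DN wrapped in double quotes; %%~A strips them.
SET "UserDN="
SET "GroupDN="
FOR /F "delims=" %%A IN ('DSQUERY USER  -samid "%~1"') DO SET "UserDN=%%~A"
FOR /F "delims=" %%A IN ('DSQUERY GROUP -samid "%~2"') DO SET "GroupDN=%%~A"
IF NOT DEFINED UserDN (
    ECHO User "%~1" not found
    EXIT /B 2
)
IF NOT DEFINED GroupDN (
    ECHO Group "%~2" not found
    EXIT /B 2
)

:: -memberof -expand lists every group reached through nesting, one quoted
:: DN per line. The doubled quotes make FIND match the complete quoted DN,
:: so a group whose DN merely contains the wanted DN does not match.
DSGET USER "%UserDN%" -memberof -expand | FIND /I """%GroupDN%""" >NUL
IF ERRORLEVEL 1 (
    ECHO %~1 is NOT a member of %~2
    EXIT /B 1
)
ECHO %~1 is a member of %~2, directly or through nested groups
EXIT /B 0
```

Because it compares distinguished names rather than display text, this check does not depend on the Windows language the way the NET USER output does.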

What is this colleague's login name?

July 20, 2009

My colleagues often forget to mention their logon account name when calling the helpdesk, and the helpdesk doesn't always ask either. I suppose they expect me to know all 1500+ accounts by heart.

With (native) Windows Server 2003 commands only:

    DSQUERY USER -name *lastname* | DSGET USER -samid -display

Note: Windows Server 2003's "DSTools" will work fine in Windows 2000 and XP too, when copied.
Keep in mind, however, that some Windows Server 2003 Active Directory functionality is not available in Windows 2000 Active Directories.