The utility queries properties defined on an Active Directory object. Valid object types include users, groups, computers and containers. The utility displays some properties that are not visible in the Windows GUI.
- The name of the object to query must be specified in LDAP format. E.g. CN=Administrator,CN=Users.
- For those properties that Windows does not replicate across domain controllers (indicated by 'NR'), there is an option to query every DC in the domain so that the property's most recent value is retrieved rather than the value held by a single DC.
- If you are not sure of an object’s name, you can perform a wild-card search of Active Directory using part of its name.
Search Active Directory for an Object
You can locate an object in Active Directory by entering part of the object’s name as search text. SekChek will return a list of all objects that contain the search text as part of their name.
Click OK to select the object.
The tool queries any Active Directory object for the following properties:
- Account disabled. Indicates whether an account has been disabled by a system administrator.
- Account expiry date. Displays the expiry date for the account. Expired accounts cannot be used to log on to the system.
- Account locked. Indicates whether Windows has locked the account due to repeated invalid logon attempts.
- Certificates published. Displays the object’s X.509 certificates published in Active Directory.
- DACL. The access permissions (Access Control List) defined on the Active Directory object.
- GUID. The object’s Globally Unique Identifier.
- IsCriticalSystemObject. Indicates whether the object must be replicated during installation of a new replica.
- IsDeleted. Indicates whether the object has been marked for deletion. Windows deletes objects marked for deletion after the tombstone period has expired.
- Last failed logon. The time of the last failed logon attempt for the account. Not replicated across DCs. (local time)
- Last logon. The time of the last successful domain logon for the account. Not replicated across DCs. (local time)
- Last logontimestamp. The time of the last successful domain logon for the account. Replicated across DCs, but only accurate to within approximately 14 days. (GMT)
- Last password change. The time the account's password was last changed. (local time)
- Object class. The object’s class type. E.g. user, group, container.
- Object protected from accidental deletion. Indicates whether the Protect object from accidental deletion option is checked for the object.
- Password must change at next logon. Indicates whether the account’s password must be changed at the next logon.
- Password required. Indicates whether a password is required to log on to the system.
- SAM account type. Bit flags that indicate the type of the account.
- Security identifier. The object’s unique SID.
- systemFlags. Bit flags that define additional properties for the object class.
- Update Sequence Number changed. The USN value assigned by Active Directory for the latest change.
- Update Sequence Number created. The USN value assigned by Active Directory when the object was created.
- UserAccountControl. Bit flags that control the behaviour of the account.
- When changed. The time that the object was last changed. (GMT)
- When created. The time that the object was created. (GMT)
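The following PowerShell script is an added example, not SekChek's own code, of the two points above: reading the 'NR' properties (Last logon, Last failed logon) from every domain controller and keeping the newest value, and decoding the raw bit-flag and FILETIME properties into readable form. It assumes the RSAT ActiveDirectory module, read access to the object on each DC, and that the object name is given as a full distinguished name (the page's CN=Administrator,CN=Users plus the domain's DC= components).

```powershell
# Added example (not SekChek code). Assumes the RSAT ActiveDirectory module and
# read access to the object on every domain controller in the current domain.
param(
    # Full distinguished name, e.g. "CN=Administrator,CN=Users,DC=corp,DC=example"
    [Parameter(Mandatory)] [string] $DistinguishedName
)
Import-Module ActiveDirectory

# Per-DC ('NR') attributes are never replicated: read each DC and keep the newest FILETIME.
$nonReplicated = @('lastLogon', 'badPasswordTime')
$latest = @{ lastLogon = 0L; badPasswordTime = 0L }
$props  = $nonReplicated + @('lastLogonTimestamp', 'userAccountControl', 'pwdLastSet', 'whenChanged')

foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    try   { $obj = Get-ADObject -Identity $DistinguishedName -Server $dc -Properties $props }
    catch { Write-Warning "Could not query $dc : $($_.Exception.Message)"; continue }
    foreach ($attr in $nonReplicated) {
        $v = [int64]($obj.$attr)          # null on a DC that never saw the account -> 0
        if ($v -gt $latest[$attr]) { $latest[$attr] = $v }
    }
}
if (-not $obj) { throw "Object not readable on any domain controller: $DistinguishedName" }

# FILETIME -> DateTime. FromFileTime gives local time, FromFileTimeUtc gives GMT; 0 means never.
function ConvertFrom-FileTime([int64] $ft, [switch] $Utc) {
    if ($ft -le 0) { return 'never' }
    if ($Utc) { [DateTime]::FromFileTimeUtc($ft) } else { [DateTime]::FromFileTime($ft) }
}

# Well-known userAccountControl bits (subset) so the raw flags read as text.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x2
    PASSWD_NOTREQD         = 0x20
    DONT_EXPIRE_PASSWORD   = 0x10000
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
    PASSWORD_EXPIRED       = 0x800000
}
$uac = [int]$obj.userAccountControl
$set = $uacFlags.GetEnumerator() | Where-Object { $uac -band $_.Value } | ForEach-Object Name

[PSCustomObject]@{
    Object                 = $obj.DistinguishedName
    'Last logon (local)'   = ConvertFrom-FileTime $latest.lastLogon
    'Last failed logon'    = ConvertFrom-FileTime $latest.badPasswordTime
    'Last logontimestamp'  = ConvertFrom-FileTime ([int64]$obj.lastLogonTimestamp) -Utc
    'Password must change' = ([int64]$obj.pwdLastSet -eq 0)   # pwdLastSet = 0, not a UAC bit
    'UserAccountControl'   = ('0x{0:X} ({1})' -f $uac, ($set -join ', '))
    'When changed (GMT)'   = $obj.whenChanged.ToUniversalTime()
}
```

Because lastLogonTimestamp is only refreshed when it is more than about 14 days stale, the per-DC maximum of lastLogon is the value to trust when deciding whether an account is genuinely dormant.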
About SekChek IPS
SekChek® IPS is a leading provider of computer security review, auditing and benchmarking tools and has served many of the world’s largest companies and public institutions in 130 countries since 1996. SekChek’s clients include security and audit professionals in IT departments, audit firms, internal audit functions, regulatory compliance and corporate governance departments. SekChek’s benchmarking features compare security policies and controls against a unique statistics database containing more than 30 million anonymous and real-life security measurements compiled from 70,000 computer systems across all major industry sectors.