Free Active Directory User Maintenance Tool

LUMAX
Type: GUI

Create reports of important AD user information like Real Last Last Logon Time, Lockout State, Creation Date, Password Expiry Date, Fine Grained Password Policy State and much more... Convenient ways to highlight, filter, sort and export these information.

Lumax is a free tool for Active Directory environments which provides important properties of user or computer accounts in a simple, fast and easy view.

The characteristics of users, workstations and other objects are evaluated using the LDAP protocol from the relevant AD domain controllers. The following information is displayed with LUMAX:

	Object Name There are three different ways LUMAX can display this name, it depends on the 'Show Friendly Names' button and the 'Show Object in all Subcontainers' button . If you active the friendly names output, then just the relative objects names are shown - if you display objects recursive in all subcontainers, then LUMAX shows you the container hierarchy in the name output. The full LDAP Distinguished Name (DN) is shown in case you deactivate the friendly name output.
	Login Name This is the NetBIOS name of the logon account, as it is used in credentials in the form of 'Domain\LoginName'. This property is stored in the directory in the LDAP attribute 'sAMAccountName'.
	User Principal Name This is the modern UPN logon name of the account in the format 'LoginName@domain.com'. This property is stored in the directory in the LDAP attribute 'userPrincipalName'.
	Disabled If an account is deactivated, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
	Locked If an account is locked by the intruder detection, just an 'x' is shown here, together with an indication of how long the lock-out will last. For this purpose, the LDAP attributes 'lockoutTime' is evaluated taking into account the domain-wide settings and also any existing password policies with different settings that apply to the account.
	Last Logon This is the time of last login in the domain. The LDAP attribute 'lastLogon' is evaluated here. This attribute is not replicated between domain controllers, therefore LUMAX reads requests the data from all domain controllers and then determines the respective true last logon time. It may be, however, that the credentials can not be determined precisely, eg if a domain controller cannot be reached over the network by LUMAX. In this case, for all accounts only '???' will be displayed.
	Created This is the time of the creation of the objects. For this purpose, the LDAP attribute 'whenCreated' is evaluated.
	Changed This is the time of the most recent change of the objects. For this purpose, the LDAP attribute 'whenChanged' is evaluated.
	Pwd Policy Here the name of Fine-Grained Password Policy is listed, if any of these policies are valid for the user. LUMAX evaluates the policy objects in the system container of the directory for this, together with the group memberships of the user. Fine-Grained Password Policies are only supported on Windows Server 2008 and newer.
	Pwd Last Set This is the time of the most recent change of the account's password. For this purpose, the LDAP attribute 'pwdLastSet' is evaluated.
	Pwd Expiration Date This is the date when the account's password will expire. For this purpose, the LDAP attributes 'pwdLastSet' is evaluated taking into account the domain-wide settings and also any existing password policies with different settings that apply to the account.
	Pwd Expired When the password of an account is already expired, an 'x' will be shown here.
	Pwd Can't Expire If the flag 'Password never expires' is set for an account, an 'x' will be shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
	Pwd Not Needed If the flag 'Password not needed' is set for an account, an 'x' will be shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
	Pwd Can't Change If the flag 'Password cannot be changed' is set for an account, an 'x' will be shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
	AdminSD Is an account subject to the AdminSDHolder security, an 'x' will be shown here. For this purpose, the LDAP attribute 'adminCount' is evaluated. It indicates that the regarding account is member (or was member) of a high privileged group (Administrators, Domain Admins, Account Operators, Backup Operators...).
	Can't Delete If the deletion of an object is basically prevented by the system, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
	Can't Rename If the renaming of an object is basically prevented by the system, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
	Can't Move If the move of an object to another directory container is basically prevented by the system, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.

If a property of an object can not be read correctly from the LDAP directory for some reason, only '???' is displayed.

You can use the 'Reload' Button

or the <F5> key at all times to refresh the display of the account information. If you press the <CTRL> key concurrently, the entire directory hierarchy structure on the left will be updated.

Directory Logon