I've been searching for some time regarding this. I need to read the login attempts allowed before AD locks a user out. I know it's in a policy on the server but I need to read it on a client machine on the domain.
I have a VBScript that is playing with some WMI and retrieving information close to what I want. It's not enough:
' "." targets the local machine
strComputer = "."
strFinalResult = ""
' Connect to the computer-scope RSoP namespace
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_SecuritySettingBoolean")
' Collect one line per returned setting
For Each objItem in colItems
    strFinalResult = strFinalResult & "Key Name: " & objItem.KeyName & ", Precedence: " & objItem.Precedence & ", Setting: " & objItem.Setting & vbCrLf
Next
Wscript.Echo strFinalResult
Now, if it is not possible to read the Account lockout policy and its properties, I can run a small WCF application on the Domain Controller/Global Catalog with special admin-level domain user privileges to fetch the info. I just need to know how to read it with C# code.
Thanks.
This information will be held in the registry of the domain controller in:
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
The value you're looking for is MaxDenials.
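An added C# example, not part of the original answer or the asker's code: it reads the MaxDenials value from the registry path the answer gives and, as an assumption the page does not mention, also reads the lockoutThreshold attribute of the domain object over LDAP so the two can be compared. The class and method names are hypothetical, and the server name is supplied by the caller.

```csharp
using System;
using System.DirectoryServices;   // needs a reference to System.DirectoryServices
using Microsoft.Win32;

static class LockoutSettings      // hypothetical name, added for this example
{
    // Key path and value name exactly as given in the answer above.
    const string KeyPath =
        @"SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout";
    const string ValueName = "MaxDenials";

    // Reads MaxDenials from the named server; null when the key or value is absent.
    // Needs the Remote Registry service on the server and read access to the key.
    public static int? ReadMaxDenials(string server)
    {
        using (RegistryKey hklm = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, server))
        using (RegistryKey key = hklm.OpenSubKey(KeyPath))
        {
            if (key == null) return null;
            object raw = key.GetValue(ValueName);
            return (raw is int) ? (int?)(int)raw : null;
        }
    }

    // Assumption (not from the page): reads the lockoutThreshold attribute of the
    // domain object over LDAP as the current user, from a domain-joined machine.
    public static int? ReadDomainLockoutThreshold()
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var domain = new DirectoryEntry("LDAP://" + domainDn))
            {
                object raw = domain.Properties["lockoutThreshold"].Value;
                return (raw is int) ? (int?)(int)raw : null;
            }
        }
    }

    static void Main(string[] args)
    {
        // args[0]: host name of the server to query, supplied by the caller.
        if (args.Length != 1) { Console.Error.WriteLine("usage: LockoutSettings <server>"); return; }
        int? denials = ReadMaxDenials(args[0]);
        int? threshold = ReadDomainLockoutThreshold();
        Console.WriteLine("MaxDenials on {0}: {1}", args[0], denials.HasValue ? denials.ToString() : "(not set)");
        Console.WriteLine("lockoutThreshold: {0}", threshold.HasValue ? threshold.ToString() : "(not readable)");
    }
}
```

OpenRemoteBaseKey throws IOException, SecurityException or UnauthorizedAccessException when the server is unreachable or access is denied, so a caller that audits several servers should catch those per host.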