Tuesday, October 26, 2010

How to find locked out user accounts with VBScript

How to find locked out accounts using VBScript and LDAP:

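' Bit set in msDS-User-Account-Control-Computed while an account is locked out
Const ADS_UF_LOCKOUT = 16

' User objects with a non-zero lockoutTime. lockoutTime can stay set after the
' lockout has expired, so each match is confirmed against the computed flag below.
ldapFilter = "(&(sAMAccountType=805306368)(lockoutTime>=1))"

' Bind to the current domain
Set rootDSE = GetObject("LDAP://rootDSE")
domainDN = rootDSE.Get("defaultNamingContext")

WScript.Echo "Locked accounts:"
WScript.Echo

Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"

' ADSI LDAP dialect: <base>;filter;attributes;scope
Set objectList = ado.Execute("<LDAP://" & domainDN & ">;" & ldapFilter & ";ADSPath,distinguishedName;subtree")
While Not objectList.EOF
    Set user = GetObject(objectList.Fields("ADSPath").Value)

    ' The attribute is constructed, so it has to be loaded explicitly
    user.GetInfoEx Array("msDS-User-Account-Control-Computed"), 0
    flags = user.Get("msDS-User-Account-Control-Computed")
    If (flags And ADS_UF_LOCKOUT) Then
        WScript.Echo objectList.Fields("distinguishedName").Value
    End If

    objectList.MoveNext
Wend

objectList.Close
ado.Close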
