Friday, April 25, 2014

who is locked out of their active directory 2003+ accounts

oh microsoft, you kidder. you don't have nice attributes set for locked-out accounts. you torture the helpdesk by having people call them. if this is a crazy way to keep the msce crowd employed, you win.

from a command line, run the following:

cscript.exe //nologo findlockedout.vbs >> thosewhoaregoingtocallyourealsoon.txt
 Const ADS_UF_LOCKOUT = 16  
 ldapFilter = "(&(sAMAccountType=805306368)(lockoutTime>=1))"  
 Set rootDSE = GetObject("LDAP://rootDSE")  
 domainDN = rootDSE.Get("defaultNamingContext")  
 WScript.Echo "Locked accounts:"  
 Set ado = CreateObject("ADODB.Connection")  
 ado.Provider = "ADSDSOObject"  
 ado.Open "ADSearch"   
 Set objectList = ado.Execute("<LDAP://" & domainDN & ">;" & ldapFilter & ";ADSPath,distinguishedName;subtree")  
 While Not objectList.EOF  
   Set user = GetObject(objectList.Fields("ADSPath"))  
   user.GetInfoEx Array("msDS-User-Account-Control-Computed"), 0  
   flags = user.Get("msDS-User-Account-Control-Computed")  
   if (flags and ADS_UF_LOCKOUT) then  
     WScript.Echo objectList.Fields("distinguishedName")  
   End if  
from this fine place with ample explanations:
bonus points:
 @echo on  
 echo %date% %time% > crap.txt  
 cscript //nologo findlockedout.vbs >> crap.txt  
 setlocal EnableDelayedExpansion  
 set "cmd=findstr /R /N "^^" crap.txt | find /C ":""  
 for /f %%a in ('!cmd!') do set number=%%a  
 echo %number% minus three durr >> crap.txt  
Post a Comment