| Tags: account, locked |
#1
| list users account locked out in an OU
Hello Scripting guys: I need your help. I need to list all the users that are locked out in a specific OU. Thanks.
|
#2
| Re: list users account locked out in an OU
Gustavo wrote:

> Hello Scripting guys:
> I need your help. I need to list all the users that are locked out in a
> specific OU. Thanks.

The following VBScript program outputs the Distinguished Names of all users in the domain that are locked out. To restrict the output to the users in one OU, replace strDNSDomain with the Distinguished Name of the OU in the line that assigns a value to the variable strBase. That is, replace:

strBase = "<LDAP://" & strDNSDomain & ">"

with something similar to:

strBase = "<LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com>"

=============

```vbscript
Option Explicit

Dim objRootDSE, strDNSDomain, objShell, lngBiasKey, lngBias, k
Dim objDomain, objDuration, lngHigh, lngLow, lngDuration
Dim adoCommand, adoConnection, adoRecordset
Dim strBase, strFilter, strAttributes, strQuery
Dim strUserDN, dtmLockOut
Dim lngSeconds, str64Bit

' Retrieve DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Obtain local Time Zone bias from local machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    ' Some systems return the bias as a byte array; assemble it little-endian.
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If
Set objShell = Nothing

' Bind to domain.
Set objDomain = GetObject("LDAP://" & strDNSDomain)

' Retrieve domain lockoutDuration policy in minutes.
' lockoutDuration is a negative Integer8 (100-nanosecond intervals).
Set objDuration = objDomain.lockoutDuration
lngHigh = objDuration.HighPart
lngLow = objDuration.LowPart
If (lngLow < 0) Then
    lngHigh = lngHigh + 1
End If
lngDuration = lngHigh * (2^32) + lngLow
lngDuration = -lngDuration/(60 * 10000000)
Set objDomain = Nothing

' Determine lockout time in the past that would just
' have expired. Accounts locked out since this time would
' still be locked out.
dtmLockout = DateAdd("n", -lngDuration, Now())

' Convert to UTC.
dtmLockout = DateAdd("n", lngBias, dtmLockout)

' Find number of seconds since 1/1/1601.
lngSeconds = DateDiff("s", #1/1/1601#, dtmLockout)

' Convert to 100-nanosecond intervals. This is the
' equivalent Integer8 value.
str64Bit = CStr(lngSeconds) & "0000000"

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all user objects that are locked out.
strFilter = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=" _
    & str64Bit & "))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 60
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Wscript.Echo "Locked out users:"
Do Until adoRecordset.EOF
    strUserDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strUserDN
    adoRecordset.MoveNext
Loop

adoRecordset.Close
adoConnection.Close
```

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
|
#3
| Re: list users account locked out in an OU
Another method is described in this article: http://support.microsoft.com/kb/555131

This uses the filter:

(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

This would simplify the code, and would be easier to use with command line tools (like adfind). You could even filter in ADUC or use a saved query.

However, a user that was locked out in the past, where the domain lockout duration has since expired, will not have their lockoutTime attribute reset to 0 until they log on. The above filter will return all users that were locked out in the past and have not since logged on. This may be acceptable to you. Otherwise, the script I posted earlier is more accurate.

Note also, if you calculate the Integer8 value corresponding to the date in the past after which anyone locked out would still be locked out, as is done in the script I posted, you could use that value in a filter similar to the above. This could be used with a command line tool like adfind, or in ADUC. I have a VBScript program that converts date/time values in the current time zone to the equivalent Integer8 values linked here: http://www.rlmueller.net/Programs/DateToInteger8.txt

For example, if your domain policy is for accounts to be locked out for 22 hours and the current date/time is 3:30 PM January 28, 2008, the above program determines that the Integer8 value equivalent to the critical time 5:30 PM January 27, 2008 (in my time zone, which is the Central Time Zone of the US) is:

128459502000000000

Thus, a filter for all users currently locked out would be:

(&(objectCategory=person)(objectClass=user)(lockoutTime>=128459502000000000))

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
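The Integer8 arithmetic from the script in #2 and the worked 22-hour example in #3, as an added Python example (not the thread's code and not Richard Mueller's DateToInteger8 program): it converts a time-zone-aware date to an Integer8 value, derives the threshold from a raw lockoutDuration value, builds the filter from #3, and classifies a user's lockoutTime, including the stale-value case #3 warns about. The Central Time offset is assumed to be a fixed UTC-6 for January.

```python
from datetime import datetime, timedelta, timezone

# AD Integer8 / Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Constructed scenario from the thread: 22-hour lockout policy, "now" is 3:30 PM on
# 28 Jan 2008 in US Central Time (assumed fixed UTC-6 offset for January).
CENTRAL = timezone(timedelta(hours=-6))
EXAMPLE_NOW = datetime(2008, 1, 28, 15, 30, tzinfo=CENTRAL)
EXAMPLE_CRITICAL_TIME = datetime(2008, 1, 27, 17, 30, tzinfo=CENTRAL)
EXAMPLE_LOCKOUT_DURATION = -22 * 60 * 60 * TICKS_PER_SECOND  # raw lockoutDuration

def datetime_to_integer8(when):
    """Convert a timezone-aware datetime to a whole-second Integer8 value."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware to convert to UTC")
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds  # integer arithmetic, no float drift
    return seconds * TICKS_PER_SECOND

def lockout_duration_minutes(raw_lockout_duration):
    """The domain's lockoutDuration is stored as a negative count of 100-ns ticks."""
    return -raw_lockout_duration / (60 * TICKS_PER_SECOND)

def lockout_threshold_integer8(now, duration_minutes):
    """Earliest lockoutTime whose lockout window has not yet expired at `now`."""
    return datetime_to_integer8(now - timedelta(minutes=duration_minutes))

def locked_out_filter(threshold):
    """LDAP filter for users locked out since the threshold (the thread's filter)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lockoutTime>={threshold}))")

def classify_lockout(lockout_time, threshold):
    """0 = never locked out or reset at last logon; below threshold = stale lockout."""
    if lockout_time == 0:
        return "not locked out"
    if lockout_time >= threshold:
        return "locked out"
    return "expired lockout (stale until next logon)"

def thread_example():
    """Threshold and filter for the constructed scenario above."""
    minutes = lockout_duration_minutes(EXAMPLE_LOCKOUT_DURATION)
    threshold = lockout_threshold_integer8(EXAMPLE_NOW, minutes)
    return threshold, locked_out_filter(threshold)

if __name__ == "__main__":
    print(*thread_example(), sep="\n")
```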