Results 1 to 3 of 3

Thread: list users account locked out in an OU

  1. #1
    Gustavo Guest

    list users account locked out in an OU

    Hello Scripting guys:
    I need your help, I need to list all the users that are locke out in a
    special OU, thanks

  2. #2
    Richard Mueller [MVP] Guest

    Re: list users account locked out in an OU

    Gustavo wrote:

    > Hello Scripting guys:
    > I need your help, I need to list all the users that are locke out in a
    > special OU, thanks


    The following VBScript program outputs the Distinguished Names of all users
    in the domain that are locked out. To restrict the output to the users in
    one OU, replace strDNSDomain with the Distinguished Name of the OU in the
    line that assigns a value to the variable strBase. That is, replace:

    strBase = "<LDAP://" & strDNSDomain & ">"

    with something similar to:

    strBase = "<LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com>"
    =============
    Option Explicit

    Dim objRootDSE, strDNSDomain, objShell, lngBiasKey, lngBias, k
    Dim objDomain, objDuration, lngHigh, lngLow, lngDuration
    Dim adoCommand, adoConnection, adoRecordset
    Dim strBase, strFilter, strAttributes, strQuery
    Dim strUserDN, dtmLockOut
    Dim lngSeconds, str64Bit

    ' Retrieve DNS domain name.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Obtain local Time Zone bias from local machine registry.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
    lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
    End If
    Set objShell = Nothing

    ' Bind to domain.
    Set objDomain = GetObject("LDAP://" & strDNSDomain)

    ' Retrieve domain lockoutDuration policy in minutes.
    Set objDuration = objDomain.lockoutDuration
    lngHigh = objDuration.HighPart
    lngLow = objDuration.LowPart
    If (lngLow < 0) Then
    lngHigh = lngHigh + 1
    End If
    lngDuration = lngHigh * (2^32) + lngLow
    lngDuration = -lngDuration/(60 * 10000000)
    Set objDomain = Nothing

    ' Determine lockout time in the past that would just
    ' have expired. Accounts locked out since this time would
    ' still be locked out.
    dtmLockout = DateAdd("n", -lngDuration, Now())

    ' Convert to UTC.
    dtmLockout = DateAdd("n", lngBias, dtmLockout)

    ' Find number of seconds since 1/1/1601.
    lngSeconds = DateDiff("s", #1/1/1601#, dtmLockout)

    ' Convert to 100-nanosecond intervals. This is the
    ' equivalent Integer8 value.
    str64Bit = CStr(lngSeconds) & "0000000"

    ' Use ADO to search Active Directory.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open = "Active Directory Provider"
    adoCommand.ActiveConnection = adoConnection

    ' Search entire domain.
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Filter on all user objects that are locked out.
    strFilter = "(&(objectCategory=person)(objClass=user)(lockoutTime>=" _
    & str64Bit & "))"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

    ' Run the query.
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 60
    adoCommand.Properties("Cache Results") = False

    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset.
    Wscript.Echo "Locked out users:"
    Do Until adoRecordset.EOF
    strUserDN = adoRecordset.Fields("distinguishedName").Value
    Wscript.Echo strUserDN
    adoRecordset.MoveNext
    Loop
    adoRecordset.Close
    adoConnection.Close

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --



  3. #3
    Richard Mueller [MVP] Guest

    Re: list users account locked out in an OU

    Another method is described in this article:

    http://support.microsoft.com/kb/555131

    This uses the filter:

    (&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

    This would simplify the code, and would be easier to use with command line
    tools (like adfind). You could even filter in ADUC or use a saved query.

    However, the lockoutTime attribute for a user that was locked out in the
    past, but the domain lockout duration policy has expired, will not have
    their lockoutTime attribute reset to 0 until they logon. The above filter
    will return all users that were locked out in the past and have not since
    logged on. This may be acceptable to you. Otherwise, the script I posted
    earlier is more accurate.

    Note also, if you calculate the Integer8 value corresponding to the date in
    the past after which anyone locked out would still be locked out, as is done
    in the script I posted, you could use that value in a filter similar to
    above. This could be used with a command line tool like adfind, or in ADUC.
    I have a VBScript program that converts date/time values in the current time
    zone to the equivalent Integer8 values linked here:

    http://www.rlmueller.net/Programs/DateToInteger8.txt

    For example, if your domain policy is for accounts to be locked out for 22
    hours and the current date/time is 3:30 PM January 28, 2008, the above
    program determines that the Integer8 value equivalent to the critical time
    5:30 PM January 27, 2008 (in my time zone, which is Central Time Zone of US)
    is:

    128459502000000000

    Thus, a filter for all users currently locked out would be:

    (&(objectCategory=person)(objectClass=user)(lockoutTime>=128459502000000000))

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --



Similar Threads

  1. Need Urgnet Help - AD users locked out automatically.
    By naveed_ali in forum Operating Systems
    Replies: 1
    Last Post: 28-02-2010, 02:41 AM
  2. Urgent: All AD users are locked out
    By Peach in forum Active Directory
    Replies: 3
    Last Post: 14-02-2009, 02:16 PM
  3. Account is locked out...
    By antogod in forum Operating Systems
    Replies: 4
    Last Post: 02-02-2009, 04:15 PM
  4. All users locked out
    By John Renkar in forum Active Directory
    Replies: 5
    Last Post: 07-01-2009, 07:08 PM
  5. Exclude Admin account from Account Locked out policy
    By Manik in forum Active Directory
    Replies: 3
    Last Post: 18-12-2008, 01:07 AM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,653,612,476.60215 seconds with 17 queries