VBScript to find locked out accounts in AD

In this article, I am going to write VBScript code to find locked-out Active Directory user accounts and export the currently locked-out users to a CSV file. Here, we use two attributes: LockoutTime, in the LDAP filter, to select accounts whose lockout time is set, and msDS-User-Account-Control-Computed, whose UF_LOCKOUT flag confirms that the account is still locked out.

Summary:

Find Locked Out Accounts in AD

1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Save the file with a .vbs extension, for example: FindLockedoutADUsers.vbs
3. Double-click the VBScript file (or run it from a command window) to find and list locked-out Active Directory users.
Click to get the VBScript source code as a file: Download FindLockedoutADUsers.vbs

' FindLockedoutADUsers.vbs
' Sample VBScript to Find Locked-Out Active Directory users.
' Usage in CMD: C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs
' -or- C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs > C:\Scripts\LockoutUsers.txt
' ------------------------------------------------------' 
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 
' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Ensure the user is still in locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        WScript.Echo adoRecordset.Fields("samaccountname").Value & " ---> " _
            & adoRecordset.Fields("distinguishedname").Value
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
' close ado connections.
adoRecordset.Close
adoConnection.Close
' Active Directory Locked-out Users listed successfully...

Usage in CMD: In the Command Prompt, you can use the built-in CScript utility to run the VBScript file:

C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs
-or-
C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs > C:\Scripts\LockoutUsers.txt

Export Locked Out AD Users to CSV file using VBScript

1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Here, the CSV file path is given as "ADLockedUsers.csv", so the ADLockedUsers.csv file is created in the directory from which you run this VBScript file. You can give your own file path, like "C:\Users\Administrator\Desktop\ADLockedUsers.csv".
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsers.vbs
4. Double-click the VBScript file (or run it from a command window) to export locked-out Active Directory users into a CSV file.
Click to get the VBScript source code as a file: Download ExportLockedoutADUsers.vbs

' ExportLockedoutADUsers.vbs
' Sample VBScript to Find and Export Locked-out AD users into a CSV file.
' ------------------------------------------------------' 
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 
' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Create the CSV file.
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Here, the CSV file path is "ADLockedUsers.csv", so the file is created in the
' directory from which this VBScript is run. You can give your own file path
' like "C:\Users\Administrator\Desktop\ADLockedUsers.csv"
' CreateTextFile(filename, overwrite, unicode): overwrite any existing file and
' write plain (non-Unicode) text so the CSV opens cleanly in spreadsheet tools.
Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", True, False)
' Write the selected AD attributes as the CSV header (first line).
objCSVFile.WriteLine varAttributes
' Enumerate the resulting recordset, retrieve values and write into CSV file.
Do Until adoRecordset.EOF
    ' Ensure the user is still in locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        objCSVFile.Write adoRecordset.Fields("name").Value & ","
        objCSVFile.Write adoRecordset.Fields("samaccountname").Value & ","
        ' The distinguished name contains commas (CN=...,OU=...,DC=...),
        ' so it is quoted to keep it in a single CSV column.
        objCSVFile.Write """" & adoRecordset.Fields("distinguishedname").Value & ""","
        ' mail may be empty (Null); appending "" turns Null into an empty string.
        objCSVFile.Write adoRecordset.Fields("mail").Value & ""
        objCSVFile.WriteLine ' New line
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
objCSVFile.Close
' close ado connections.
adoRecordset.Close
adoConnection.Close
' Active Directory Locked-Out User properties are exported successfully as CSV File
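Why both scripts above re-check the UF_LOCKOUT bit after the LDAP filter, as an added Python model (not code from this page or from Active Directory): a domain controller leaves LockoutTime set after the lockout duration has elapsed, so (LockoutTime>=1) also matches accounts that have already unlocked, while msDS-User-Account-Control-Computed reflects the current state. The 30-minute lockoutDuration, the timestamps and the three users are constructed sample data, and the functions model the domain controller's rule rather than querying AD.

```python
from datetime import datetime, timedelta, timezone

UF_LOCKOUT = 0x10                   # same bit as the page's Flag_LOCKOUT = 16
LOCKOUT_FOREVER = -(2 ** 63)        # lockoutDuration meaning "no automatic unlock"
TICKS_PER_MINUTE = 60 * 10_000_000  # Integer8/FILETIME ticks are 100 ns
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    """Ticks since 1601-01-01 UTC, the Integer8 form AD stores in LockoutTime."""
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10

def matches_filter(lockout_time: int) -> bool:
    """The (LockoutTime>=1) clause: any non-zero LockoutTime matches,
    including a value the DC left behind after the lockout expired."""
    return lockout_time >= 1

def computed_uac(lockout_time: int, lockout_duration: int, now: int) -> int:
    """Model of the UF_LOCKOUT bit in msDS-User-Account-Control-Computed.
    lockout_duration is the domain's lockoutDuration: a negative tick count
    (e.g. -30 minutes) or LOCKOUT_FOREVER. All times are FILETIME ticks."""
    if lockout_time == 0:
        return 0
    if lockout_duration == LOCKOUT_FOREVER:
        return UF_LOCKOUT
    unlock_at = lockout_time + abs(lockout_duration)
    return UF_LOCKOUT if now < unlock_at else 0

def still_locked(lockout_time: int, lockout_duration: int, now: int) -> bool:
    """The test both scripts apply after the filter: (lockoutFlag And Flag_LOCKOUT)."""
    return (computed_uac(lockout_time, lockout_duration, now) & UF_LOCKOUT) != 0

def sample_report() -> dict:
    """Constructed data: 30-minute domain lockoutDuration, three users."""
    now = to_filetime(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
    duration = -30 * TICKS_PER_MINUTE
    users = {
        "alice": now - 10 * TICKS_PER_MINUTE,  # locked 10 min ago: still locked
        "bob": now - 60 * TICKS_PER_MINUTE,    # locked an hour ago: auto-unlocked
        "carol": 0,                            # never locked out
    }
    return {n: (matches_filter(t), still_locked(t, duration, now)) for n, t in users.items()}

if __name__ == "__main__":
    for name, (matched, locked) in sample_report().items():
        print(f"{name:6} filter_match={matched!s:5} UF_LOCKOUT={locked}")
```

The report shows bob matching the LDAP filter but failing the UF_LOCKOUT check, which is exactly the row the scripts' second test drops.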

Exported CSV File Output of Locked Out AD Users:
