KS-Soft. Network Management Solutions

Number of Locked Users in AD

 
Kris



Joined: 12 May 2010
Posts: 375

Posted: Tue Dec 17, 2013 10:59 am    Post subject: Number of Locked Users in AD

The following VBScript will give you the number of locked users on your domain.
You can create a test around it to monitor issues with... well... locking accounts.
It's quick & dirty, please modify to your situation.
Code:
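' Bind to the domain through the WinNT provider and enumerate user objects only
Set Domain = GetObject("WinNT://<YourDomain>")
Domain.Filter = Array("User")
' Start at 0 so the result is "0", not an empty string, when nobody is locked out
Counter = 0
For Each UserObj In Domain
    If UserObj.IsAccountLocked = True Then
        Counter = Counter + 1
    End If
Next
' Report the count as the script result
WScript.StdOut.Write "ScriptRes:Ok:" & Counter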
SplanK



Joined: 21 Nov 2007
Posts: 38

Posted: Tue Oct 21, 2014 7:33 am    Post subject:

I have used this and created an Active Script.

It reports good if there are 0 lock outs.
It reports bad if there are >0 lock outs as well as the accounts locked out.

Code:

Option Explicit
'Status prefixes returned to the monitor
const statusAlive       = "Host is alive:"
const statusDead        = "No answer:"
const statusUnknown     = "Unknown:"
const statusNotResolved = "Unknown host:"
const statusOk          = "Ok:"
const statusBad         = "Bad:"
const statusBadContents = "Bad contents:"

Call PerformTest()

Function PerformTest()
   Dim Domain, Counter, UserObj, oLockedoutUser

   'Bind to the domain through the WinNT provider and enumerate user objects only
   Set Domain = GetObject("WinNT://DOMAINNAME")
   Counter = 0
   Domain.Filter = Array("User")

   For Each UserObj In Domain
      If UserObj.IsAccountLocked = True Then

         'Build a " / " separated list of the locked-out account names
         If Counter = 0 Then
            oLockedoutUser = UserObj.Name
         Else
            oLockedoutUser = oLockedoutUser & " / " & UserObj.Name
         End If

         Counter = Counter + 1

      End If
   Next

   'Bad with the list of names if anyone is locked out, otherwise Ok
   If Counter > 0 Then
      PerformTest = statusBad & "Locked Out users: " & Counter & " -> " & oLockedoutUser
   Else
      PerformTest = statusOk & "Locked Out users: " & Counter
   End If
End Function
Kris



Joined: 12 May 2010
Posts: 375

Posted: Mon Nov 17, 2014 10:10 am    Post subject:

Good job SplanK!

I had that one on my ToDo list.
You made it easy

Thanks!
peterjwest



Joined: 28 Jul 2008
Posts: 17

Posted: Fri Jan 09, 2015 5:12 am    Post subject:

Hi,

Nice work - and big thanks to previous posters as the previous scripts gave me a little inspiration.

The only problem I had with the previous versions of the script was that it took a long time to run for me. This is because it enumerates every object in the domain and that can take time.

This led me to making a modified version which uses an LDAP query to only pull locked accounts which are also enabled. I've included the script below.

The script takes a single mandatory parameter which is the domain to check in DNS format (i.e. contoso.com, uk.contoso.com etc.). If you wish you can also save the script as a regular .vbs file; adding /view onto the end of the parameters will also show the list of locked accounts.

Example syntax:
Just show the count: cScript.exe ScriptName.vbs contoso.com
Show the list too: cScript.Exe ScriptName.vbs contoso.com /view

Code:
Option Explicit

'Define required variables
Dim objConnection
Dim iX
Dim objCommand
Dim objRecordSet
Dim sRetVal
Dim arrAttribute
Dim iDaysSinceDisabled
Dim iCount
Dim sDomain
Dim bListAccounts
Dim arrAccounts

'Define constants
const statusAlive       = "scriptRes:Host is alive:"
const statusDead        = "scriptRes:No answer:"
const statusUnknown     = "scriptRes:Unknown:"
const statusNotResolved = "scriptRes:Unknown host:"
const statusOk          = "scriptRes:Ok:"
const statusBad         = "scriptRes:Bad:"
const statusBadContents = "scriptRes:Bad contents:"

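'Initialise the array, the counter and the list flag
'(so the count is written as "0", not an empty string, when nothing matches)
Redim arrAccounts(2,0)
iCount = 0
bListAccounts = False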

'Get the parameters
sDomain = wScript.Arguments(0)
sDomain = GetNCFromDNSDomain(sDomain)

'If there are more parameters then...
If wScript.Arguments.Count >=2 Then
   
   'If the second argument is /view
   If LCase(wScript.Arguments(1)) = "/view" Then bListAccounts = True
End If
   
'Define required constants
Const ADS_SCOPE_SUBTREE = 2
Const ADS_CHASE_REFERRALS_ALWAYS = &H60

'Make the objects and configure them
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

'Define the query and load into the command object
Set objCommand.ActiveConnection = objConnection

'Find user accounts that have a non-zero lockoutTime and are not disabled
objCommand.CommandText = "<LDAP://" & sDomain & ">;(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1)(!userAccountControl:1.2.840.113556.1.4.803:=2));samAccountName,Name;Subtree"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Chase Referrals") = ADS_CHASE_REFERRALS_ALWAYS

'Run the query
Set objRecordSet = objCommand.Execute

'Loop through the results
Do While Not objRecordSet.EOF
      
   'If the option to list was given then load values into the array
   '(fields are read by name; the query returns only samAccountName and Name)
   If bListAccounts Then
      arrAccounts(0,UBound(arrAccounts,2)) = objRecordset.Fields("samAccountName").Value
      arrAccounts(1,UBound(arrAccounts,2)) = objRecordset.Fields("Name").Value
      Redim Preserve arrAccounts(2,UBound(arrAccounts,2)+1)
   End If
   
   'Increment the counter
   iCount = iCount+ 1
   
   'Move to the next record
   objRecordset.MoveNext
Loop

'Display the results
wScript.StdOut.Write statusOk & iCount

'If the option to view the locked accounts was given then...
If bListAccounts Then
   wScript.Echo ""
   wScript.Echo "SAM Account Name         Name"
   'The last array column is always an empty spare, so stop one short of it
   For iX=0 To UBound(arrAccounts,2)-1
      wScript.Echo PadString(arrAccounts(0,iX),25) & arrAccounts(1,iX)
   Next
End If

'End the script
wScript.Quit

Function GetNCFromDNSDomain(sDNSDomain)

   'Define required variables
   Dim sRetVal
   Dim arrParts
   Dim objItem
   
   'If there are periods in the string then...
   If Instr(sDNSDomain,".") > 0 Then
      
      'Split by the full stops
      arrParts = Split(sDNSDomain,".")
      
      'Loop through and build the string
      For Each objItem In arrParts
         sRetVal = sRetVal & "dc=" & objItem & ","
      Next
      
      'Strip the final ,
      sRetVal = Left(sRetVal,Len(sRetVal)-1)
   
   End If
   
   'Return the value
   GetNCFromDNSDomain = sRetVal
         
End Function

Function PadString(sString,iLen)

   'Define required variables
   Dim sRetVal
   
   'If the length is less than needed then pad with spaces
   If Len(sString) < iLen Then
      sRetVal = sString & String(iLen-Len(sString)," ")
   Else
      'If it's too long then chop it
      If Len(sString) > iLen Then
         sRetVal = Left(sString,iLen)
      Else
         'Otherwise just pass it back
         sRetVal = sString
      End If
   End If
   
   'Return the value
   PadString = sRetVal
   
End Function
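Added example (not written by any poster in this thread): one way to combine the two approaches above, using the LDAP filter only to shortlist candidates and then confirming each one with the WinNT IsAccountLocked check from the first post. lockoutTime stays non-zero after a lockout has expired until the account next logs on successfully, so the filter on its own can over-count. The second argument (the NetBIOS domain name for the WinNT provider) and the output wording are assumptions; call it as cscript //nologo <script>.vbs contoso.com CONTOSO.

```vbscript
Option Explicit
' Added example: shortlist with the LDAP filter, confirm with WinNT IsAccountLocked.
Const statusOk = "scriptRes:Ok:"
Const statusBad = "scriptRes:Bad:"
Const statusUnknown = "scriptRes:Unknown:"
Dim sBase, sNetbios, objConn, objCmd, objRS, objUser, sSam, iLocked, sNames

If WScript.Arguments.Count < 2 Then
   WScript.StdOut.Write statusUnknown & "expected <DNS domain> <NetBIOS domain>"
   WScript.Quit
End If
' contoso.com -> dc=contoso,dc=com
sBase = "dc=" & Replace(WScript.Arguments(0), ".", ",dc=")
sNetbios = WScript.Arguments(1)   ' assumption: NetBIOS name for the WinNT provider

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
' Same filter as the post above: non-zero lockoutTime and not disabled
objCmd.CommandText = "<LDAP://" & sBase & ">;(&(objectCategory=Person)(objectClass=User)" & _
   "(lockoutTime>=1)(!userAccountControl:1.2.840.113556.1.4.803:=2));samAccountName;Subtree"
objCmd.Properties("Page Size") = 1000
Set objRS = objCmd.Execute

iLocked = 0 : sNames = ""
Do While Not objRS.EOF
   sSam = objRS.Fields("samAccountName").Value
   ' Confirm the candidate is locked right now; accounts that cannot be bound are skipped
   Set objUser = Nothing
   On Error Resume Next
   Set objUser = GetObject("WinNT://" & sNetbios & "/" & sSam & ",user")
   On Error GoTo 0
   If Not objUser Is Nothing Then
      If objUser.IsAccountLocked Then
         If iLocked > 0 Then sNames = sNames & " / "
         sNames = sNames & sSam
         iLocked = iLocked + 1
      End If
   End If
   objRS.MoveNext
Loop

If iLocked > 0 Then
   WScript.StdOut.Write statusBad & "Locked out users: " & iLocked & " -> " & sNames
Else
   WScript.StdOut.Write statusOk & "0"
End If
```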