Quickly List Locked Out Domain Accounts

By paul_almon
My company has approximately 300 domain user accounts. Rather than wait for everyone with a locked-out account to submit a HelpDesk request, we would prefer to just go through all the accounts first thing in the morning and re-enable those that need it. However, this can be very tedious and time consuming. How can we quickly query and list all locked out accounts so we can go right to them?

From a security standpoint it doesn't make much sense. If all you're going to do with a locked account is unlock it with no questions asked, why have a lockout policy set in the first place?

Anyway, with that said, this LDAP query will get what you want.
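The reply above refers to an LDAP query that did not survive on the page. As an added example (not code from the thread or from any of its posters), the following PowerShell lists the accounts that are currently locked out, and shows how that differs from a query for disabled accounts. It assumes a domain-joined Windows host with the ActiveDirectory module (RSAT) installed and an account that can read the domain; `$pdc`, `$locked` and `$disabled` are names chosen here.

```powershell
# Added example, not from the thread. Assumes a domain-joined host, the
# ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# badPwdCount and badPasswordTime are not replicated between DCs; failed
# attempts are forwarded to the PDC emulator, so query it for the totals.
$pdc = (Get-ADDomain).PDCEmulator

# Locked out and disabled are different states:
#   locked out -> lockoutTime is set and the lockout duration has not expired
#   disabled   -> bit 2 (ACCOUNTDISABLE) of userAccountControl is set
# LockedOut is computed by the DC and already accounts for an expired
# lockout duration; the raw lockoutTime filter only narrows the search.
$query = @{
    Server     = $pdc
    LDAPFilter = '(lockoutTime>=1)'
    Properties = 'LockedOut', 'lockoutTime', 'badPwdCount', 'LastBadPasswordAttempt'
}
$locked = Get-ADUser @query | Where-Object { $_.LockedOut }

$locked |
    Select-Object SamAccountName,
        @{ n = 'LockedAt'; e = { [DateTime]::FromFileTime($_.lockoutTime) } },
        badPwdCount, LastBadPasswordAttempt, Enabled |
    Sort-Object LockedAt -Descending |
    Format-Table -AutoSize

# For contrast: the filter the VBScript later in this thread uses returns
# disabled accounts, which is not what the original question asks for.
$disabled = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)'
'{0} locked out, {1} disabled' -f @($locked).Count, @($disabled).Count

# Once a lockout has been reviewed (see what caused the failed attempts first),
# a single account is unlocked with: Unlock-ADAccount -Identity <SamAccountName>
```

Querying the PDC emulator matters because `badPwdCount` is kept per domain controller; a DC that saw none of the failed attempts will report zero for an account that is nonetheless locked out domain-wide.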


by Blowtoad In reply to Quickly List Locked Out D ...

Here is a VB script that will list all disabled (aka locked) accounts.

Save it as ListDisabledAccts.vbs

Running it without arguments will display help.
Running it with your domain name in the fully qualified LDAP form (as in the example in the help) will list the locked accounts.

by Blowtoad In reply to

'* ListDisabledAccts.vbs
'* Lists locked (disabled) accounts in a domain
'* BlowToad
'* Mostly taken from Microsoft Hey Scripting Guy article.
'* Modified to make it more friendly to my needs
Option Explicit

' Show usage and stop. The posted version built the message but never
' displayed it, and the help paths fell through into the LDAP query.
Sub OutputSyntax()
    Dim strMsg
    strMsg = vbCrLf _
        & "ListDisabledAccts.vbs" & vbCrLf & "Lists accounts that are disabled " & vbCrLf & vbCrLf _
        & "Usage: CSCRIPT ListDisabledAccts.vbs " & "[ domain_name]" & vbCrLf & vbCrLf _
        & "Where: " & Chr(34) & "domain_name" & Chr(34) _
        & " is the name of the domain (or portion of a domain) to scan" & vbCrLf _
        & "domain_name example: " & Chr(34) & "ou=accounting,ou=departments,dc=techrepublic,dc=com" & Chr(34) & vbCrLf & vbCrLf
    WScript.Echo strMsg
    WScript.Quit 1
End Sub

Dim strDomainName
Select Case WScript.Arguments.Count
    Case 1
        strDomainName = UCase(WScript.Arguments(0))
        ' a "?" anywhere in the argument is a request for help
        If InStr(strDomainName, "?") > 0 Then OutputSyntax
    Case Else
        ' no argument (or too many) also shows help
        OutputSyntax
End Select

' No "On Error Resume Next" here: a bad search base or a failed bind should
' produce an error rather than an empty list that looks like "nothing is locked".
Dim oConnection, oCmd, oRecords
Set oConnection = CreateObject("ADODB.Connection")
Set oCmd = CreateObject("ADODB.Command")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"
Set oCmd.ActiveConnection = oConnection
oCmd.Properties("Page Size") = 1000   ' page the results so more than 1000 rows come back

' ADO LDAP dialect: <base>;filter;attributes;scope
' Bit 2 of userAccountControl (ACCOUNTDISABLE) tested with the bitwise AND matching rule
oCmd.CommandText = "<LDAP://" & strDomainName & ">;" _
    & "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));Name;subtree"

Set oRecords = oCmd.Execute
Do Until oRecords.EOF
    WScript.Echo oRecords.Fields("Name").Value
    oRecords.MoveNext   ' without this the posted loop never advances
Loop
oRecords.Close
oConnection.Close

by Blowtoad In reply to

The web page makes it look ugly and there are no comments because TR forces a limit of 2000 chars per posting. It SHOULD still work though.

AllGoodNamesTaken is right about this not making for strong security. But sometimes the CEO doesn't care, he just gets upset about his account being locked all the time.

The only halfway reasonable situation that I can think of that you might want this is that lots of your accounts get locked overnight due to excessive bad password attempts from the outside. If that is the case, this is not the best solution. You need a firewall and you need to block it at your perimeter. Your users can VPN in if needed.

If the bad attempts are internal, you better find the bad guy and fill his or her office with fire ants.
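The post above says to find where the bad attempts come from before unlocking anything. As an added example (not code from the thread or any of its posters), this PowerShell pulls the lockout events from the PDC emulator's Security log and groups them by the machine that caused them. It assumes account-management auditing is enabled so that event ID 4740 ("A user account was locked out") is written, that the Security log on the PDC emulator is readable by the account running it, and that the ActiveDirectory module is available; `$pdc`, `$since` and `$lockouts` are names chosen here.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module, read
# access to the PDC emulator's Security log, and auditing that produces 4740.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator

# Every lockout, whichever DC saw the bad passwords, is recorded on the PDC emulator.
$since  = (Get-Date).AddHours(-12)
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

# In 4740 the locked account is TargetUserName; the "Caller Computer Name"
# (the machine the failed attempts came from) is carried in TargetDomainName.
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $data['TargetUserName']
        Source  = $data['TargetDomainName']
    }
}

# One source machine locking out many accounts is the pattern to look at first;
# one account locked repeatedly from its owner's own workstation is usually a
# stale saved password (mapped drive, scheduled task, phone) rather than an attack.
$lockouts |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

If the source column is empty or names a domain controller, the failures reached the DC through a service rather than an interactive logon; the failed-logon events on that DC (4625 for NTLM, 4771 for Kerberos pre-authentication) carry the client IP address and are the next place to look.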