    Quickly List Locked Out Domain Accounts

    by paul_almon ·

    My company has approximately 300 domain user accounts. Rather than wait for everyone with a locked-out account to submit a HelpDesk request, we would prefer to just go through all the accounts first thing in the morning and re-enable those that need it. However, this can be very tedious and time consuming. How can we quickly query and list all locked out accounts so we can go right to them?

    • #3115019

      Reply To: Quickly List Locked Out Domain Accounts

      by allthegoodnamesweregone ·

      In reply to Quickly List Locked Out Domain Accounts

      From a security standpoint it doesn't make much sense. If all you're going to do with a locked account is unlock it with no questions asked, why have a lockout policy set in the first place?

      Anyway, with that said, this LDAP query will get what you want.

      (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
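
      The filter in the reply above returns every account whose lockoutTime is non-zero, but Active Directory does not reset lockoutTime when the domain's lockoutDuration elapses; it is zeroed only on the next successful logon or an administrative unlock, so the list can include accounts that are no longer locked. The Python below is added here and is not part of the thread: it computes the effective state from lockoutTime and lockoutDuration (both large integers in 100-nanosecond units), and the sample entries, account names and times are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Both attributes are large integers in 100-nanosecond units (lockoutDuration is negative).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKED_OUT_FILTER = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"
UNLOCK_BY_ADMIN_ONLY = -0x8000000000000000  # lockoutDuration sentinel: lock never expires

def filetime_to_datetime(ft: int) -> datetime:
    """100-ns intervals since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond resolution)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def lockout_duration_to_timedelta(ld: int) -> Optional[timedelta]:
    """Negative interval -> positive timedelta; None when only an admin can unlock."""
    if ld == UNLOCK_BY_ADMIN_ONLY:
        return None
    return timedelta(microseconds=(-ld) // 10)

def is_effectively_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True if the lock recorded in lockoutTime is still in force at `now`."""
    if lockout_time == 0:
        return False  # zeroed by a successful logon or an explicit unlock
    window = lockout_duration_to_timedelta(lockout_duration)
    if window is None:
        return True
    return filetime_to_datetime(lockout_time) + window > now

def triage(entries, lockout_duration: int, now: datetime):
    """Split filter results into (still locked, stale lockoutTime) by sAMAccountName."""
    still, stale = [], []
    for e in entries:
        target = still if is_effectively_locked(e["lockoutTime"], lockout_duration, now) else stale
        target.append(e["sAMAccountName"])
    return still, stale

# Constructed sample: domain lockoutDuration of 30 minutes, list checked at 08:00 UTC.
THIRTY_MINUTES = -18_000_000_000
NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [  # what (lockoutTime>=1) would return; made-up accounts and times
    {"sAMAccountName": "a.user", "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    {"sAMAccountName": "b.user", "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=6))},
]

print(triage(SAMPLE_ENTRIES, THIRTY_MINUTES, NOW))  # (['a.user'], ['b.user'])
```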

    • #3115015

      Reply To: Quickly List Locked Out Domain Accounts

      by blowtoad ·

      In reply to Quickly List Locked Out Domain Accounts

      Here is a VBScript that will list all disabled (aka locked) accounts.

      Save it as ListDisabledAccts.vbs

      Running it w/o arguments will display help.
      Running it with your domain name in the FQ LDAP form (as in the example in the help) will list the locked accounts.

      • #3115012

        Reply To: Quickly List Locked Out Domain Accounts

        by blowtoad ·

        In reply to Reply To: Quickly List Locked Out Domain Accounts

        '* ListDisabledAccts.vbs
        '* Lists locked (disabled) accounts in a domain
        '* BlowToad
        '* Mostly taken from Microsoft Hey Scripting Guy article.
        '* http://www.microsoft.com/technet/scriptcenter/resources/qanda/may05/hey0512.mspx
        '* Modified to make it more friendly to my needs
        Option Explicit

        ' Print the usage text and exit with a non-zero code
        Function OutputSyntax()
            Dim strMsg
            strMsg = strMsg & vbCrLf _
                & "ListDisabledAccts.vbs" & vbCrLf & "Lists accounts that are disabled " & vbCrLf & vbCrLf _
                & "Usage: CSCRIPT ListDisabledAccts.vbs " & "[ domain_name]" & vbCrLf & vbCrLf _
                & "Where: " & Chr(34) & "domain_name" & Chr(34) _
                & " is the name of the domain (or portion of a domain) to scan" & vbCrLf _
                & "domain_name example: " & Chr(34) & "ou=accounting,ou=departments,dc=techrepublic,dc=com" & Chr(34) & vbCrLf & vbCrLf
            WScript.Echo strMsg
            WScript.Quit 1
        End Function

        Dim strDomainName
        Dim oConnection
        Dim oCmd
        Dim oRecords

        Select Case WScript.Arguments.Count
            Case 0
                OutputSyntax
            Case 1
                strDomainName = UCase(WScript.Arguments(0))
                ' A "?" anywhere in the argument means the user wants help
                If InStr(strDomainName, "?") > 0 Then OutputSyntax

                ' Query Active Directory through the ADSI OLE DB provider
                Set oConnection = CreateObject("ADODB.Connection")
                Set oCmd = CreateObject("ADODB.Command")
                oConnection.Provider = "ADsDSOObject"
                oConnection.Open "Active Directory Provider"
                Set oCmd.ActiveConnection = oConnection
                ' Page the results so more than 1000 matches come back
                oCmd.Properties("Page Size") = 1000
                ' Search base is the DN given on the command line (the original posting never
                ' used it); the bitwise-AND rule matches userAccountControl flag 2 = ACCOUNTDISABLE
                oCmd.CommandText = "<LDAP://" & strDomainName & ">;" _
                    & "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));" _
                    & "Name;subtree"
                Set oRecords = oCmd.Execute
                ' No MoveFirst: an empty result set would raise an error there
                Do Until oRecords.EOF
                    WScript.Echo oRecords.Fields("Name").Value
                    oRecords.MoveNext
                Loop
                oRecords.Close
                oConnection.Close
            Case Else
                OutputSyntax
        End Select

      • #3115007

        Reply To: Quickly List Locked Out Domain Accounts

        by blowtoad ·

        In reply to Reply To: Quickly List Locked Out Domain Accounts

        The web page makes it look ugly and there are no comments because TR forces a limit of 2000 chars per posting. It SHOULD still work though.

        AllGoodNamesTaken is right about this not making for strong security. But sometimes the CEO doesn't care, he just gets upset about his account being locked all the time.

        The only halfway reasonable situation that I can think of where you might want this is that lots of your accounts get locked overnight due to excessive bad password attempts from the outside. If that is the case, this is not the best solution. You need a firewall and you need to block it at your perimeter. Your users can VPN in if needed.

        If the bad attempts are internal, you better find the bad guy and fill his or her office with fire ants.
