In this article I am going write vbscript code to Find and List Active Directory Locked-Out User Accounts and Export currently Locked-Out User Accounts to CSV file. Here, we are using two attributes LockoutTime and msDS-User-Account-Control-Computed to find currently locked-out users.
Summary
- Find and List Currently Locked-Out AD Users in VBScript
- Export Locked-Out AD Users into CSV file
- Export Locked-Out AD Users from specific OU
- Export Locked-Out AD Users into CSV file by dynamic CSV path
VBScript to Find and List currently Locked-Out AD Users
1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Save the file with a .vbs extension, for example: FindLockedoutADUsers.vbs
4. Double-click the vbscript file (or Run this file from command window) to find and list Locked-Out Active Directory users.
Usage in CMD: In Command prompt, you can use built-in utility CScript to run vbscript file
C:> CScript C:ScriptsFindLockedoutADUsers.vbs -or- C:>CScript C:ScriptsFindLockedoutADUsers.vbs > C:ScriptsLockoutUsers.txt
Click to get vbscript source code as a file Download FindLockedoutADUsers.vbs
' FindLockedoutADUsers.vbs
' Sample VBScript to Find and List Locked-Out Active Directory users.
' Author: https://www.morgantechspace.com/
' Usage in CMD: C:> CScript C:ScriptsFindLockedoutADUsers.vbs
' -or- C:>CScript C:ScriptsFindLockedoutADUsers.vbs > C:ScriptsLockoutUsers.txt
' ------------------------------------------------------'
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"
' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Ensure the user is still in locked-out state by checking UF_LOCKOUT flag
' in the msDS-User-Account-Control-Computed attribute
lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
If (lockoutFlag and Flag_LOCKOUT) Then
WScript.Echo adoRecordset.Fields("samaccountname").Value &" ---> " _
& adoRecordset.Fields("distinguishedname").Value
End If
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop
' close ado connections.
adoRecordset.Close
adoConnection.Close
' Active Directory Locked-out Users listed successfully...
Export Locked-Out AD Users to CSV file using VBScript
1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Here, I have given csv file path as “ADLockedUsers.csv”, this will create ADLockedUsers.csv file where you placed and execute this VB Script file. You can give your own file path like “C:\UsersAdministratorDesktopADLockedUsers.csv”
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsers.vbs
4. Double-click the VBScript file (or Run this file from command window) to export Locked-Out Active Directory users into csv file.
Click to get vbscript source code as a file Download ExportLockedoutADUsers.vbs
' ExportLockedoutADUsers.vbs
' Sample VBScript to Find and Export Locked-out AD users into CSV file .
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------'
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"
' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Create CSV file
Const ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Here, I have given CSV file path as "ADLockedUsers.csv", this will create ADUsers.csv file
' where you placed and execute this VB Script file. You can give your own file path
' like "C:\UsersAdministratorDesktopADLockedUsers.csv"
Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", _
ForWriting, True)
' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.Writeline ' New Line
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values and write into CSV file.
' Ensure the user is still in locked-out state by checking UF_LOCKOUT flag
' in the msDS-User-Account-Control-Computed attribute
lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
If (lockoutFlag and Flag_LOCKOUT) Then
objCSVFile.Write adoRecordset.Fields("name").Value & ","
objCSVFile.Write adoRecordset.Fields("samaccountname").Value & ","
objCSVFile.Write adoRecordset.Fields("distinguishedname").Value & ","
objCSVFile.Write adoRecordset.Fields("mail").Value & ""
objCSVFile.Writeline ' New Line
End If
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop
objCSVFile.Close
' close ado connections.
adoRecordset.Close
adoConnection.Close
' Active Directory Locked-Out User properties are exported successfully as CSV File
Export Locked-Out AD Users From Specific OU to CSV using VBScript
1. Copy the below example vbscript code and paste it in notepad or a vbscript editor.
2. Change the value for ‘varBaseDN’ into your own OU’s DN .
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsersFromOU.vbs
4. Double-click the vbscript file (or Run this file from command window) to export Locked-Out AD users into csv file.
Click to get vbscript source code as a file Download ExportLockedoutADUsersFromOU.vbs
' ExportLockedoutADUsersFromOU.vbs
' Sample VBScript to Export Locked-out AD users From Specific OU into CSV file .
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------'
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' varBaseDN is the OU DN for AD Serach Scope, you can give your own OU's Distinguished Name here.
varBaseDN = "<LDAP://OU=London,DC=Work2008,DC=Local>"
' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Create CSV file
Const ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Here, I have given CSV file path as "ADLockedUsers.csv", this will create ADUsers.csv file
' where you placed and execute this VB Script file. You can give your own file path
' like "C:\UsersAdministratorDesktopADLockedUsers.csv"
Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", _
ForWriting, True)
' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.Writeline ' New Line
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values and write into CSV file.
' Ensure the user is still in locked out state by checking UF_LOCKOUT flag
' in the msDS-User-Account-Control-Computed attribute
lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
If (lockoutFlag and Flag_LOCKOUT) Then
objCSVFile.Write adoRecordset.Fields("name").Value & ","
objCSVFile.Write adoRecordset.Fields("samaccountname").Value & ","
objCSVFile.Write adoRecordset.Fields("distinguishedname").Value & ","
objCSVFile.Write adoRecordset.Fields("mail").Value & ""
objCSVFile.Writeline ' New Line
End If
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop
objCSVFile.Close
' close ado connections.
adoRecordset.Close
adoConnection.Close
' AD Locked-Out Users properties are exported successfully as CSV File
Export Locked-Out AD users to CSV file by dynamic CSV path using VBScript
1. Copy the below example vbscript code and paste it in notepad or a vbscript editor.
2. Save the file with a .vbs extension, for example: ExportLockedoutADUsersbyDynamicPath.vbs
3. Double-click the vbscript file (or Run this file from command window) to export Locked-out AD users.
4. Give the CSV file path to save locked out user attributes and click OK to proceed.
Click to get vbscript code as a file Download ExportLockedoutADUsersbyDynamicPath.vbs
' ExportLockedoutADUsersbyDynamicPath.vbs
' Sample VBScript to Find and Export Locked-out AD users into CSV file
' by dynamically asking CSV file path from User.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------'
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim csvFilePath
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Asks CSV File path from user to save new file.
Do
csvFilePath = InputBox ("Please enter CSV file path.- Ex: C:ADUsers.csv")
If csvFilePath= "" then
Msgbox "No file path entered"
end if
Loop Until csvFilePath <> ""
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"
' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Create CSV file
Const ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCSVFile = objFSO.CreateTextFile(csvFilePath , _
ForWriting, True)
' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.Writeline ' New Line
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values and write into CSV file.
' Ensure the user is still in locked out state by checking UF_LOCKOUT flag
' in the msDS-User-Account-Control-Computed attribute
lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
If (lockoutFlag and Flag_LOCKOUT) Then
objCSVFile.Write adoRecordset.Fields("name").Value & ","
objCSVFile.Write adoRecordset.Fields("samaccountname").Value & ","
objCSVFile.Write adoRecordset.Fields("distinguishedname").Value & ","
objCSVFile.Write adoRecordset.Fields("mail").Value & ""
objCSVFile.Writeline ' New Line
End If
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop
objCSVFile.Close
' close ado connections.
adoRecordset.Close
adoConnection.Close
' Locked-Out AD User properties are exported successfully as CSV File
Exported CSV File Output of Locked-Out AD Users:
Advertisement