Summary
- Find and List Currently Locked-Out AD Users in VBScript
- Export Locked-Out AD Users into CSV file
- Export Locked-Out AD Users from specific OU
- Export Locked-Out AD Users into CSV file by dynamic CSV path
VBScript to Find and List currently Locked-Out AD Users
1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Save the file with a .vbs extension, for example: FindLockedoutADUsers.vbs
3. Double-click the VBScript file (or run it from a command window) to find and list locked-out Active Directory users.

Usage in CMD: At the command prompt, use the built-in CScript utility to run the VBScript file. Under CScript each result is printed to the console; when the file is double-clicked, WScript.Echo shows each result in its own message box.

```
C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs
```

-or-, to save the output to a text file:

```
C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs > C:\Scripts\LockoutUsers.txt
```
```vbscript
' FindLockedoutADUsers.vbs
' Sample VBScript to Find and List Locked-Out Active Directory users.
' Author: https://www.morgantechspace.com/
' Usage in CMD: C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs
' -or- C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs > C:\Scripts\LockoutUsers.txt
' ------------------------------------------------------'

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim lockoutFlag
Const Flag_LOCKOUT = 16

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Ensure the user is still in locked-out state by checking UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        WScript.Echo adoRecordset.Fields("samaccountname").Value & " ---> " _
            & adoRecordset.Fields("distinguishedname").Value
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' close ado connections.
adoRecordset.Close
adoConnection.Close

' Active Directory Locked-out Users listed successfully...
```
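When triaging lockouts it helps to know when each account was locked, which the listing above does not show. The following variant is an added example, not code from the original page: it also retrieves lockoutTime and converts it to a readable UTC date. The helper name FileTimeToUtc is hypothetical, and the script assumes it is run with CScript on a domain-joined machine.

```vbscript
' Added example: list currently locked-out users together with the time of lockout.
Option Explicit

Dim conn, cmd, rs, rootDSE, baseDN, flags
Const UF_LOCKOUT = 16

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn

Set rootDSE = GetObject("LDAP://RootDSE")
baseDN = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"

' Same filter idea as the page's script, with lockoutTime added to the attribute list.
cmd.CommandText = baseDN & ";" & _
    "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1));" & _
    "sAMAccountName,lockoutTime,msDS-User-Account-Control-Computed;subtree"
cmd.Properties("Page Size") = 1000

Set rs = cmd.Execute
Do Until rs.EOF
    ' lockoutTime stays non-zero after the lockout expires, so confirm UF_LOCKOUT.
    flags = rs.Fields("msDS-User-Account-Control-Computed").Value
    If (flags And UF_LOCKOUT) Then
        WScript.Echo rs.Fields("sAMAccountName").Value & vbTab & _
            FileTimeToUtc(rs.Fields("lockoutTime").Value) & " UTC"
    End If
    rs.MoveNext
Loop
rs.Close
conn.Close

' Hypothetical helper: convert an Integer8 value (returned by ADO as an
' IADsLargeInteger object; 100-ns ticks since 1601-01-01 UTC) to a Date.
Function FileTimeToUtc(objLargeInt)
    Dim high, low
    high = objLargeInt.HighPart
    low = objLargeInt.LowPart
    ' LowPart is a signed 32-bit value; compensate when its top bit is set.
    If low < 0 Then high = high + 1
    ' 600,000,000 ticks per minute, 1440 minutes per day.
    FileTimeToUtc = #1/1/1601# + ((high * 4294967296) + low) / 600000000 / 1440
End Function
```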
Export Locked-Out AD Users to CSV file using VBScript
1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. The CSV file path is set to "ADLockedUsers.csv", so ADLockedUsers.csv is created in the folder from which you run this VBScript file. You can give your own file path, like "C:\Users\Administrator\Desktop\ADLockedUsers.csv".
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsers.vbs
4. Double-click the VBScript file (or run it from a command window) to export locked-out Active Directory users into a CSV file.
```vbscript
' ExportLockedoutADUsers.vbs
' Sample VBScript to Find and Export Locked-out AD users into CSV file.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------'

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Create CSV file
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Here, I have given CSV file path as "ADLockedUsers.csv", this will create ADLockedUsers.csv file
' where you placed and execute this VB Script file. You can give your own file path
' like "C:\Users\Administrator\Desktop\ADLockedUsers.csv"
' CreateTextFile arguments: file name, overwrite = True, unicode = True.
Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", True, True)

' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.Writeline ' New Line

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and write into CSV file.
    ' Ensure the user is still in locked-out state by checking UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        objCSVFile.Write CsvField(adoRecordset.Fields("name").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("samaccountname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("distinguishedname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("mail").Value)
        objCSVFile.Writeline ' New Line
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

objCSVFile.Close

' close ado connections.
adoRecordset.Close
adoConnection.Close

' Active Directory Locked-Out User properties are exported successfully as CSV File

' Quote a value for CSV: distinguishedName always contains commas, and
' mail can be empty (Null) for users without a mail address.
Function CsvField(value)
    CsvField = """" & Replace(value & "", """", """""") & """"
End Function
```
Export Locked-Out AD Users From Specific OU to CSV using VBScript
1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Change the value of 'varBaseDN' to your own OU's DN.
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsersFromOU.vbs
4. Double-click the VBScript file (or run it from a command window) to export locked-out AD users into a CSV file.
```vbscript
' ExportLockedoutADUsersFromOU.vbs
' Sample VBScript to Export Locked-out AD users From Specific OU into CSV file.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------'

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' varBaseDN is the OU DN for AD Search Scope, you can give your own OU's Distinguished Name here.
varBaseDN = "<LDAP://OU=London,DC=Work2008,DC=Local>"

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Create CSV file
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Here, I have given CSV file path as "ADLockedUsers.csv", this will create ADLockedUsers.csv file
' where you placed and execute this VB Script file. You can give your own file path
' like "C:\Users\Administrator\Desktop\ADLockedUsers.csv"
' CreateTextFile arguments: file name, overwrite = True, unicode = True.
Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", True, True)

' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.Writeline ' New Line

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and write into CSV file.
    ' Ensure the user is still in locked out state by checking UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        objCSVFile.Write CsvField(adoRecordset.Fields("name").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("samaccountname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("distinguishedname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("mail").Value)
        objCSVFile.Writeline ' New Line
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

objCSVFile.Close

' close ado connections.
adoRecordset.Close
adoConnection.Close

' AD Locked-Out Users properties are exported successfully as CSV File

' Quote a value for CSV: distinguishedName always contains commas, and
' mail can be empty (Null) for users without a mail address.
Function CsvField(value)
    CsvField = """" & Replace(value & "", """", """""") & """"
End Function
```
Export Locked-Out AD users to CSV file by dynamic CSV path using VBScript
1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Save the file with a .vbs extension, for example: ExportLockedoutADUsersbyDynamicPath.vbs
3. Double-click the VBScript file (or run it from a command window) to export locked-out AD users.
4. When prompted, enter the CSV file path in which to save the locked-out user attributes and click OK to proceed.
```vbscript
' ExportLockedoutADUsersbyDynamicPath.vbs
' Sample VBScript to Find and Export Locked-out AD users into CSV file
' by dynamically asking CSV file path from User.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------'

Option Explicit

' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim csvFilePath
Dim lockoutFlag
Const Flag_LOCKOUT = 16

' Asks CSV File path from user to save new file.
Do
    csvFilePath = InputBox("Please enter CSV file path.- Ex: C:\ADUsers.csv")
    If csvFilePath = "" Then
        MsgBox "No file path entered"
    End If
Loop Until csvFilePath <> ""

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Create CSV file
' CreateTextFile arguments: file name, overwrite = True, unicode = True.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCSVFile = objFSO.CreateTextFile(csvFilePath, True, True)

' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.Writeline ' New Line

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and write into CSV file.
    ' Ensure the user is still in locked out state by checking UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        objCSVFile.Write CsvField(adoRecordset.Fields("name").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("samaccountname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("distinguishedname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("mail").Value)
        objCSVFile.Writeline ' New Line
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

objCSVFile.Close

' close ado connections.
adoRecordset.Close
adoConnection.Close

' Locked-Out AD User properties are exported successfully as CSV File

' Quote a value for CSV: distinguishedName always contains commas, and
' mail can be empty (Null) for users without a mail address.
Function CsvField(value)
    CsvField = """" & Replace(value & "", """", """""") & """"
End Function
```