Find and Export Locked-Out AD Users with VBScript

In this article I am going to write VBScript code to find and list Active Directory locked-out user accounts and to export the currently locked-out accounts to a CSV file. Two attributes are used together: LockoutTime, which the LDAP filter uses to select accounts that have been locked at some point, and msDS-User-Account-Control-Computed, whose UF_LOCKOUT bit confirms that the account is still locked right now.

Summary

VBScript to Find and List currently Locked-Out AD Users

1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Save the file with a .vbs extension, for example: FindLockedoutADUsers.vbs
3. Double-click the VBScript file (or run it from a command window) to find and list the locked-out Active Directory users.

Usage in CMD: at a command prompt, you can use the built-in CScript utility to run the VBScript file:

C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs
-or-
C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs > C:\Scripts\LockoutUsers.txt

VBScript to Find and List Locked Out AD Users

Download the script as a file: FindLockedoutADUsers.vbs

' FindLockedoutADUsers.vbs
' Sample VBScript to Find and List Locked-Out Active Directory users.
' Author: https://www.morgantechspace.com/
' Usage in CMD: C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs
' -or- C:\> CScript C:\Scripts\FindLockedoutADUsers.vbs > C:\Scripts\LockoutUsers.txt
' ------------------------------------------------------' 
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "samaccountname,distinguishedname"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF

    ' Ensure the user is still in locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute: LockoutTime is not reset
    ' when the lockout duration expires, so it alone cannot confirm the current state.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value

    If (lockoutFlag and Flag_LOCKOUT) Then

      WScript.Echo adoRecordset.Fields("samaccountname").Value &" ---> " _
      & adoRecordset.Fields("distinguishedname").Value

    End If

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' close ado connections.
adoRecordset.Close
adoConnection.Close

' Active Directory Locked-out Users listed successfully...

Export Locked-Out AD Users to CSV file using VBScript

1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. The CSV file path is given as "ADLockedUsers.csv", so the file is created in the folder from which you run the script. You can give your own path instead, for example "C:\Users\Administrator\Desktop\ADLockedUsers.csv".
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsers.vbs
4. Double-click the VBScript file (or run it from a command window) to export the locked-out Active Directory users to the CSV file.

Download the script as a file: ExportLockedoutADUsers.vbs

' ExportLockedoutADUsers.vbs
' Sample VBScript to Find and Export Locked-out AD users into CSV file .
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------' 
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Create CSV file 
Const ForWriting = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")

' The CSV file path is given as "ADLockedUsers.csv", so the file is created in the
' folder from which this script is run. You can give your own path instead,
' for example "C:\Users\Administrator\Desktop\ADLockedUsers.csv"

Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", _ 
    ForWriting, True)

' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.WriteLine ' New line

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF

    ' Retrieve values and write them into the CSV file.

    ' Ensure the user is still in locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute: LockoutTime is not reset
    ' when the lockout duration expires, so it alone cannot confirm the current state.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value

    If (lockoutFlag and Flag_LOCKOUT) Then

     ' Quote every value: distinguishedName always contains commas, which would
     ' otherwise split it across CSV columns. A missing mail attribute (Null)
     ' becomes an empty cell.
     objCSVFile.Write """" & adoRecordset.Fields("name").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("samaccountname").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("distinguishedname").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("mail").Value & """"
     objCSVFile.WriteLine ' New line

    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

 objCSVFile.Close

' close ado connections.
adoRecordset.Close
adoConnection.Close

' Active Directory Locked-Out User properties are exported successfully as CSV File
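The lockout test these scripts make, re-stated as an added Python example that is not the article's code and does not talk to ADO or LDAP: it applies the same LockoutTime / UF_LOCKOUT two-step to constructed sample records, decodes LockoutTime (a Windows FILETIME) into a readable timestamp, and writes the CSV with every field quoted, because distinguishedName always contains commas. The sample records, the example.com domain and the extra lockedSince column are assumptions made for this example.

```python
# Added example (not from the original article): the two-attribute lockout
# check the VBScripts perform, applied to constructed sample records, plus
# FILETIME decoding of lockoutTime and a CSV export that quotes every field.
import csv
import io
from datetime import datetime, timedelta, timezone

UF_LOCKOUT = 0x10  # same bit the scripts test as Flag_LOCKOUT = 16

# lockoutTime is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD Integer8 lockoutTime value to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_currently_locked(record):
    """Mirror the VBScript logic.

    lockoutTime >= 1 only says the account *was* locked at some point; the
    attribute is not cleared when the lockout duration expires. The live
    state is the UF_LOCKOUT bit of msDS-User-Account-Control-Computed.
    """
    if (record.get("lockoutTime") or 0) < 1:
        return False
    return bool(record["msDS-User-Account-Control-Computed"] & UF_LOCKOUT)


def locked_samaccountnames(records):
    """Return the sAMAccountNames of the records that are locked right now."""
    return [r["samaccountname"] for r in records if is_currently_locked(r)]


def export_locked_users(records, fileobj):
    """Write currently locked users as CSV using the article's column set.

    Every field is quoted because distinguishedName always contains commas,
    and a missing mail attribute becomes an empty cell. Returns the row count.
    """
    columns = ["name", "samaccountname", "distinguishedname", "mail", "lockedSince"]
    writer = csv.DictWriter(fileobj, fieldnames=columns,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    count = 0
    for rec in records:
        if not is_currently_locked(rec):
            continue
        writer.writerow({
            "name": rec["name"],
            "samaccountname": rec["samaccountname"],
            "distinguishedname": rec["distinguishedname"],
            "mail": rec.get("mail") or "",
            "lockedSince": filetime_to_datetime(rec["lockoutTime"]).isoformat(),
        })
        count += 1
    return count


# Constructed sample records (not real directory data): the attribute set the
# article's LDAP query returns, for three hypothetical users.
SAMPLE_RECORDS = [
    {   # locked right now: lockoutTime set and the UF_LOCKOUT bit present
        "name": "Alice Example", "samaccountname": "alice",
        "distinguishedname": "CN=Alice Example,OU=London,DC=example,DC=com",
        "mail": "alice@example.com",
        "lockoutTime": 133_000_000_000_000_000,
        "msDS-User-Account-Control-Computed": UF_LOCKOUT,
    },
    {   # stale lockoutTime: the lockout already expired, bit not set
        "name": "Bob Example", "samaccountname": "bob",
        "distinguishedname": "CN=Bob Example,OU=London,DC=example,DC=com",
        "mail": None,
        "lockoutTime": 132_500_000_000_000_000,
        "msDS-User-Account-Control-Computed": 0,
    },
    {   # never locked
        "name": "Carol Example", "samaccountname": "carol",
        "distinguishedname": "CN=Carol Example,OU=Paris,DC=example,DC=com",
        "mail": "carol@example.com",
        "lockoutTime": 0,
        "msDS-User-Account-Control-Computed": 0,
    },
]


def export_sample_to_string():
    """Run the export over the constructed records and return the CSV text."""
    buf = io.StringIO()
    export_locked_users(SAMPLE_RECORDS, buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(export_sample_to_string(), end="")
```

Only Alice appears in the output: Bob still has a non-zero lockoutTime (the LDAP filter alone would have listed him) but his UF_LOCKOUT bit is clear, which is exactly the case the second check in the scripts exists for. Quoting the DN keeps "CN=Alice Example,OU=London,DC=example,DC=com" in a single column.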

Export Locked-Out AD Users From Specific OU to CSV using VBScript

1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Change the value of 'varBaseDN' to your own OU's distinguished name.
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsersFromOU.vbs
4. Double-click the VBScript file (or run it from a command window) to export the locked-out AD users to the CSV file.

Download the script as a file: ExportLockedoutADUsersFromOU.vbs

' ExportLockedoutADUsersFromOU.vbs
' Sample VBScript to Export Locked-out AD users From Specific OU into CSV file .
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------' 
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' varBaseDN is the OU DN used as the AD search scope; give your own OU's distinguished name here.
varBaseDN = "<LDAP://OU=London,DC=Work2008,DC=Local>"

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Create CSV file 
Const ForWriting = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")

' The CSV file path is given as "ADLockedUsers.csv", so the file is created in the
' folder from which this script is run. You can give your own path instead,
' for example "C:\Users\Administrator\Desktop\ADLockedUsers.csv"

Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", _ 
    ForWriting, True)

' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.WriteLine ' New line

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF

    ' Retrieve values and write them into the CSV file.

    ' Ensure the user is still in locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute: LockoutTime is not reset
    ' when the lockout duration expires, so it alone cannot confirm the current state.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value

    If (lockoutFlag and Flag_LOCKOUT) Then

     ' Quote every value: distinguishedName always contains commas, which would
     ' otherwise split it across CSV columns. A missing mail attribute (Null)
     ' becomes an empty cell.
     objCSVFile.Write """" & adoRecordset.Fields("name").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("samaccountname").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("distinguishedname").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("mail").Value & """"
     objCSVFile.WriteLine ' New line

    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

 objCSVFile.Close

' close ado connections.
adoRecordset.Close
adoConnection.Close

' AD Locked-Out Users properties are exported successfully as CSV File

Export Locked-Out AD users to CSV file by dynamic CSV path using VBScript

1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Save the file with a .vbs extension, for example: ExportLockedoutADUsersbyDynamicPath.vbs
3. Double-click the VBScript file (or run it from a command window) to export the locked-out AD users.
4. Enter the CSV file path in which to save the locked-out user attributes and click OK to proceed.

VBScript Export Locked-Out AD User Accounts into CSV file

Download the script as a file: ExportLockedoutADUsersbyDynamicPath.vbs

' ExportLockedoutADUsersbyDynamicPath.vbs
' Sample VBScript to Find and Export Locked-out AD users into CSV file
' by dynamically asking CSV file path from User.
' Author: https://www.morgantechspace.com/
' ------------------------------------------------------' 
Option Explicit
' Initialize required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim csvFilePath 
Dim lockoutFlag
Const Flag_LOCKOUT = 16
' Ask the user for the CSV file path in which to save the new file.
Do
    csvFilePath = InputBox("Please enter the CSV file path, for example: C:\ADUsers.csv")
    If csvFilePath = "" Then
        MsgBox "No file path entered"
    End If
Loop Until csvFilePath <> ""

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")

varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"

' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext"
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" 

' Filter to list locked-out user objects.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"

' Comma delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"

' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Create CSV file 
Const ForWriting = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objCSVFile = objFSO.CreateTextFile(csvFilePath , _ 
    ForWriting, True)

' Write selected AD Attributes as CSV columns(first line)
objCSVFile.Write varAttributes
objCSVFile.WriteLine ' New line

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF

    ' Retrieve values and write them into the CSV file.

    ' Ensure the user is still in locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute: LockoutTime is not reset
    ' when the lockout duration expires, so it alone cannot confirm the current state.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value

    If (lockoutFlag and Flag_LOCKOUT) Then

     ' Quote every value: distinguishedName always contains commas, which would
     ' otherwise split it across CSV columns. A missing mail attribute (Null)
     ' becomes an empty cell.
     objCSVFile.Write """" & adoRecordset.Fields("name").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("samaccountname").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("distinguishedname").Value & ""","
     objCSVFile.Write """" & adoRecordset.Fields("mail").Value & """"
     objCSVFile.WriteLine ' New line

    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

 objCSVFile.Close

' close ado connections.
adoRecordset.Close
adoConnection.Close

' Locked-Out AD User properties are exported successfully as CSV File

Exported CSV File Output of Locked-Out AD Users:

[Screenshot: exported CSV file of locked-out AD users]
