In this article, I am going to write VBScript code to find locked-out AD users and export them to a CSV file. Here, we are using two AD attributes, msDS-User-Account-Control-Computed and lockoutTime, to find the users who are currently locked out: lockoutTime alone is not enough, because it keeps its value after the domain's lockout duration has expired, whereas the UF_LOCKOUT bit of msDS-User-Account-Control-Computed is only set while the account is still locked.
Export Locked Out AD Users to CSV:
1. Copy the example VBScript code below and paste it into Notepad or a VBScript editor.
2. Here, I have given the CSV file path as “ADLockedUsers.csv”; a relative path like this creates ADLockedUsers.csv in the folder where you placed and run the VBScript file. You can give your own full path instead, for example “C:\Users\Administrator\Desktop\ADLockedUsers.csv”.
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsers.vbs
4. Double-click the VBScript file (or run it from a command window) to export the locked-out Active Directory users to the CSV file.
Click to get vbscript source code as a file: Download ExportLockedoutADUsers.vbs
' ExportLockedoutADUsers.vbs
' Sample VBScript to find and export locked-out AD users into a CSV file.
' ------------------------------------------------------
Option Explicit
' Declare required variables.
Dim adoCommand, adoConnection
Dim varBaseDN, varFilter, varAttributes
Dim objRootDSE, varDNSDomain, strQuery, adoRecordset
Dim objFSO, objCSVFile
Dim lockoutFlag
' UF_LOCKOUT bit of msDS-User-Account-Control-Computed; it is set only while the account is still locked.
Const Flag_LOCKOUT = 16
' Set up ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search the entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
varDNSDomain = objRootDSE.Get("defaultNamingContext")
varBaseDN = "<LDAP://" & varDNSDomain & ">"
' varBaseDN is the domain DN; you can give your own OU DN instead of reading "defaultNamingContext",
' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>"
' Filter to list locked-out user objects.
' lockoutTime is not cleared when the lockout duration expires, so this filter also returns
' accounts whose lockout has already ended; the flag check in the loop below removes them.
varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))"
' Comma-delimited list of attribute values to retrieve.
varAttributes = "name,samaccountname,distinguishedname,mail"
' Construct the LDAP syntax query.
strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 1000
adoCommand.Properties("Timeout") = 20
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Create the CSV file.
Const ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Here, I have given the CSV file path as "ADLockedUsers.csv"; this creates ADLockedUsers.csv
' in the folder where you placed and run this VBScript file. You can give your own full path
' like "C:\Users\Administrator\Desktop\ADLockedUsers.csv"
Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", _
    ForWriting, True)
' Write the selected AD attributes as the CSV column headers (first line).
objCSVFile.WriteLine varAttributes
' Enumerate the resulting recordset, retrieve values and write them into the CSV file.
Do Until adoRecordset.EOF
    ' Ensure the user is still in the locked-out state by checking the UF_LOCKOUT flag
    ' in the msDS-User-Account-Control-Computed attribute.
    lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value
    If (lockoutFlag And Flag_LOCKOUT) Then
        ' Each value is quoted: distinguishedName always contains commas and would otherwise
        ' spill across several CSV columns.
        objCSVFile.Write CsvField(adoRecordset.Fields("name").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("samaccountname").Value) & ","
        objCSVFile.Write CsvField(adoRecordset.Fields("distinguishedname").Value) & ","
        objCSVFile.WriteLine CsvField(adoRecordset.Fields("mail").Value)
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop
objCSVFile.Close
' Close ADO connections.
adoRecordset.Close
adoConnection.Close
' Active Directory locked-out user properties are exported successfully as a CSV file.

' Quote a single value for CSV output. Null attribute values (for example a user with no mail)
' become empty strings, and embedded double quotes are doubled as CSV requires.
Function CsvField(varValue)
    Dim strValue
    If IsNull(varValue) Then strValue = "" Else strValue = CStr(varValue)
    CsvField = """" & Replace(strValue, """", """""") & """"
End Function
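The reason the script checks both attributes is easy to miss: a domain controller never resets lockoutTime when the lockout duration passes, and the UF_LOCKOUT bit of msDS-User-Account-Control-Computed is calculated on the fly from lockoutTime and the domain's lockoutDuration. The following Python example is added here to show that calculation offline and is not part of the original VBScript article; the rows, the 30-minute lockoutDuration and the "current time" are constructed sample values, not a real export. It reproduces the script's two-step test (lockoutTime>=1 in the LDAP filter, then the UF_LOCKOUT bit) and writes the survivors with proper CSV quoting.

```python
"""Reproduce AD's 'currently locked out' decision from raw attribute values.

Added example, not code from the original article. FILETIME arithmetic and
the lockoutDuration encoding are standard Active Directory behaviour; every
sample value below is constructed for the demonstration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

UF_LOCKOUT = 0x10                     # the bit the script tests as Flag_LOCKOUT = 16
NEVER_UNLOCK = -0x8000000000000000    # lockoutDuration value meaning "until an admin unlocks"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample lockoutTime values."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def computed_lockout_bit(lockout_time: int, lockout_duration: int, now: datetime) -> int:
    """Return UF_LOCKOUT if the account is still locked, else 0.

    This mirrors how the DC derives the bit in msDS-User-Account-Control-Computed:
    lockoutTime only proves the account was locked at some point; the account is
    still locked while now < lockoutTime + |lockoutDuration|.
    """
    if lockout_time == 0:
        return 0
    if lockout_duration == NEVER_UNLOCK:
        return UF_LOCKOUT
    # lockoutDuration is stored as a negative tick count, so subtracting it adds the window.
    unlock_at = filetime_to_datetime(lockout_time - lockout_duration)
    return UF_LOCKOUT if now < unlock_at else 0


def currently_locked_users(rows, lockout_duration: int, now: datetime):
    """Apply the script's two-step test to a list of attribute dictionaries."""
    locked = []
    for row in rows:
        if row["lockoutTime"] < 1:               # step 1: the LDAP filter (LockoutTime>=1)
            continue
        if computed_lockout_bit(row["lockoutTime"], lockout_duration, now) & UF_LOCKOUT:
            locked.append(row)                   # step 2: If (lockoutFlag And Flag_LOCKOUT)
    return locked


def rows_to_csv(rows, columns=("name", "samaccountname", "distinguishedname", "mail")) -> str:
    """Serialize rows with the csv module so commas inside distinguishedName stay in one cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns), extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)                       # None values (no mail) are written as empty cells
    return buf.getvalue()


# --- constructed sample data (not a real directory export) ---
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
THIRTY_MINUTES = -30 * 60 * 10_000_000           # a 30-minute domain lockoutDuration as AD stores it
SAMPLE_ROWS = [
    {   # locked 10 minutes ago: still inside the window
        "name": "Doe, John", "samaccountname": "jdoe",
        "distinguishedname": "CN=Doe\\, John,OU=Sales,DC=example,DC=com", "mail": "jdoe@example.com",
        "lockoutTime": datetime_to_filetime(datetime(2024, 1, 1, 11, 50, tzinfo=timezone.utc)),
    },
    {   # locked 60 minutes ago: window passed, but lockoutTime is still non-zero (stale)
        "name": "Alice Smith", "samaccountname": "asmith",
        "distinguishedname": "CN=Alice Smith,OU=IT,DC=example,DC=com", "mail": None,
        "lockoutTime": datetime_to_filetime(datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)),
    },
    {   # never locked
        "name": "svc-backup", "samaccountname": "svc-backup",
        "distinguishedname": "CN=svc-backup,OU=Service,DC=example,DC=com", "mail": None,
        "lockoutTime": 0,
    },
]


def demo_locked_samaccountnames():
    return [r["samaccountname"] for r in currently_locked_users(SAMPLE_ROWS, THIRTY_MINUTES, SAMPLE_NOW)]


def demo_csv() -> str:
    return rows_to_csv(currently_locked_users(SAMPLE_ROWS, THIRTY_MINUTES, SAMPLE_NOW))


if __name__ == "__main__":
    print(demo_csv(), end="")
```

Run as a script it prints a header line and the single row for jdoe; asmith is dropped even though her lockoutTime is non-zero, which is exactly the case the script's second check exists for. Setting the duration to NEVER_UNLOCK keeps every account with a non-zero lockoutTime locked until an administrator intervenes.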
Exported CSV File Output of Locked-Out AD Users: