In this article, I am going write vbscript code to find and export locked out AD users to CSV file. Here, we are using two AD attributes msDS-User-Account-Control-Computed and LockoutTime to find currently locked-out users.
Export Locked Out AD Users to CSV:
1. Copy the below example vbscript code and paste it in notepad or in vbscript editor.
2. Here, I have given csv file path as “ADLockedUsers.csv”, this will create ADLockedUsers.csv file where you placed and execute this VB Script file. You can give your own file path like “C:\UsersAdministratorDesktopADLockedUsers.csv”
3. Save the file with a .vbs extension, for example: ExportLockedoutADUsers.vbs
4. Double-click the VBScript file (or Run this file from command window) to export locked out Active Directory users into csv file.
Click to get vbscript source code as a file: Download ExportLockedoutADUsers.vbs
' ExportLockedoutADUsers.vbs ' Sample VBScript to Find and Export Locked-out AD users into CSV file . ' ------------------------------------------------------' Option Explicit ' Initialize required variables. Dim adoCommand, adoConnection Dim varBaseDN, varFilter, varAttributes Dim objRootDSE, varDNSDomain, strQuery, adoRecordset Dim objFSO, objCSVFile Dim lockoutFlag Const Flag_LOCKOUT = 16 ' Setup ADO objects. Set adoCommand = CreateObject("ADODB.Command") Set adoConnection = CreateObject("ADODB.Connection") adoConnection.Provider = "ADsDSOObject" adoConnection.Open "Active Directory Provider" Set adoCommand.ActiveConnection = adoConnection ' Search entire Active Directory domain. Set objRootDSE = GetObject("LDAP://RootDSE") varDNSDomain = objRootDSE.Get("defaultNamingContext") varBaseDN = "<LDAP://" & varDNSDomain & ">" ' varBaseDN is Domain DN, you can give your own OU DN instead of getting from "defaultNamingContext" ' like varBaseDN = "<LDAP://OU=TestOU,DC=Domain,DC=com>" ' Filter to list locked-out user objects. varFilter = "(&(objectCategory=person)(objectClass=user)(SAMAccountType=805306368)(LockoutTime>=1))" ' Comma delimited list of attribute values to retrieve. varAttributes = "name,samaccountname,distinguishedname,mail" ' Construct the LDAP syntax query. strQuery = varBaseDN & ";" & varFilter & ";" & varAttributes & ",msDS-User-Account-Control-Computed;subtree" adoCommand.CommandText = strQuery adoCommand.Properties("Page Size") = 1000 adoCommand.Properties("Timeout") = 20 adoCommand.Properties("Cache Results") = False ' Run the query. Set adoRecordset = adoCommand.Execute ' Create CSV file Const ForWriting = 2 Set objFSO = CreateObject("Scripting.FileSystemObject") ' Here, I have given CSV file path as "ADLockedUsers.csv", this will create ADUsers.csv file ' where you placed and execute this VB Script file. You can give your own file path ' like "C:\UsersAdministratorDesktopADLockedUsers.csv" Set objCSVFile = objFSO.CreateTextFile("ADLockedUsers.csv", _ ForWriting, True) ' Write selected AD Attributes as CSV columns(first line) objCSVFile.Write varAttributes objCSVFile.Writeline ' New Line ' Enumerate the resulting recordset, retrieve values and write into CSV file. Do Until adoRecordset.EOF ' Ensure the user is still in locked-out state by checking UF_LOCKOUT flag ' in the msDS-User-Account-Control-Computed attribute lockoutFlag = adoRecordset.Fields("msDS-User-Account-Control-Computed").Value If (lockoutFlag and Flag_LOCKOUT) Then objCSVFile.Write adoRecordset.Fields("name").Value & "," objCSVFile.Write adoRecordset.Fields("samaccountname").Value & "," objCSVFile.Write adoRecordset.Fields("distinguishedname").Value & "," objCSVFile.Write adoRecordset.Fields("mail").Value & "" objCSVFile.Writeline ' New Line End If ' Move to the next record in the recordset. adoRecordset.MoveNext Loop objCSVFile.Close ' close ado connections. adoRecordset.Close adoConnection.Close ' Active Directory Locked-Out User properties are exported successfully as CSV File
Exported CSV File Output of Locked-Out AD Users:
Advertisement