Enterprise Server Strategies for the CIO- determine if account is enabled or disabled
- retrieve user information such as first name, last name, phone number,
account creation date, etc.
- find out when a user last logged in
- find out when a user's password was last set and when it will expire
- determine if an account is locked out and if it is, unlock it
- check to see if a user's account is set to expire and when
- set a user's account to expire or to never expire
- list all groups in Active Directory
- list all groups that a user is a member of
- add a user to a specific group
While coming up with methods to do each of the tasks mentioned above, I created a 'master' script that referenced each task. I hope you find this script useful. To use it, simply copy the following into a text file using a text editor (I recommend Notepad++), name the file 'ADScripting.vbs' (or something similar), modify the AD specific lines to indicate a specific user, OU and group in your environment, go to a command line, change to the directory that contains the script and type: cscript ADScripting.vbs > UserInfo.txt
'***** Initial Setup *****
Dim StrOU, strUser, strDNSDomain, objCommand
Dim objRootLDAP, objGroup, objUser, strQuery
Dim strDN, objManager, strDateCreated
' Use ADO to get Active Directory information
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
'Get Time Zone Information from local computer
dtmLatestLogon = #1/1/1601#
dtmWhenCreated = #1/1/1601#
strComputer = "."
Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
Set colTimeZones = objWMIService.ExecQuery("Select * From
Win32_TimeZone")
For Each objTimeZone in colTimeZones
intTimeZoneBias = objTimeZone.Bias
intDaylightBias = objTimeZone.DaylightBias
Next
'***** Define User and Group Information *****
'##### -- Change These Values -- #####
strUser = "CN=TestUser," ' Name of existing AD user
strOU = "OU=Test," ' Name of OU that user is in
strGroup = "CN=Test Group," ' Name of existing group to add user to
'##### -- End Section -- #####
'***** Bind to AD and get LDAP name
set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")
'***** Retrieve User Object for specified user *****
set objUser = GetObject ("LDAP://" & strUser & strOU & strDNSDomain)
'***** Check if account is Enabled or Disabled *****
If objUser.AccountDisabled=True Then
Wscript.Echo objUser.DisplayName & "'s account is DISABLED."
Else
Wscript.Echo objUser.DisplayName & "'s account is NOT DISABLED."
End If
'Wscript.Quit
'***** Get User Account Info *****
Wscript.Echo "First Name: " & objUser.Name
Wscript.Echo "Last Name: " & objUser.sn
Wscript.Echo "Title: " & objUser.Title
Wscript.Echo "SAMAccountName: " & objUser.SAMAccountName
Wscript.Echo "Display Name: " & objUser.DisplayName
Wscript.Echo "Distinguished Name: " & objUser.DistinguishedName
Wscript.Echo "Email Address: " & objUser.mail
Wscript.Echo "Telephone Number: " & objUser.TelephoneNumber
Wscript.Echo "Mobile Phone: " & objUser.mobile
Wscript.Echo "Logon Count: " & objUser.LogonCount
Wscript.Echo "Manager: " & objUser.Manager
'Account Creation Date
dtmWhenCreated = objUser.WhenCreated
dtmWhenCreated = DateAdd("n", intTimeZoneBias, dtmWhenCreated)
dtmWhenCreated = DateAdd("n", -intDaylightBias, dtmWhenCreated)
Wscript.Echo "Account Created: " & dtmWhenCreated
'Wscript.Quit
'***** Get Last Logon Information for User *****'
Wscript.Echo "Retrieving last logon information for " & strUser & "...."
Const ADS_SCOPE_SUBTREE = 2
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT ADsPath FROM 'LDAP://" & strConfigurationNC & "' WHERE
objectClass='nTDSDSA'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
Set objParent =
GetObject(GetObject(objRecordset.Fields("ADsPath")).Parent)
strDCName = objParent.dnsHostName
Set objLastLogon = objUser.Get("lastLogon")
intLastLogonTime = objLastLogon.HighPart * (2^32) +
objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
dtmLastLogon = intLastLogonTime + #1/1/1601#
dtmLastLogon = DateAdd("n", intTimeZoneBias, dtmLastLogon)
dtmLastLogon = DateAdd("n", -intDaylightBias, dtmLastLogon)
If dtmLastLogon >
Requires Free Membership to View
dtmLatestLogon Then
dtmLatestLogon = dtmLastLogon
End If
objRecordSet.MoveNext
Loop
If dtmLatestLogon = "1/1/1601" Then
wscript.Echo "Logon information not found for user: " &
objUser.DisplayName & " Verify user exists and that OU is correct."
Else
Wscript.Echo "Last logon for " & objUser.DisplayName & ": " &
dtmLatestLogon
msgBox "Last logon for " & objUser.DisplayName & ": " &
dtmLatestLogon
End If
'Wscript.Quit
'***** Check for Password Last Set and Password Expiration *****
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const ONE_HUNDRED_NANOSECOND = .000000100
Const SECONDS_IN_DAY = 86400
intUserAccountControl = objUser.Get("userAccountControl")
If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then ' LINE
11
WScript.Echo "The password does not expire."
Else
dtmValue = objUser.PasswordLastChanged
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then ' LINE
16
WScript.Echo "The password has never been set."
Else
intTimeInterval = Int(Now - dtmValue)
WScript.Echo "The password was last set on " & _
DateValue(dtmValue) & " at " & TimeValue(dtmValue) & vbCrLf &
_
"The difference between when the password was last" & vbCrLf &
_
"set and today is " & intTimeInterval & " days"
End If
Set objDomain = GetObject("LDAP://" & strDNSDomain)
Set objMaxPwdAge = objDomain.Get("maxPwdAge")
If objMaxPwdAge.LowPart = 0 Then
WScript.Echo "The Maximum Password Age is set to 0 in the " & _
"domain. Therefore, the password does not expire."
Else
dblMaxPwdNano = _
Abs(objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)
dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND
' LINE
37
dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY) ' LINE
38
WScript.Echo "Maximum password age is " & dblMaxPwdDays & "
days"
If intTimeInterval >= dblMaxPwdDays Then
WScript.Echo "The password has expired."
Else
WScript.Echo "The password will expire on " & _
DateValue(dtmValue + dblMaxPwdDays) & " (" & _
Int((dtmValue + dblMaxPwdDays) - Now) & " days from
today)."
End If
End If
End If
'Wscript.Quit
'***** Check to see if Account is Locked Out ****
If objUser.IsAccountLocked = True Then
WScript.Echo objUser.DisplayName & "'s account is locked out."
Else
WScript.Echo objUser.DisplayName & "'s account is NOT locked out."
End If
'***** Unlock the account *****
'##### -- Uncomment following lines to unlock account -- #####
'Wscript.Echo "Unlocking " & objUser.DisplayName & "'s account...."
'objUser.IsAccountLocked=False
'objUser.SetInfo
'##### -- End Section -- #####
'Wscript.Quit
'***** Check for Account Expiration *****
Wscript.Echo "Checking account expiration for " & objUser.DisplayName &
"...."
On Error Resume Next
dtmAccountExpiration = objUser.AccountExpirationDate
If Err.Number = -2147467259 OR dtmAccountExpiration = #1/1/1970# Then
WScript.Echo "This account has no expiration date."
Else
WScript.Echo "Account expiration date: " &
objUser.AccountExpirationDate
End If
'Wscript.Quit
'***** Set Account Expiration Date *****
'##### -- Uncomment the following lines to set account expiration --
#####
'Wscript.Echo "Setting account expiration to 12/11/2020"
'objUser.AccountExpirationDate=#12/11/2020#
'objUser.SetInfo
'Wscript.Echo "Account Expiration is: " & objUser.AccountExpirationDate
'##### -- End Section -- #####
'Wscript.Quit
'***** Set Account to never Expire *****
'##### -- Uncomment the following lines to remove account expiration --
#####
'Wscript.Echo "Removing Account Expiration..."
'objUser.AccountExpires=-1
'objUser.SetInfo
'##### -- End Section -- #####
'Wscript.Quit
'***** List All Groups in Active Directory *****
Wscript.Echo "Listing ALL AD Groups..."
strQuery = ";(objectClass=group);distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
If objRecordSet.EOF Then
Wscript.Echo "No groups found"
objConnection.Close
End If
Do Until objRecordSet.EOF
strDN = objRecordSet.Fields("distinguishedName")
set objGroup = GetObject("LDAP://" & strDN)
Wscript.Echo objGroup.SAMAccountName & " (" &
objGroup.DistinguishedName & ")"
objRecordSet.MoveNext
Loop
'Wscript.Quit
'***** List Groups that the user is a MemberOf *****
Dim UserGroupSid()
objUser.GetInfoEx Array("TokenGroups"), 0
UserGroups = objUser.Get("TokenGroups")
ReDim UserGroupSid(UBound(UserGroups))
Wscript.Echo objUser.DisplayName & " is a member of the following AD
Groups..."
For j = 0 To UBound(UserGroups)
UserGroupSid(j) = OctetToHexStr(UserGroups(j))
Set oGroup = GetObject("LDAP://")
Wscript.Echo oGroup.sAMAccountName 'Lists group names using friendly
names
Next
Function OctetToHexStr(bOctet)
Dim k
OctetToHexStr = ""
For k = 1 To Lenb(bOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(bOctet, k, 1))), 2)
Next
End Function
'Wscript.Quit
'***** Add User to a Group *****
'##### -- Uncomment the following lines to add user to group defined
above -- #####
'Wscript.Echo "Adding " & objUser.DisplayName & " to the " & strGroup &
" group..."
'set objGroup = GetObject("LDAP://" & strGroup & strOU & strDNSDomain)
'objGroup.add(objUser.ADSPath)
'##### -- End Section-- #####
Please let us know how useful you find this tip by rating it below! If you have a useful Windows tip, timesaver or workaround to share, submit it to our tip contest and you could win a prize!
This was first published in September 2006
Join the conversationComment
Share
Comments
Results
Contribute to the conversation