VBScript program to output all users in the domain that are locked out. For each locked out user,
the program outputs the Distinguished Name of the user, the date and time when an incorrect
password was last used, the number of bad password attempts on the domain controller, and the
domain controller where the last bad password was attempted.
Using the LDAP provider, the userAccountControl attribute gives incorrect results when it is queried for locked out status. Also, the IsAccountLocked property method of the LDAP provider gives incorrect results. There are two methods that can be used to identify locked out accounts. One is to use the LDAP provider to retrieve the lockoutTime attribute of users. This is a 64-bit number representing the last time the account was locked. This date/time must be compared to the current time and the domain lockout policy to determine if the account is still locked out. A second method is to use the IsAccountLocked property method of the WinNT provider. This program uses this second method to create an array of user accounts that are locked out.
For each user account found to be locked, the program determines when a bad password was last used, which domain controller the bad password attempt was made against, and how many bad password attempts have been made on that domain controller for the user. This information can be useful for determining if a hacker was attempting to break in.
The program retrieves the badPasswordTime and badPwdCount attributes of the user object to get the required information. Because these two attributes are not replicated, a different value is stored on every Domain Controller in the domain. The program first uses ADO to generate a list of all domain controllers. Then, the program uses ADO to search the copy of Active Directory on each Domain Controller and return all user objects. This set of users is compared to the users previously found to be locked out. For each locked out user on each domain controller, the program retrieves the badPasswordTime and badPwdCount attributes. The largest (latest) badPasswordTime is retained in a dictionary object. The name of the domain controller that has this latest badPasswordTime, and the badPwdCount value on that domain controller, are also retained in dictionary objects.
Once all domain controllers have been searched, the program outputs one line for each locked out user. The program outputs the user Distinguished Name, the date/time when the latest bad password attempt was made, the number of bad password attempts on the domain controller, and the DNS host name of the domain controller that rejected the last bad password attempt. The output can be redirected to a text file. The text file can be imported to a spreadsheet program for analysis.
The program should be run at a command prompt with the cscript host. The output can be redirected to a text file. For example, you can run the program with the following command:
cscript //nologo LockedUsers.vbs > output.txt
LockedUsers.txt <<-- Click here to view or download the program