VBScript program demonstrating an efficient way to retrieve the names of all users that are currently locked out. This program outputs the Distinguished Names of all locked out users. One method sometimes recommended is to retrieve all user objects where the value assigned to the lockoutTime attribute is greater than 0. The filter suggested is:
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
When an account is locked out (due to too many bad password attempts), the lockoutTime attribute is
assigned a value corresponding to the current date and time (in UTC). The value is Integer8, meaning
it is a 64-bit value representing the date and time as the number of 100-nanosecond intervals since
12:00 AM January 1, 1601. The account will be locked out for the lockoutDuration, which is an attribute
of the domain. The lockoutDuration attribute of the domain object is also Integer8. Once the
lockoutDuration has expired, the account is no longer locked out.
If the value of lockoutTime is 0 (zero), the account is not locked out. That's the logic behind the
query filter above. However, when an account is locked out, the value is not reset to 0 until the
user successfully logs into the domain. That means that the above filter will retrieve accounts that
are no longer locked out, but the user has not yet logged in since the domain lockout duration
expired.
The proper way to tell if an account is locked out is to add the value of the lockoutTime attribute
to the domain lockoutDuration and compare the result with the current date and time. This program
instead converts the domain lockoutDuration to minutes and subtracts that value from the current date
and time, which gives the critical time in the past: any account locked out after this time is still
locked out. The program converts this date and time (in UTC) to the equivalent Integer8 value and
queries for all user accounts whose lockoutTime is greater than that value.
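As an added illustration (not the program linked on this page), the following Python reproduces the threshold calculation just described on constructed data: it converts a UTC time to Integer8, derives the critical time from the domain lockoutDuration (which Active Directory stores as a negative Integer8 interval; treating the value -2^63 as "locked until an administrator unlocks" is an assumption), builds the corrected filter, and contrasts it with the lockoutTime>=1 filter, which also returns a user whose lockout has already expired. The DNs, timestamps and lockout duration are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Integer8 epoch: 12:00 AM, 1 January 1601 UTC; one unit is 100 nanoseconds.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNITS_PER_SECOND = 10_000_000
# Assumed sentinel stored in lockoutDuration when lockouts never expire (admin must unlock).
LOCKED_UNTIL_UNLOCKED = -(2 ** 63)

def datetime_to_integer8(dt_utc):
    """Aware UTC datetime -> Integer8 (the lockoutTime encoding); integer maths avoids float rounding."""
    delta = dt_utc - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * UNITS_PER_SECOND + delta.microseconds * 10

def lockout_duration_minutes(lockout_duration):
    """The domain lockoutDuration is stored as a negative Integer8 interval; return it in minutes."""
    return abs(lockout_duration) // (UNITS_PER_SECOND * 60)

def critical_integer8(now_utc, lockout_duration):
    """Integer8 of (now - lockoutDuration): a lockout at or after this instant is still in force."""
    if lockout_duration == LOCKED_UNTIL_UNLOCKED:
        return 1  # no expiry, so any non-zero lockoutTime means locked out
    return datetime_to_integer8(now_utc - timedelta(minutes=lockout_duration_minutes(lockout_duration)))

def locked_out_filter(now_utc, lockout_duration):
    """The page's filter with the computed Integer8 threshold in place of 1."""
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=%d))" % critical_integer8(now_utc, lockout_duration)

def naive_locked_out(users):
    """The lockoutTime>=1 approach: also returns users whose lockout has already expired."""
    return [dn for dn, lockout_time in users if lockout_time >= 1]

def find_locked_out(users, now_utc, lockout_duration):
    """Apply the corrected threshold to (dn, lockoutTime) pairs, as the LDAP query would server-side."""
    threshold = critical_integer8(now_utc, lockout_duration)
    return [dn for dn, lockout_time in users if lockout_time >= threshold]

# Constructed sample data: a fixed "now", a 30-minute domain lockoutDuration, three users.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -30 * 60 * UNITS_PER_SECOND
SAMPLE_USERS = [
    ("CN=Alice,OU=Users,DC=example,DC=com", datetime_to_integer8(NOW - timedelta(minutes=10))),  # still locked
    ("CN=Bob,OU=Users,DC=example,DC=com", datetime_to_integer8(NOW - timedelta(hours=2))),  # expired, not reset
    ("CN=Carol,OU=Users,DC=example,DC=com", 0),  # not locked out
]

if __name__ == "__main__":
    print(locked_out_filter(NOW, LOCKOUT_DURATION))
    print("lockoutTime>=1:", naive_locked_out(SAMPLE_USERS))
    print("corrected:", find_locked_out(SAMPLE_USERS, NOW, LOCKOUT_DURATION))
```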
The program should be run at a command prompt with the cscript host. The output can be redirected
to a text file. For example, you can run the program with the following command:
cscript //nologo FindLockedOutUsers.vbs > output.txt
FindLockedOutUsers.txt (view or download the program)
A PowerShell script with the same functionality is linked below:
PSFindLockedOutUsers.txt (view or download the program)