Tuesday, July 14, 2009

VBScript Query All Domain Controllers for a User Account Status

Query all domain controllers for the status of a specified user account. This can come in handy when there are suspected replication problems in AD and some domain controllers are not up to date on a given account (locked, disabled, modified, etc.).


Const userid = "ServiceAccount20"
Const ou = "OU=ServiceAccounts,OU=IT,OU=Corp,DC=contoso,DC=com"

Const pageSize = 1000
Const ADS_SCOPE_SUBTREE = 2

Set dso = GetObject("LDAP:")

'----------------------------------------------------------------

Function Domain_LDAP()
Dim retval, objRootDSE
Set objRootDSE = GetObject("LDAP://RootDSE")
retval = objRootDSE.Get("defaultNamingContext")
Domain_LDAP = retval
End Function

'----------------------------------------------------------------
' function:
'----------------------------------------------------------------

Function CName(strval)
Dim tmp
tmp = Replace(strval, "CN=NTDS Settings,CN=", "")
CName = Split(tmp, ",")(0)
End Function

'----------------------------------------------------------------
' function:
'----------------------------------------------------------------

Function DomainControllers()
Dim objConnection, objCommand, objRecordSet
Dim dn, retval : retval = ""

dcn = Domain_LDAP()

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("ADSI Flag") = 1
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection

objCommand.CommandText = _
"SELECT distinguishedName FROM " & _
"'LDAP://cn=Configuration," & dcn & "' " & _
"WHERE objectClass='nTDSDSA'"

objCommand.Properties("Page Size") = pageSize
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

wscript.echo "info: querying for list of domain controllers..."

Do Until objRecordSet.EOF
dn = objRecordSet.Fields("distinguishedName").Value
If retval <> "" Then
retval = retval & vbTab & dn
Else
retval = dn
End If
objRecordSet.MoveNext
Loop
DomainControllers = retval
End Function

'----------------------------------------------------------------

wscript.echo "info: user account = " & userid
dclist = DomainControllers()

wscript.echo "info: querying user account status from each domain controller..."

For each strDC in Split(dclist, vbTab)
cn = CName(strDC)
dcn = Replace(strDC, "CN=NTDS Settings,", "")

Set objUser = GetObject("LDAP://" & cn & "/CN=" & userid & "," & ou)
On Error Resume Next

' refer to http://support.microsoft.com/kb/305144

uac = objUser.Get("userAccountControl")
If err.Number <> 0 Then
wscript.echo err.Number & " - " & err.Description
Else
' add more cases below if you prefer, or logand the results
Select Case uac
Case 512: wscript.echo "info: " & cn & " = normal"
Case 16: wscript.echo "info: " & cn & " = locked"
Case 2: wscript.echo "info: " & cn & " = disabled"
Case 65536: wscript.echo "info: " & cn & " = never-expires"
Case Else: wscript.echo "info: " & cn & " = unknown: " & uac
End Select
End If
Next

No comments:

Post a Comment