JSI Tip 8549. How can I report all locked accounts?


Using DSQUERY from the Active Directory command-line tools, I have scripted AccountLocked.bat to report all user accounts that are currently locked.

The syntax for using AccountLocked.bat is:

AccountLocked

AccountLocked.bat interrogates the userAccountControl attribute by calling userAccountControl.bat, which must be in a folder that is in your PATH.

The output is displayed on the console, using the following format:

UserName UserDistinguishedName

AccountLocked.bat contains:

@echo off
setlocal
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr userAccountControl sAMAccountName distinguishedName -limit 0
for /f "Skip=1 Tokens=1,2*" %%a in ('%qry%') do (
 call :testit %%b "%%c" %%a
)
endlocal
goto :EOF
:testit
if "%3" EQU 0 goto :EOF
set user=%1
set dn=%2
call userAccountControl %3 string
set locked=N
for /f "Tokens=*" %%L in ('@echo %string%^|FIND "LOCKOUT"') do (
 set locked=Y
)
if "%locked%" EQU "N" goto :EOF
set dn=%dn:  =%
set dn=%dn: "="%
@echo %user% %dn%



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish