Using DSQUERY from the Active Directory command-line tools, I have scripted AccountLocked.bat to report all user accounts that are currently locked.
The syntax for using AccountLocked.bat is:
AccountLocked
AccountLocked.bat interrogates the userAccountControl attribute by calling userAccountControl.bat, which must be in a folder that is in your PATH.
The output is displayed on the console, using the following format:
UserName UserDistinguishedName
AccountLocked.bat contains:
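@echo off
setlocal
rem Query every user object for its userAccountControl, sAMAccountName and distinguishedName.
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr userAccountControl sAMAccountName distinguishedName -limit 0
rem Skip the header row; %%a=userAccountControl, %%b=sAMAccountName, %%c=distinguishedName.
for /f "Skip=1 Tokens=1,2*" %%a in ('%qry%') do (
 call :testit %%b "%%c" %%a
)
endlocal
goto :EOF
:testit
rem Ignore entries whose userAccountControl value is 0.
if "%3" EQU "0" goto :EOF
set user=%1
set dn=%2
rem userAccountControl.bat decodes the value in %3 into the variable named string.
call userAccountControl %3 string
set locked=N
for /f "Tokens=*" %%L in ('@echo %string%^|FIND "LOCKOUT"') do (
 set locked=Y
)
if "%locked%" EQU "N" goto :EOF
rem Strip the column padding (pairs of spaces) that dsquery appends to the DN,
rem then remove a single space left before the closing quote.
set dn=%dn:  =%
set dn=%dn: "="%
@echo %user% %dn%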
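userAccountControl.bat itself is not shown on this page. The following PowerShell is an added example, not the author's code, of the flag test it is called for: it decodes userAccountControl bits and reports the rows whose LOCKOUT bit (0x0010) is set. The function names `ConvertFrom-UserAccountControl` and `Get-LockedFromDsquery` and the sample accounts are constructed for illustration.

```powershell
# Added example: decode userAccountControl values and list accounts with LOCKOUT set.
# The values are documented UF_* flag bits; only a subset is listed here.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    PASSWORD_EXPIRED     = 0x800000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every flag whose bit is set in $Value.
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

# Constructed sample, in the column order the script requests from dsquery:
# userAccountControl  sAMAccountName  distinguishedName
$sample = @'
  userAccountControl    sAMAccountName    distinguishedName
  512                   jsmith            CN=John Smith,OU=Staff,DC=example,DC=com
  528                   mjones            CN=Mary Jones,OU=Staff,DC=example,DC=com
  66050                 svc_backup        CN=Backup Service,OU=Service Accounts,DC=example,DC=com
'@ -split "`r?`n"

function Get-LockedFromDsquery {
    param([string[]]$Lines)
    $Lines | Select-Object -Skip 1 | ForEach-Object {
        # Split into three fields only, so spaces inside the DN survive.
        $uac, $user, $dn = $_.Trim() -split '\s+', 3
        if ($uac -notmatch '^\d+$') { return }   # skip blank or malformed rows
        if ((ConvertFrom-UserAccountControl ([int]$uac)) -contains 'LOCKOUT') {
            [pscustomobject]@{ UserName = $user; DistinguishedName = $dn.Trim() }
        }
    }
}

# Only mjones (528 = NORMAL_ACCOUNT + LOCKOUT) is reported from the sample.
Get-LockedFromDsquery -Lines $sample
```

Microsoft documents that in Windows Server 2003 and later domains the LOCKOUT state is reported through the msDS-User-Account-Control-Computed attribute rather than the stored userAccountControl value, so the same bit test may need to be pointed at that attribute.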