VBScript–Active Directory Account Attributes

Below is a script that will output a list of Active Directory account attributes (password never expires, user cannot change password, etc) for an individual account.

Set objUser = GetObject("LDAP://cn=UserName,ou=OUName,dc=dcprefix,dc=dcsuffix")

intUAC = objUser.Get("userAccountControl")

Const ADS_UF_SCRIPT = &H1

Const ADS_UF_ACCOUNTDISABLE = &H2

Const ADS_UF_HOMEDIR_REQUIRED = &H8

Const ADS_UF_LOCKOUT = &H10

Const ADS_UF_PASSWD_NOTREQD = &H20

Const ADS_UF_PASSWD_CANT_CHANGE = &H40

Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80

Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = &H100

Const ADS_UF_NORMAL_ACCOUNT = &H200

Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &H800

Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000

Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Const ADS_UF_MNS_LOGON_ACCOUNT = &H20000

Const ADS_UF_SMARTCARD_REQUIRED = &H40000

Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000

Const ADS_UF_NOT_DELEGATED = &H100000

Const ADS_UF_USE_DES_KEY_ONLY = &H200000

Const ADS_UF_DONT_REQUIRE_PREAUTH = &H400000

Const ADS_UF_PASSWORD_EXPIRED = &H800000

Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = &H1000000

 

Dim arrUserAttrib(19)

 

Set dictUser = CreateObject("Scripting.Dictionary")

dictUser.CompareMode = TextCompare

dictUser.Add "List of account attributes currently enabled:", ""

 

arrUserAttrib(0) = ADS_UF_ACCOUNTDISABLE

arrUserAttrib(1) = ADS_UF_HOMEDIR_REQUIRED

arrUserAttrib(2) = ADS_UF_LOCKOUT

arrUserAttrib(3) = ADS_UF_PASSWD_NOTREQD

arrUserAttrib(4) = ADS_UF_PASSWD_CANT_CHANGE

arrUserAttrib(5) = ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

arrUserAttrib(6) = ADS_UF_TEMP_DUPLICATE_ACCOUNT

arrUserAttrib(7) = ADS_UF_NORMAL_ACCOUNT

arrUserAttrib(8) = ADS_UF_INTERDOMAIN_TRUST_ACCOUNT

arrUserAttrib(9) = ADS_UF_WORKSTATION_TRUST_ACCOUNT

arrUserAttrib(10) = ADS_UF_SERVER_TRUST_ACCOUNT

arrUserAttrib(11) = ADS_UF_DONT_EXPIRE_PASSWD

arrUserAttrib(12) = ADS_UF_MNS_LOGON_ACCOUNT

arrUserAttrib(13) = ADS_UF_SMARTCARD_REQUIRED

arrUserAttrib(14) = ADS_UF_TRUSTED_FOR_DELEGATION

arrUserAttrib(15) = ADS_UF_NOT_DELEGATED

arrUserAttrib(16) = ADS_UF_USE_DES_KEY_ONLY

arrUserAttrib(17) = ADS_UF_DONT_REQUIRE_PREAUTH

arrUserAttrib(18) = ADS_UF_PASSWORD_EXPIRED

arrUserAttrib(19) = ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

 

For Each attrib In arrUserAttrib

    If (intUAC AND attrib) <> 0 Then

        AddUserFlag(attrib)

    End If

Next

 

Function AddUserFlag(attrib)

    Select Case attrib

        Case 2

            dictUser.Add " - The user account is disabled. (ADS_UF_ACCOUNTDISABLE)", ""

        Case 8

            dictUser.Add " - The user account home directory is required. (ADS_UF_HOMEDIR_REQUIRED)", ""

        Case 16

            dictUser.Add " - The account is currently locked out. (ADS_UF_LOCKOUT)", ""

        Case 32

            dictUser.Add " - No password is required. (ADS_UF_PASSWD_NOTREQD)", ""

        Case 64

            dictUser.Add " - The user cannot change the password. (ADS_UF_PASSWD_CANT_CHANGE)", ""

        Case 128

            dictUser.Add " - The user can send an encrypted password. (ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)", ""

        Case 256

            dictUser.Add " - The users primary account is in another domain. (ADS_UF_TEMP_DUPLICATE_ACCOUNT)", ""

        Case 512

            dictUser.Add " - The account type is normal. (ADS_UF_NORMAL_ACCOUNT)", ""

        Case 2048

            dictUser.Add " - The account is setup as an Interdomain Trust Account. (ADS_UF_INTERDOMAIN_TRUST_ACCOUNT)", ""

        Case 4096

            dictUser.Add " - This is a computer account for a Windows 2000 Professional or Windows 2000 Server that is a member of this domain. (ADS_UF_WORKSTATION_TRUST_ACCOUNT)", ""

        Case 8192

            dictUser.Add " - This is a computer account for a system backup domain controller that is a member of this domain. (ADS_UF_SERVER_TRUST_ACCOUNT)", ""

        Case 65536

            dictUser.Add " - The user account password is set to not expire. (ADS_UF_DONT_EXPIRE_PASSWD)", ""

        Case 131072

            dictUser.Add " - This is an Majority Node Set (MNS) logon account. (ADS_UF_MNS_LOGON_ACCOUNT)", ""

        Case 262144

            dictUser.Add " - The user must log on using a smart card. (ADS_UF_SMARTCARD_REQUIRED)", ""

        Case 524288

            dictUser.Add " - The user account is trusted for Kerberos delegation. (ADS_UF_TRUSTED_FOR_DELEGATION)", ""

        Case 1048576

            dictUser.Add " - The user account security context will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. (ADS_UF_NOT_DELEGATED)", ""

        Case 2097152

            dictUser.Add " - The user account is restricted this to use only Data Encryption Standard (DES) encryption types for keys. (ADS_UF_USE_DES_KEY_ONLY)", ""

        Case 4194304

            dictUser.Add " - The user account does not require Kerberos preauthentication for logon. (ADS_UF_DONT_REQUIRE_PREAUTH)", ""

        Case 8388608

            dictUser.Add " - The user account is expired. (ADS_UF_PASSWORD_EXPIRED)", ""

        Case 16777216

            dictUser.Add " - The user account is enabled for delegation. (ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)", ""

    End Select

End Function

 

coldictUser = dictUser.Keys

 

For Each key in coldictUser

    Wscript.Echo key

Next

Advertisements
  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: