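' -------------------------------------------------------------------------
' From the book Inside Active Directory, ISBN 0-201-61621-1
' Copyright (C) 2002 by Addison-Wesley
' Script by Sakari Kouti (see http://www.kouti.com)
' You have a royalty-free right to use, modify, reproduce and distribute
' this script (and/or any modified version) in any way you find useful,
' provided that you agree that Addison-Wesley or Sakari Kouti has no
' warranty, obligations or liability for the script. If you modify
' the script, you must retain this copyright notice.
' -------------------------------------------------------------------------
'
' Purpose: read-only report of the account options of one user object
' (CN=Guest,CN=Users in the default naming context). It prints the values
' returned by the ADSI property methods, then decodes the raw
' userAccountControl bit mask and the lockoutTime / pwdLastSet attributes.
' Nothing is written back to the directory.

Option Explicit

' --- userAccountControl bit masks ----------------------------------------
Const UF_SCRIPT                          = &H0001
Const UF_ACCOUNTDISABLE                  = &H0002
Const UF_HOMEDIR_REQUIRED                = &H0008
Const UF_LOCKOUT                         = &H0010
Const UF_PASSWD_NOTREQD                  = &H0020
Const UF_PASSWD_CANT_CHANGE              = &H0040
Const UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H0080
Const UF_DONT_EXPIRE_PASSWD              = &H10000
Const UF_MNS_LOGON_ACCOUNT               = &H20000
Const UF_SMARTCARD_REQUIRED              = &H40000
Const UF_TRUSTED_FOR_DELEGATION          = &H80000
Const UF_NOT_DELEGATED                   = &H100000
Const UF_USE_DES_KEY_ONLY                = &H200000
Const UF_DONT_REQUIRE_PREAUTH            = &H400000

' Account-type bits (defined for reference; not reported below).
Const UF_TEMP_DUPLICATE_ACCOUNT          = &H0100   'local account
Const UF_NORMAL_ACCOUNT                  = &H0200   'global account
Const UF_INTERDOMAIN_TRUST_ACCOUNT       = &H0800   'incoming trust
Const UF_WORKSTATION_TRUST_ACCOUNT       = &H1000   'ws or ms comp
Const UF_SERVER_TRUST_ACCOUNT            = &H2000   'dc computer

' Audit note: several of the flags reported below weaken an account and
' are worth reviewing wherever they show True:
'   UF_PASSWD_NOTREQD                  - account may have a blank password
'   UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED - password stored reversibly
'   UF_DONT_EXPIRE_PASSWD              - password is never forced to rotate
'   UF_USE_DES_KEY_ONLY                - restricts Kerberos to DES keys
'   UF_DONT_REQUIRE_PREAUTH            - Kerberos pre-authentication is off
'   UF_TRUSTED_FOR_DELEGATION          - account may be delegated to
' UF_NOT_DELEGATED and UF_SMARTCARD_REQUIRED are hardening flags.

' VBScript error number raised by "Set x = <non-object>"; the script uses
' it to recognise a lockoutTime attribute that has no value.
Const E_VBS_OBJECT_REQUIRED = 424

Dim objDSE, objUser, intUserFlags, objLargeInt
Dim bolLockedOut, bolMustChange, lngErr

' Bind to the domain through rootDSE so no domain name is hard-coded.
Set objDSE = GetObject("LDAP://rootDSE")
Set objUser = GetObject("LDAP://CN=Guest,CN=Users," & _
    objDSE.Get("defaultNamingContext"))
objUser.GetInfo

' --- lockoutTime ---------------------------------------------------------
' Only the attribute read runs with errors suppressed. The error number is
' captured before "On Error Goto 0", because that statement also resets Err.
On Error Resume Next
Err.Clear
Set objLargeInt = objUser.lockoutTime
lngErr = Err.Number
On Error Goto 0   'resume normal error handling

If lngErr = 0 Then
    ' NOTE(review): a non-zero lockoutTime records that a lockout happened.
    ' The value may remain after the domain's lockout duration has elapsed,
    ' so confirm against the lockout policy before treating the account as
    ' locked right now.
    bolLockedOut = _
        (objLargeInt.HighPart <> 0) Or (objLargeInt.LowPart <> 0)
ElseIf lngErr = E_VBS_OBJECT_REQUIRED Then
    ' Attribute has no value: the account has never been locked out.
    bolLockedOut = False
Else
    ' Any other failure used to be swallowed, leaving a blank in the
    ' report. Say so instead of implying "not locked".
    bolLockedOut = "unknown (error " & lngErr & " reading lockoutTime)"
End If

' --- pwdLastSet ----------------------------------------------------------
' A zero 64-bit value is reported as "must change password at next logon".
Set objLargeInt = objUser.pwdLastSet
bolMustChange = _
    (objLargeInt.HighPart = 0) And (objLargeInt.LowPart = 0)

WScript.Echo vbCrLf & "Account Options for " & objUser.Name

WScript.Echo vbCrLf & "=== With Property Methods ===" & vbCrLf

WScript.Echo "AccountDisabled : " & objUser.AccountDisabled
WScript.Echo "PasswordRequired : " & objUser.PasswordRequired
' Labelled "Doesn't work" by the author; the lockoutTime result above is
' what the report relies on.
WScript.Echo "Doesn't work: IsAccountLocked : " & _
    objUser.IsAccountLocked

WScript.Echo vbCrLf & "=== With userAccountControl ===" & vbCrLf

intUserFlags = objUser.Get("userAccountControl")
WScript.Echo "UserAccountControl value is " & _
    intUserFlags & " (hex " & Hex(intUserFlags) & ")" & vbCrLf

WScript.Echo "Account locked out : " & bolLockedOut
WScript.Echo ""
WScript.Echo "User must change password at next logon: " & _
    bolMustChange
' Not a userAccountControl bit here: the report points at the object's
' Change Password ACEs instead.
WScript.Echo "User cannot change password : " & _
    "Determined by Change Password ACEs"
WScript.Echo "Password never expires : " & _
    IsFlagSet(intUserFlags, UF_DONT_EXPIRE_PASSWD)
WScript.Echo "Store password using reversible encryption : " & _
    IsFlagSet(intUserFlags, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)
WScript.Echo "Account is disabled : " & _
    IsFlagSet(intUserFlags, UF_ACCOUNTDISABLE)
WScript.Echo "Smart card is required for interactive logon : " & _
    IsFlagSet(intUserFlags, UF_SMARTCARD_REQUIRED)
WScript.Echo "Account is trusted for delegation : " & _
    IsFlagSet(intUserFlags, UF_TRUSTED_FOR_DELEGATION)
WScript.Echo "Account is sensitive and cannot be delegated : " & _
    IsFlagSet(intUserFlags, UF_NOT_DELEGATED)
WScript.Echo "Use DES encryption types for this account : " & _
    IsFlagSet(intUserFlags, UF_USE_DES_KEY_ONLY)
WScript.Echo "Do not require Kerberos pre-authentication : " & _
    IsFlagSet(intUserFlags, UF_DONT_REQUIRE_PREAUTH)
WScript.Echo ""
WScript.Echo "Password not required : " & _
    IsFlagSet(intUserFlags, UF_PASSWD_NOTREQD)
WScript.Echo "MNS_LOGON_ACCOUNT : " & _
    IsFlagSet(intUserFlags, UF_MNS_LOGON_ACCOUNT)

' The remaining bits are printed for completeness; the labels themselves
' mark them as not used.
WScript.Echo "Not used: Logon script required : " & _
    IsFlagSet(intUserFlags, UF_SCRIPT)
WScript.Echo "Not used: Home folder required : " & _
    IsFlagSet(intUserFlags, UF_HOMEDIR_REQUIRED)
WScript.Echo "Not used: Account locked out : " & _
    IsFlagSet(intUserFlags, UF_LOCKOUT)
WScript.Echo "Not used: UF_PASSWD_CANT_CHANGE : " & _
    IsFlagSet(intUserFlags, UF_PASSWD_CANT_CHANGE)

' Returns True when any bit of lngMask is set in lngFlags.
Function IsFlagSet(ByVal lngFlags, ByVal lngMask)
    IsFlagSet = ((lngFlags And lngMask) <> 0)
End Function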