Submitted By: Eric Payne
Checks for locked-out user accounts in a specified Active Directory OU (and any sub-OUs). If a locked-out account is found, the script creates an event that a MOM event rule can match.
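'#####================================================================================
'## Title: ADAccountLockedOutByOU.vbs
'## Author: Eric Payne
'## Client\Company: xxxx
'## Date: 10/16/2006
'##
'## Purpose:
'## 1. Loop through the OU(s) passed in recursively and check whether any AD user
'##    account is locked out. If a locked-out account is found the script creates an
'##    event to be picked up by a MOM event rule, which raises an alert.
'##
'## Requirements:
'## 1. MOM Script Parameter of "OU"
'##    Example: "LDAP://OU=Service Accounts,OU=USA,DC=Domain,DC=com"
'##    Note: You can supply multiple OUs separated by a semicolon
'## 2. The script only reads directory objects, so the MOM action account it runs
'##    under needs no more than read access to the listed OUs.
'##
'## Events raised (EventSource "ADAccountLockedOut"):
'##    1001 - an enabled user account is locked out (one event per account)
'##    1002 - an OU could not be bound to or enumerated, no OU was supplied, or another
'##           error occurred. The message carries the error number, description and the
'##           OU concerned, so that an OU the script failed to check is visible rather
'##           than silently skipped.
'##
'## Issues:
'## 1. Only child objects of class "organizationalUnit" are recursed into; other
'##    container classes beneath the OU are not searched.
'## 2. IsAccountLocked via the LDAP provider has been reported to treat an expired
'##    lockout (lockoutTime still set) as locked; if stale alerts appear, compare
'##    lockoutTime with the domain lockout duration instead.
'##
'## Revisions:
'## 1. OU list entries are trimmed and empty entries skipped, so a trailing semicolon
'##    no longer causes a bind to "".
'## 2. Errors are reported per OU/object inside ListUsers (event 1002) and cleared,
'##    instead of a single check after the loop that saw only the last error and
'##    not which OU it belonged to.
'## 3. Event 1002 is also raised when the "OU" parameter is empty, since an empty
'##    list means nothing was monitored.
'##
'## Basic Logic:
'## 1. Set internal variables based on passed-in parameters
'## 2. Loop through each OU
'## 3. Recurse into sub-OUs
'## 4. Check whether each enabled user account is locked out
'#####================================================================================
On Error Resume Next

'Declarations
Dim objParams   'Object for Parameters
Dim strOU       'String for one Organizational Unit (raw list entry)
Dim strPath     'Trimmed ADsPath of one Organizational Unit
Dim strOUs      'String for list of OUs
Dim arrOUs      'Array of OUs
Dim intChecked  'Number of non-empty OU entries handed to ListUsers

'Event Type constants
Const EVENT_TYPE_ERROR = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4

'Event numbers (keep in step with the MOM event rules that match them)
Const EVENT_ACCOUNT_LOCKED = 1001
Const EVENT_SCRIPT_ERROR = 1002

'## (1) Set variables ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>
Set objParams = ScriptContext.Parameters
strOUs = objParams.Get("OU")

'Testing:
'strOUs = "LDAP://OU=Service Accounts,OU=USA,DC=Domain,DC=com"

'A missing parameter yields Empty/Null; treat it as an empty list rather than
'letting Split fail.
If IsNull(strOUs) Or IsEmpty(strOUs) Then strOUs = ""

'Split returns the whole string as a single element when no ";" is present,
'so the single-OU case needs no special handling.
arrOUs = Split(strOUs, ";")

'## (2) Loop through each OU ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>
intChecked = 0
For Each strOU In arrOUs
    strPath = Trim(strOU)
    'Skip blank entries (e.g. a trailing semicolon) rather than binding to "".
    If Len(strPath) > 0 Then
        ListUsers strPath
        intChecked = intChecked + 1
    End If
Next

'An empty OU list means nothing was monitored; make that visible.
If intChecked = 0 Then
    CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
        "No OU supplied in the ""OU"" script parameter; no accounts were checked"
End If

'Anything not already reported and cleared inside ListUsers.
If Err.Number <> 0 Then
    CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", Err.Number & " " & Err.Description
    Err.Clear
End If

'Recursively enumerates the OU at ADsPath OU: raises event 1001 for every enabled
'user account that is locked out, descends into child OUs, and raises event 1002
'(naming the OU) for a bind or enumeration error instead of skipping the OU silently.
'OU - ADsPath of the organizational unit to check, e.g. "LDAP://OU=...,DC=...".
Sub ListUsers(OU)
    'Each procedure needs its own On Error statement for inline error checks to work.
    On Error Resume Next
    Dim colUsers, objItem, objUser

    Set colUsers = GetObject(OU)
    If Err.Number <> 0 Then
        CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
            Err.Number & " " & Err.Description & " while binding to " & OU
        Err.Clear
        Exit Sub
    End If

    For Each objItem In colUsers
        Select Case objItem.Class
            Case "user"
                Set objUser = objItem
                'Disabled accounts are skipped: a lock on them is not actionable.
                If Not objUser.AccountDisabled Then
                    If objUser.IsAccountLocked Then
                        CreateEvent EVENT_ACCOUNT_LOCKED, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
                            objUser.Name & " account is locked out"
                    End If
                End If
            Case "organizationalUnit"
                ListUsers objItem.ADsPath
        End Select

        'Report and clear per object so one unreadable object does not mask the rest.
        If Err.Number <> 0 Then
            CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
                Err.Number & " " & Err.Description & " while checking " & objItem.Name & " in " & OU
            Err.Clear
        End If
    Next
End Sub

'Builds and submits one MOM event with the given number, type, source and message.
Sub CreateEvent(intEventNumber, intEventType, strEventSource, strEventMessage)
    Dim objEvent
    Set objEvent = ScriptContext.CreateEvent()
    objEvent.EventSource = strEventSource
    objEvent.EventNumber = intEventNumber
    objEvent.EventType = intEventType
    objEvent.Message = strEventMessage
    ScriptContext.Submit objEvent
End Sub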
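'#####================================================================================
'## Title: ADAccountLockedOutByOU.vbs
'## Author: Eric Payne
'## Client\Company: xxxx
'## Date: 10/16/2006
'##
'## Purpose:
'## 1. Loop through the OU(s) passed in recursively and check whether any AD user
'##    account is locked out. If a locked-out account is found the script creates an
'##    event to be picked up by a MOM event rule, which raises an alert.
'##
'## Requirements:
'## 1. MOM Script Parameter of "OU"
'##    Example: "LDAP://OU=Service Accounts,OU=USA,DC=Domain,DC=com"
'##    Note: You can supply multiple OUs separated by a semicolon
'## 2. The script only reads directory objects, so the MOM action account it runs
'##    under needs no more than read access to the listed OUs.
'##
'## Events raised (EventSource "ADAccountLockedOut"):
'##    1001 - an enabled user account is locked out (one event per account)
'##    1002 - an OU could not be bound to or enumerated, no OU was supplied, or another
'##           error occurred. The message carries the error number, description and the
'##           OU concerned, so that an OU the script failed to check is visible rather
'##           than silently skipped.
'##
'## Issues:
'## 1. Only child objects of class "organizationalUnit" are recursed into; other
'##    container classes beneath the OU are not searched.
'## 2. IsAccountLocked via the LDAP provider has been reported to treat an expired
'##    lockout (lockoutTime still set) as locked; if stale alerts appear, compare
'##    lockoutTime with the domain lockout duration instead.
'##
'## Revisions:
'## 1. OU list entries are trimmed and empty entries skipped, so a trailing semicolon
'##    no longer causes a bind to "".
'## 2. Errors are reported per OU/object inside ListUsers (event 1002) and cleared,
'##    instead of a single check after the loop that saw only the last error and
'##    not which OU it belonged to.
'## 3. Event 1002 is also raised when the "OU" parameter is empty, since an empty
'##    list means nothing was monitored.
'##
'## Basic Logic:
'## 1. Set internal variables based on passed-in parameters
'## 2. Loop through each OU
'## 3. Recurse into sub-OUs
'## 4. Check whether each enabled user account is locked out
'#####================================================================================
On Error Resume Next

'Declarations
Dim objParams   'Object for Parameters
Dim strOU       'String for one Organizational Unit (raw list entry)
Dim strPath     'Trimmed ADsPath of one Organizational Unit
Dim strOUs      'String for list of OUs
Dim arrOUs      'Array of OUs
Dim intChecked  'Number of non-empty OU entries handed to ListUsers

'Event Type constants
Const EVENT_TYPE_ERROR = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4

'Event numbers (keep in step with the MOM event rules that match them)
Const EVENT_ACCOUNT_LOCKED = 1001
Const EVENT_SCRIPT_ERROR = 1002

'## (1) Set variables ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>
Set objParams = ScriptContext.Parameters
strOUs = objParams.Get("OU")

'Testing:
'strOUs = "LDAP://OU=Service Accounts,OU=USA,DC=Domain,DC=com"

'A missing parameter yields Empty/Null; treat it as an empty list rather than
'letting Split fail.
If IsNull(strOUs) Or IsEmpty(strOUs) Then strOUs = ""

'Split returns the whole string as a single element when no ";" is present,
'so the single-OU case needs no special handling.
arrOUs = Split(strOUs, ";")

'## (2) Loop through each OU ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>
intChecked = 0
For Each strOU In arrOUs
    strPath = Trim(strOU)
    'Skip blank entries (e.g. a trailing semicolon) rather than binding to "".
    If Len(strPath) > 0 Then
        ListUsers strPath
        intChecked = intChecked + 1
    End If
Next

'An empty OU list means nothing was monitored; make that visible.
If intChecked = 0 Then
    CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
        "No OU supplied in the ""OU"" script parameter; no accounts were checked"
End If

'Anything not already reported and cleared inside ListUsers.
If Err.Number <> 0 Then
    CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", Err.Number & " " & Err.Description
    Err.Clear
End If

'Recursively enumerates the OU at ADsPath OU: raises event 1001 for every enabled
'user account that is locked out, descends into child OUs, and raises event 1002
'(naming the OU) for a bind or enumeration error instead of skipping the OU silently.
'OU - ADsPath of the organizational unit to check, e.g. "LDAP://OU=...,DC=...".
Sub ListUsers(OU)
    'Each procedure needs its own On Error statement for inline error checks to work.
    On Error Resume Next
    Dim colUsers, objItem, objUser

    Set colUsers = GetObject(OU)
    If Err.Number <> 0 Then
        CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
            Err.Number & " " & Err.Description & " while binding to " & OU
        Err.Clear
        Exit Sub
    End If

    For Each objItem In colUsers
        Select Case objItem.Class
            Case "user"
                Set objUser = objItem
                'Disabled accounts are skipped: a lock on them is not actionable.
                If Not objUser.AccountDisabled Then
                    If objUser.IsAccountLocked Then
                        CreateEvent EVENT_ACCOUNT_LOCKED, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
                            objUser.Name & " account is locked out"
                    End If
                End If
            Case "organizationalUnit"
                ListUsers objItem.ADsPath
        End Select

        'Report and clear per object so one unreadable object does not mask the rest.
        If Err.Number <> 0 Then
            CreateEvent EVENT_SCRIPT_ERROR, EVENT_TYPE_ERROR, "ADAccountLockedOut", _
                Err.Number & " " & Err.Description & " while checking " & objItem.Name & " in " & OU
            Err.Clear
        End If
    Next
End Sub

'Builds and submits one MOM event with the given number, type, source and message.
Sub CreateEvent(intEventNumber, intEventType, strEventSource, strEventMessage)
    Dim objEvent
    Set objEvent = ScriptContext.CreateEvent()
    objEvent.EventSource = strEventSource
    objEvent.EventNumber = intEventNumber
    objEvent.EventType = intEventType
    objEvent.Message = strEventMessage
    ScriptContext.Submit objEvent
End Sub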