Security administrators and managers frequently request a user account status report, that is, a report of which accounts in a domain are active, which are locked out, and which are disabled. Windows NT administrators must purchase a third-party tool such as BindView's Vulnerability Management Solutions or write a script that uses the Net User command to determine the status of user accounts. Windows Server 2003 and Windows 2000 administrators have an additional option: Active Directory (AD) user accounts have an attribute called userAccountControl that you can check to determine user account status. I've written a script that uses this attribute to generate a user account status report. Listing 1 shows an excerpt from userstatusrpt.vbs; you can download the full script from http://www.secadministrator.com.
I/O Parameters
The script requires two parameter values: the base distinguished name (DN), i.e., the DN of the domain that the script will search (for example, CN=USERS,DC=DOMAIN,DC=COM), and the name of the output file that will contain the script results. The syntax for invoking the script is
userstatusrpt.vbs <baseDN> <outputfile>
Be sure to enter the entire command on one line. The output is a comma-separated value (CSV) file that contains one line per user with three values on each line: the user's DN, the username, and the account status (i.e., Active, Locked Out, or Disabled). . . .
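As an added example (not the article's userstatusrpt.vbs), the following Python reproduces the classification the script derives from userAccountControl and writes the three-column CSV. The directory entries are constructed in place of an LDAP query, and reading lockoutTime alongside userAccountControl is this example's own choice, not something the article states the script does.

```python
"""Classify AD user accounts as Active / Locked Out / Disabled from
userAccountControl and emit the CSV report described in the article.

Added example, not the article's userstatusrpt.vbs. Entries below are
constructed; a real run would fetch them with an LDAP query rooted at
the base DN passed on the command line.
"""
import csv
import io

# userAccountControl bit flags documented by Microsoft
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010
ADS_UF_NORMAL_ACCOUNT = 0x0200


def account_status(uac: int, lockout_time: int = 0) -> str:
    """Return 'Disabled', 'Locked Out' or 'Active' for one account.

    Disabled wins over Locked Out: a disabled account cannot log on
    whatever its lockout state. The LOCKOUT bit is tested, but AD does
    not keep that bit current in the stored userAccountControl value;
    a non-zero lockoutTime (or msDS-User-Account-Control-Computed) is
    the dependable signal, so this example consults both (assumption).
    """
    if uac & ADS_UF_ACCOUNTDISABLE:
        return "Disabled"
    if uac & ADS_UF_LOCKOUT or lockout_time:
        return "Locked Out"
    return "Active"


def build_report(entries) -> str:
    """CSV text: distinguishedName,sAMAccountName,status per line.
    DNs contain commas, so csv.writer quotes them rather than splitting."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for e in entries:
        status = account_status(e["userAccountControl"], e.get("lockoutTime", 0))
        writer.writerow([e["distinguishedName"], e["sAMAccountName"], status])
    return buf.getvalue()


# Constructed sample entries (not real accounts)
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=Alice,CN=Users,DC=example,DC=com", "sAMAccountName": "alice", "userAccountControl": 0x0200},
    {"distinguishedName": "CN=Bob,CN=Users,DC=example,DC=com", "sAMAccountName": "bob", "userAccountControl": 0x0202},
    {"distinguishedName": "CN=Carol,CN=Users,DC=example,DC=com", "sAMAccountName": "carol", "userAccountControl": 0x0210},
    {"distinguishedName": "CN=Dave,CN=Users,DC=example,DC=com", "sAMAccountName": "dave", "userAccountControl": 0x0200, "lockoutTime": 132000000000000000},
]

if __name__ == "__main__":
    print(build_report(SAMPLE_ENTRIES), end="")
```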