>I'm trying to create a query for account status (locked
>My problem is that I have multiple OU's and I'd like to
>in multiple OU's without changing the OU section of this
>Set objUser = GetObject _
>If objUser.AccountDisabled = FALSE Then
>WScript.echo "The account is enabled."
>WScript.echo "The account is disabled."
>Is there a way to do a wildcard on the OU's so I don't have to change
>the OU names when I change the user name? If not, what's the best way
>to go about doing this? I'd love to put together a web page so people
>could just plug in the CN name and get a result.
The best way to search AD is to use ADO. ADO can find a
user where you know the cn, but not where in AD the object
is located. There is no wildcard syntax for GetObject.
You mention locked out accounts, but I think you mean
disabled, since you use the AccountDisabled method in your
code example. ADO can filter on and retrieve attributes.
However, AccountDisabled is a method, not an attribute.
Instead, you have to filter or retrieve the
userAccountControl attribute, one bit of which indicates
if the account is disabled. The following uses ADO to
retrieve all users in the domain, then outputs the DN of
those that are disabled:

Dim objConnection, objCommand, objRootDSE
Dim strDNSDomain, strFilter, strQuery, objRecordSet
Dim strDN, intFlag

Const ADS_UF_ACCOUNTDISABLE = &H02

' Use ADO to search Active Directory.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Query format: <search base>;filter;attributes to return;scope
strFilter = "(&(objectCategory=person)(objectClass=user))"
strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter _
    & ";distinguishedName,userAccountControl;subtree"

objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

' Enumerate all users. Check if accounts disabled.
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName")
    intFlag = objRecordSet.Fields("userAccountControl")
    ' Bit 2 of userAccountControl is set when the account is disabled.
    If (intFlag And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        Wscript.Echo "Account disabled: " & strDN
    End If
    objRecordSet.MoveNext
Loop

' Clean up.
objRecordSet.Close
objConnection.Close

This VBScript is meant to be run at a command prompt with
the cscript host. The output could be redirected to a text
file. You would have to modify for a web page.
If you only want to check one user, you would replace the
statement assigning strFilter above as follows, if you
know the cn (common name):
strCN = "Test User"
strFilter = "(&(objectCategory=person)" _
& "(objectClass=user)(cn=" & strCN & "))"
I hope this helps.
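
For the web page mentioned in the question, the cn arrives as user input, so it should be escaped before it is concatenated into strFilter. The following is an added example, not part of the original reply; the function names and the sample values are constructed for illustration.

```vbscript
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H02

' Escape a value for use inside an LDAP search filter (RFC 4515).
' The backslash is replaced first so the later escapes are not doubled.
Function EscapeLdapFilterValue(strValue)
    Dim strOut
    strOut = Replace(strValue, "\", "\5c")
    strOut = Replace(strOut, "*", "\2a")
    strOut = Replace(strOut, "(", "\28")
    strOut = Replace(strOut, ")", "\29")
    strOut = Replace(strOut, Chr(0), "\00")
    ' ";" separates the parts of the ADO command text used in the reply,
    ' so it is hex-escaped as well (a filter accepts \XX for any character).
    strOut = Replace(strOut, ";", "\3b")
    EscapeLdapFilterValue = strOut
End Function

' Build the single-user filter from the reply, with the cn value escaped.
Function BuildUserFilter(strCN)
    BuildUserFilter = "(&(objectCategory=person)(objectClass=user)(cn=" _
        & EscapeLdapFilterValue(strCN) & "))"
End Function

' The same bit test the reply's loop applies to userAccountControl.
Function IsDisabled(intFlag)
    IsDisabled = ((intFlag And ADS_UF_ACCOUNTDISABLE) <> 0)
End Function

' Constructed sample names: a plain cn, one containing parentheses,
' and a lone asterisk, which unescaped would match every user.
Dim arrNames, strName
arrNames = Array("Test User", "Smith (Contractor)", "*")
For Each strName In arrNames
    WScript.Echo strName & " -> " & BuildUserFilter(strName)
Next

' Constructed userAccountControl values:
' 512 = normal account, 514 = normal account with the disable bit set.
WScript.Echo "512 disabled? " & IsDisabled(512)
WScript.Echo "514 disabled? " & IsDisabled(514)
```

Run it with cscript, as with the script above. In the reply's code, BuildUserFilter(strCN) would replace the strFilter assignment.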