检查用户账户密码状态V2
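' Reports the password state of every user account in the domain to a CSV file.
' Output columns: account name, last password change, days since that change,
' next required change, days of validity left, account status.
'
' Configuration: set DOMAIN_DN to the domain's distinguished name and
' DOMAIN_NETBIOS to its NetBIOS name before running. The output file may be
' renamed or given a full path via OutFile.
'
' Behaviour notes:
'   - MaxPasswordAge is read from the domain object through the WinNT provider,
'     so per-user fine-grained password policies (PSOs) are NOT reflected; users
'     covered by a PSO may have a different real limit than what is reported.
'   - A user whose pwdLastSet is 0 ("must change password at next logon") has no
'     PasswordLastChanged value; this is reported as a separate state.
Option Explicit
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const SEC_IN_DAY = 86400
Const ADS_UF_ACCOUNTDISABLE = &h2
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ForWriting = 2
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

' Change both values to match your own AD domain.
Const DOMAIN_DN = "DC=sha,DC=local"
Const DOMAIN_NETBIOS = "sha"
' Output file; name and path may be changed freely.
Const OutFile = "passstate.csv"

Dim fso, txtStreamOut, objConnection, objCommand, objRecordSet
Dim objDomainNT, intMaxPwdAge, maxPwdAgeDays
Dim objUserLDAP, LDAPUser, strDN, strAccount, intCurrentValue, AccountControl
Dim dtmValue, dtmNow, intTimeInterval, OutText

' Domain-wide maximum password age (seconds), read once rather than once per
' user as the original script did inside the loop.
Err.Clear
Set objDomainNT = GetObject("WinNT://" & DOMAIN_NETBIOS)
intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
If Err.Number <> 0 Then
    WScript.Echo "Unable to read MaxPasswordAge from WinNT://" & DOMAIN_NETBIOS & ": " & Err.Description
    WScript.Quit 1
End If
' A negative value means no maximum age is configured; nothing to report then.
' (Check and message kept from the original script.)
If intMaxPwdAge < 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
        "domain. Therefore, the password does not expire."
    WScript.Quit
End If
' Fractional days are kept on purpose so date arithmetic below stays exact.
maxPwdAgeDays = intMaxPwdAge / SEC_IN_DAY

' Enumerate user accounts. objectCategory=person excludes computer accounts,
' which also carry objectClass=user.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select distinguishedName from 'LDAP://" & DOMAIN_DN & "' " & _
    "where objectCategory='person' and objectClass='user'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Err.Clear
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo "LDAP query against " & DOMAIN_DN & " failed: " & Err.Description
    WScript.Quit 1
End If

' Output file (overwritten if present). Header row in the original wording.
Set fso = CreateObject("Scripting.FileSystemObject")
Set txtStreamOut = fso.OpenTextFile(OutFile, ForWriting, True)
If Err.Number <> 0 Then
    WScript.Echo "Cannot open " & OutFile & " for writing: " & Err.Description
    WScript.Quit 1
End If
txtStreamOut.WriteLine "帐户名称,上次修改时间,上次修改时间距今几天,下一次修改时间,密码有效时间,账户状态"

' MoveFirst on an empty result set raises an error; the guard avoids that.
If Not objRecordSet.EOF Then objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    ' NOTE(review): DNs containing "/" need escaping in an ADSI LDAP path; a
    ' failed bind is recorded as a row instead of being silently skipped.
    LDAPUser = "LDAP://" & strDN
    Err.Clear
    Set objUserLDAP = GetObject(LDAPUser)
    If Err.Number <> 0 Then
        ' Commas in the DN are replaced so the CSV columns stay aligned.
        txtStreamOut.WriteLine Replace(strDN, ",", " ") & ",无法读取账户信息,,,,"
        Err.Clear
    Else
        ' sAMAccountName cannot legally contain a comma, so it is safe as a CSV cell.
        strAccount = objUserLDAP.Get("sAMAccountName")
        intCurrentValue = objUserLDAP.Get("userAccountControl")

        ' Only the ADS_UF_ACCOUNTDISABLE bit decides the disabled state. The
        ' original "(value And 3) = 2" test reported a disabled account that
        ' also had bit 0 (ADS_UF_SCRIPT) set as enabled.
        If (intCurrentValue And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            AccountControl = "账户被禁用"
        Else
            AccountControl = "账户已启用"
        End If

        If (intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
            ' Password never expires: no dates to compute.
            OutText = strAccount & ",密码永不过期,,,," & AccountControl
        Else
            ' PasswordLastChanged is missing (E_ADS_PROPERTY_NOT_FOUND) when
            ' pwdLastSet is 0, i.e. the user must change the password at next logon.
            Err.Clear
            dtmValue = objUserLDAP.PasswordLastChanged
            dtmNow = Now
            If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
                intTimeInterval = -1
            ElseIf Err.Number <> 0 Then
                ' Any other failure: report it rather than computing days since 1899
                ' from an Empty date, which is what the unguarded arithmetic would do.
                intTimeInterval = -2
            Else
                intTimeInterval = Int(dtmNow - dtmValue)
            End If
            Err.Clear

            If intTimeInterval = -1 Then
                OutText = strAccount & ",下次登陆修改密码,,,," & AccountControl
            ElseIf intTimeInterval = -2 Then
                OutText = strAccount & ",无法读取密码修改时间,,,," & AccountControl
            ElseIf intTimeInterval >= maxPwdAgeDays Then
                ' Last change is older than the domain maximum: password has expired.
                OutText = strAccount & "," & DateValue(dtmValue) & " " & _
                    TimeValue(dtmValue) & "," & intTimeInterval & ",密码过期!,," & AccountControl
            Else
                ' Still valid: report the next required change date and days left.
                OutText = strAccount & "," & DateValue(dtmValue) & " " & _
                    TimeValue(dtmValue) & "," & intTimeInterval & "," & _
                    DateValue(dtmValue + maxPwdAgeDays) & "," & _
                    Int((dtmValue + maxPwdAgeDays) - dtmNow) & "," & AccountControl
            End If
        End If
        txtStreamOut.WriteLine OutText
    End If
    objRecordSet.MoveNext
Loop

' Close the report so the last buffered rows are flushed before the user opens it.
txtStreamOut.Close
objRecordSet.Close
objConnection.Close
WScript.Echo "Please open " & OutFile & " to check user account password state."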