检查用户账户密码状态V2

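' Password-state audit for an Active Directory domain.
'
' Enumerates every user object under the configured domain and writes one CSV
' row per account: account name, time of the last password change, days since
' that change, next required change, days of validity left, and whether the
' account is enabled or disabled.
'
' Caveats for whoever reads the report:
'   * Expiry is computed from the domain-wide MaxPasswordAge only. Accounts
'     governed by a fine-grained password policy may have a different limit.
'   * The CSV lists accounts whose passwords never expire or are already stale;
'     keep the file somewhere with restricted access.
'
' Errors are handled inline (On Error Resume Next), so every read whose result
' is used later is followed by an explicit Err check. Without those checks a
' failed read would silently reuse the previous account's values.
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const SEC_IN_DAY = 86400
Const ADS_UF_ACCOUNTDISABLE = &h2
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ForWriting = 2
Const E_ADS_Property_Not_Found = &h8000500D

Set fso = CreateObject("Scripting.FileSystemObject")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

' Replace DC=sha,DC=local with the distinguished name of your own domain.
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select distinguishedName from " & _
        "'LDAP://DC=sha,DC=local' where objectClass ='user' and objectClass <>'computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

' Any failure so far (provider, connection, query) leaves no usable record set.
' Stop here: evaluating objRecordSet.EOF on a failed query under
' On Error Resume Next would fall into the loop body instead of ending it.
If Err.Number <> 0 Then
    WScript.Echo "Could not query Active Directory: " & Err.Description
    WScript.Quit 1
End If
If Not objRecordSet.EOF Then objRecordSet.MoveFirst

' Output file; change the name and path as needed.
OutFile = "passstate.csv"
Set txtStreamOut = fso.OpenTextFile(OutFile,ForWriting,true)
If Err.Number <> 0 Then
    WScript.Echo "Could not open " & OutFile & " for writing: " & Err.Description
    WScript.Quit 1
End If

' CSV header row.
txtStreamOut.WriteLine "帐户名称,上次修改时间,上次修改时间距今几天,下一次修改时间,密码有效时间,账户状态"

blnMaxAgeLoaded = False   ' domain MaxPasswordAge is fetched once, on first use
intSkipped = 0            ' accounts that could not be read

Do Until objRecordSet.EOF

    ' A "/" inside a distinguished name must be escaped in an ADsPath.
    LDAPUser = "LDAP://" & _
        Replace(objRecordSet.Fields("distinguishedName").Value, "/", "\/")

    ' Bind to the account and read the attributes every row needs.
    ' objUserLDAP is reset first so a failed bind cannot leave the previous
    ' account's object in place.
    Err.Clear
    Set objUserLDAP = Nothing
    Set objUserLDAP = GetObject(LDAPUser)
    intCurrentValue = objUserLDAP.Get("userAccountControl")
    strAccount = objUserLDAP.Get("sAMAccountName")

    If Err.Number <> 0 Then
        intSkipped = intSkipped + 1
        Err.Clear
    Else
        ' Test only the ACCOUNTDISABLE bit. Comparing the two lowest bits
        ' against binary 10 misreports a disabled account as enabled whenever
        ' the lowest flag bit is also set.
        If (intCurrentValue And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            AccountControl = "账户被禁用"
        Else
            AccountControl = "账户已启用"
        End If

        If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
            ' Password is flagged as never expiring.
            txtStreamOut.WriteLine strAccount & ",密码永不过期,,,," & AccountControl
        Else
            ' Read the time of the last password change. Property-not-found is
            ' reported as -1 (password must be changed at next logon); any
            ' other error means the value is unknown and the account is
            ' skipped instead of being reported with stale data.
            blnHaveState = True
            dtmValue = Empty
            Err.Clear
            dtmValue = objUserLDAP.Passwordlastchanged
            If Err.Number = E_ADS_Property_Not_Found Then
                intTimeInterval = -1
            ElseIf Err.Number <> 0 Then
                blnHaveState = False
                intSkipped = intSkipped + 1
            Else
                intTimeInterval = Int(Now - dtmValue)
            End If
            Err.Clear

            '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
            '                        ATTENTION
            ' Replace sha with the NetBIOS name of your own domain.
            '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
            ' Domain maximum password age, fetched once and cached in days.
            If blnHaveState And Not blnMaxAgeLoaded Then
                Set objDomainNT = GetObject("WinNT://sha")
                intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")

                ' A failed lookup would otherwise yield a maximum age of 0 and
                ' mark every account as expired.
                If Err.Number <> 0 Then
                    txtStreamOut.Close
                    WScript.Echo "Could not read MaxPasswordAge from WinNT://sha: " & _
                        Err.Description
                    WScript.Quit 1
                End If

                ' No maximum age configured: tell the user and stop.
                If intMaxPwdAge < 0 Then
                    txtStreamOut.Close
                    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                      "domain. Therefore, the password does not expire."
                    Wscript.quit
                End If

                intMaxPwdAgeDays = intMaxPwdAge / SEC_IN_DAY
                blnMaxAgeLoaded = True
            End If

            If blnHaveState Then
                If intTimeInterval >= intMaxPwdAgeDays Then
                    ' Last change is older than the maximum age: expired.
                    OutText = strAccount & "," & DateValue(dtmValue) & " " & _
                        TimeValue(dtmValue) & "," & intTimeInterval & ",密码过期!,," & AccountControl
                ElseIf intTimeInterval = -1 Then
                    ' No recorded change: password must be set at next logon.
                    OutText = strAccount & ",下次登陆修改密码,,,," & AccountControl
                Else
                    ' Still valid: report the expiry date and the days left.
                    OutText = strAccount & "," & DateValue(dtmValue) & " " & _
                        TimeValue(dtmValue) & "," & intTimeInterval & "," & _
                        DateValue(dtmValue + intMaxPwdAgeDays) & "," & _
                        Int((dtmValue + intMaxPwdAgeDays) - Now) & "," & _
                        AccountControl
                End If
                txtStreamOut.WriteLine OutText
            End If
        End If
    End If

    objRecordSet.MoveNext
Loop

' Flush and release the report before telling the user to open it.
txtStreamOut.Close

If intSkipped > 0 Then
    WScript.Echo intSkipped & " account(s) could not be read and are missing from the report."
End If
WScript.Echo "Please open " & OutFile & " to check user account password state."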
 


 
