This VBScript program demonstrates an efficient way to retrieve the names of all users that are currently locked out; it outputs the Distinguished Names of those users. One method sometimes recommended is to retrieve all user objects whose lockoutTime attribute is greater than 0. The filter suggested is:

(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

When an account is locked out (due to too many bad password attempts), the lockoutTime attribute is assigned a value corresponding to the current date and time (in UTC). The value is Integer8, meaning it is a 64-bit value representing the date and time as the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. The account will be locked out for the lockoutDuration, which is an attribute of the domain. The lockoutDuration attribute of the domain object is also Integer8. Once the lockoutDuration has expired, the account is no longer locked out.

If the value of lockoutTime is 0 (zero), the account is not locked out. That is the logic behind the query filter above. However, once an account has been locked out, the value is not reset to 0 until the user next logs on to the domain successfully. That means the above filter also retrieves accounts that are no longer locked out but whose user has not yet logged on since the domain lockout duration expired.

The proper way to tell if an account is locked out is to add the value of the lockoutTime attribute to the domain lockoutDuration and compare the result to the current date and time. This program converts the domain lockoutDuration to minutes and subtracts that many minutes from the current date and time, giving a critical time in the past: any account whose lockout began after this time is still locked out. The program converts this date and time (in UTC) to the equivalent Integer8 value and queries for all user accounts with a lockoutTime greater than this value.
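The threshold arithmetic described above, worked through as an added example (this is not the page's VBScript or PowerShell program): it converts between UTC dates and Integer8 values, derives the critical time from a domain lockoutDuration, builds the resulting LDAP filter, and applies the same test client-side to constructed sample accounts so the false positive of the naive (lockoutTime>=1) filter is visible. It assumes lockoutDuration is stored as a negative Integer8 interval and, as an additional assumption not stated on the page, treats the minimum Int64 value as the "locked until an administrator unlocks" sentinel. The sample DNs, timestamps and duration are constructed.

```python
from datetime import datetime, timedelta, timezone

# Integer8 (Windows FILETIME) epoch and resolution: 100-ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Assumption: minimum Int64 marks a lockout that never expires on its own
NEVER_EXPIRES = -(2**63)


def datetime_to_integer8(dt):
    """UTC-aware datetime -> count of 100-ns intervals since 1601-01-01."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def integer8_to_datetime(i8):
    """Inverse of datetime_to_integer8 (sub-microsecond ticks are dropped)."""
    return EPOCH_1601 + timedelta(microseconds=i8 // 10)


def lockout_duration_minutes(lockout_duration_i8):
    """Domain lockoutDuration is a negative Integer8 interval; return whole minutes."""
    return abs(lockout_duration_i8) // (TICKS_PER_SECOND * 60)


def critical_time_integer8(now_utc, lockout_duration_i8):
    """Integer8 value of (now - lockoutDuration): lockouts that began at or after
    this instant are still in force."""
    critical = now_utc - timedelta(minutes=lockout_duration_minutes(lockout_duration_i8))
    return datetime_to_integer8(critical)


def build_filter(threshold_i8):
    """LDAP filter for still-locked users. LDAP has no strict '>' operator, so
    '>=' is used with the computed threshold."""
    return f"(&(objectCategory=person)(objectClass=user)(lockoutTime>={threshold_i8}))"


def is_still_locked(lockout_time_i8, lockout_duration_i8, now_utc):
    """The per-account test the server applies for the filter above."""
    if lockout_time_i8 == 0:
        return False
    if lockout_duration_i8 == NEVER_EXPIRES:
        return True
    return lockout_time_i8 >= critical_time_integer8(now_utc, lockout_duration_i8)


def find_locked_out(accounts, lockout_duration_i8, now_utc):
    """Return the DNs of (dn, lockoutTime) pairs that are still locked out."""
    return [dn for dn, lt in accounts if is_still_locked(lt, lockout_duration_i8, now_utc)]


# Constructed sample data: 30-minute domain lockoutDuration (-18000000000 ticks)
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOCKOUT_DURATION = -18_000_000_000
SAMPLE_ACCOUNTS = [
    # Locked 10 minutes ago: still locked
    ("CN=Alice,OU=Users,DC=example,DC=com", datetime_to_integer8(SAMPLE_NOW - timedelta(minutes=10))),
    # Locked 2 hours ago, never logged on since: lockoutTime > 0 but no longer locked
    ("CN=Bob,OU=Users,DC=example,DC=com", datetime_to_integer8(SAMPLE_NOW - timedelta(hours=2))),
    # Never locked, or logged on since
    ("CN=Carol,OU=Users,DC=example,DC=com", 0),
]

if __name__ == "__main__":
    threshold = critical_time_integer8(SAMPLE_NOW, SAMPLE_LOCKOUT_DURATION)
    print("Critical time (UTC):", integer8_to_datetime(threshold))
    print("Filter:", build_filter(threshold))
    for dn in find_locked_out(SAMPLE_ACCOUNTS, SAMPLE_LOCKOUT_DURATION, SAMPLE_NOW):
        print(dn)
```

Against the sample data only Alice is reported; Bob would be returned by the (lockoutTime>=1) filter even though his lockout expired ninety minutes earlier, which is exactly the stale result the duration-based threshold avoids.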

The program should be run at a command prompt with the cscript host. The output can be redirected to a text file. For example, you can run the program with the following command:

cscript //nologo FindLockedOutUsers.vbs > output.txt

FindLockedOutUsers.txt (view or download the VBScript program)

A PowerShell script with the same functionality is linked below:

PSFindLockedOutUsers.txt (view or download the PowerShell script)