Martin Chang的部落格

http://www.wisesoft.co.uk/scripts/vbscript_read_all_account_options_settings.aspx

CONST ADS_UF_PASSWD_CANT_CHANGE = &H40
CONST ADS_UF_DONT_EXPIRE_PASSWD = &H10000
CONST ADS_UF_PASSWORD_EXPIRED = &H800000
CONST ADS_UF_ACCOUNTDISABLE = &H02
CONST ADS_UF_ENCRYPTED_TEXT_PASSWD = &H80
CONST ADS_UF_SMARTCARD_REQUIRED = &h40000
CONST ADS_UF_ACCOUNT_TRUSTED = &H80000
CONST ADS_UF_ACCOUNT_SENSITIVE = &H100000
CONST ADS_UF_DES_ENCRYPTION = &H200000
CONST ADS_UF_KERBEROS_PREAUTH = &H400000

DIM objUser
'<<<< Bind to the user object using the distinguished name >>>>
SET objUser = GETOBJECT("LDAP://cn=test.3,cn=users,dc=wisesoft,dc=co,dc=uk")

intUAC = objUser.GET("userAccountControl")
wscript.echo intUAC

IF objUser.GET("pwdLastSet").HighPart = 0 THEN
	message = message & "User must change password at next logon: TRUE" & vbcrlf
ELSE
	message = message & "User must change password at next logon: FALSE" & vbcrlf
END IF

IF getUserCannotChangePWD(objUser) = TRUE THEN
	message = message & "User cannot change password: TRUE" & vbcrlf
ELSE
	message = message & "User cannot change password: FALSE" & vbcrlf
END IF
IF intUAC AND ADS_UF_DONT_EXPIRE_PASSWD THEN
	message = message & "Password never expires: TRUE" & vbcrlf
ELSE
	message = message & "Password never expires: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_ENCRYPTED_TEXT_PASSWD THEN
	message = message & "Store password using reversible encryption: TRUE" & vbcrlf
ELSE
	message = message & "Store password using reversible encryption: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_ACCOUNTDISABLE THEN
	message = message & "Account Disabled: TRUE" & vbcrlf
ELSE
	message = message & "Account Disabled: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_SMARTCARD_REQUIRED THEN
	message = message & "Smart Card is required for interactive logon: TRUE" & vbcrlf
ELSE
	message = message & "Smart Card is required for interactive logon: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_ACCOUNT_TRUSTED THEN
	message = message & "Account is trusted for delegation: TRUE" & vbcrlf
ELSE
	message = message & "Account is trusted for delegation: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_ACCOUNT_SENSITIVE THEN
	message = message & "Account is sensitive and cannot be delegated: TRUE" & vbcrlf
ELSE
	message = message & "Account is sensitive and cannot be delegated: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_DES_ENCRYPTION THEN
	message = message & "Use DES encryption types for this account: TRUE" & vbcrlf
ELSE
	message = message & "Use DES encryption types for this account: FALSE" & vbcrlf
END IF

IF intUAC AND ADS_UF_KERBEROS_PREAUTH THEN
	message = message & "Do not require Kerberos preauthentication: TRUE" & vbcrlf
ELSE
	message = message & "Do not require Kerberos preauthentication: FALSE" & vbcrlf	
END IF

IF intUAC AND ADS_UF_PASSWD_CANT_CHANGE THEN
	message = message & "User cannot change password: TRUE" & vbcrlf
ELSE
	message = message & "User cannot change password: FALSE" & vbcrlf
END IF

wscript.echo message


'<<<<< Function to return if user cannot change password has been set >>>>>>
FUNCTION getUserCannotChangePWD(BYVAL objUser)

	CONST CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
	CONST ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
	' Bind to the user security objects.
	SET objSecDescriptor = objUser.GET("ntSecurityDescriptor")
	SET objDACL = objSecDescriptor.discretionaryAcl

	FOR EACH objACE In objDACL
  		IF UCASE(objACE.objectType) = UCASE(CHANGE_PASSWORD_GUID) THEN
    			IF UCASE(objACE.Trustee) = "NT AUTHORITY\SELF" THEN
      				IF objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT THEN
        				getUserCannotChangePWD=False
					EXIT FUNCTION
      				END IF
    			END IF
    			IF UCASE(objACE.Trustee) = "EVERYONE" THEN
      				IF objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT THEN
        				getUserCannotChangePWD=False
					EXIT FUNCTION
      				END IF
    			END IF
  		END IF
	NEXT

    	getUserCannotChangePWD=True
END FUNCTION