http://www.wisesoft.co.uk/scripts/vbscript_read_all_account_options_settings.aspx
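Option Explicit

' Reads the account-option settings of one Active Directory user over LDAP and
' echoes them, one "<setting>: TRUE|FALSE" line per option.
'
' Usage: cscript //nologo <script>.vbs ["<distinguished name of the user>"]
' With no argument the sample DN from the original listing is used.
'
' Several of these options weaken credential protection when they are TRUE
' (reversible password storage, DES-only keys, no Kerberos pre-authentication,
' non-expiring passwords, unconstrained delegation), so the output is also
' useful as a quick per-account audit.

' userAccountControl bit flags. The names are the ones this script has always
' used; the ADS_USER_FLAG_ENUM name is noted where it differs.
Const ADS_UF_ACCOUNTDISABLE = &H02
Const ADS_UF_PASSWD_CANT_CHANGE = &H40          ' not tested below, see note in the main section
Const ADS_UF_ENCRYPTED_TEXT_PASSWD = &H80       ' ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_SMARTCARD_REQUIRED = &H40000
Const ADS_UF_ACCOUNT_TRUSTED = &H80000          ' ADS_UF_TRUSTED_FOR_DELEGATION
Const ADS_UF_ACCOUNT_SENSITIVE = &H100000       ' ADS_UF_NOT_DELEGATED
Const ADS_UF_DES_ENCRYPTION = &H200000          ' ADS_UF_USE_DES_KEY_ONLY
Const ADS_UF_KERBEROS_PREAUTH = &H400000        ' ADS_UF_DONT_REQUIRE_PREAUTH: set means pre-auth is NOT required
Const ADS_UF_PASSWORD_EXPIRED = &H800000        ' kept for reference; not reported below

Dim objUser, objPwdLastSet, strUserDN, intUAC, message

' Sample DN from the original listing; an optional first argument overrides it.
strUserDN = "cn=test.3,cn=users,dc=wisesoft,dc=co,dc=uk"
If WScript.Arguments.Count > 0 Then
    strUserDN = WScript.Arguments(0)
End If

' Bind to the user object using the distinguished name.
Set objUser = GetObject("LDAP://" & strUserDN)

intUAC = objUser.Get("userAccountControl")
WScript.Echo intUAC

' pwdLastSet is a 64-bit value exposed as two 32-bit halves; the option is on
' only when the whole value is zero, so both halves are checked.
Set objPwdLastSet = objUser.Get("pwdLastSet")

message = ""
message = message & describeSetting("User must change password at next logon", objPwdLastSet.HighPart = 0 And objPwdLastSet.LowPart = 0)

' "User cannot change password" is reported once, from the object's DACL.
' The original listing also printed a second line with the same label from
' the ADS_UF_PASSWD_CANT_CHANGE bit. Active Directory stores this option as
' ACEs on the user object rather than in userAccountControl, so that bit is
' not a reliable indicator over LDAP and the two lines could contradict each
' other. The bit-based line has been dropped.
message = message & describeSetting("User cannot change password", getUserCannotChangePWD(objUser))

message = message & describeSetting("Password never expires", (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0)
message = message & describeSetting("Store password using reversible encryption", (intUAC And ADS_UF_ENCRYPTED_TEXT_PASSWD) <> 0)
message = message & describeSetting("Account Disabled", (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0)
message = message & describeSetting("Smart Card is required for interactive logon", (intUAC And ADS_UF_SMARTCARD_REQUIRED) <> 0)
message = message & describeSetting("Account is trusted for delegation", (intUAC And ADS_UF_ACCOUNT_TRUSTED) <> 0)
message = message & describeSetting("Account is sensitive and cannot be delegated", (intUAC And ADS_UF_ACCOUNT_SENSITIVE) <> 0)
message = message & describeSetting("Use DES encryption types for this account", (intUAC And ADS_UF_DES_ENCRYPTION) <> 0)
message = message & describeSetting("Do not require Kerberos preauthentication", (intUAC And ADS_UF_KERBEROS_PREAUTH) <> 0)

WScript.Echo message

' Formats one report line: "<strLabel>: TRUE" or "<strLabel>: FALSE", followed
' by a line break.
Function describeSetting(ByVal strLabel, ByVal blnSet)
    If blnSet Then
        describeSetting = strLabel & ": TRUE" & vbCrLf
    Else
        describeSetting = strLabel & ": FALSE" & vbCrLf
    End If
End Function

' Returns True when the user is not permitted to change their own password,
' judged from the Change Password extended-right ACEs in the object's DACL.
'
' The DACL is walked in stored order and the first object ACE for the Change
' Password right whose trustee is SELF or Everyone decides the result: a deny
' ACE means True, an allow ACE means False. The original listing looked at
' allow ACEs only, so an allow ACE that followed a deny ACE still produced
' False. When no matching ACE is found the right is not granted to either
' trustee and the function returns True, as before.
'
' NOTE(review): trustees are matched by their English display names. On a
' system that resolves these well-known principals to localized names the
' comparison will not match and the function falls through to True; confirm
' against the target environment.
Function getUserCannotChangePWD(ByVal objUser)
    Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Dim objSecDescriptor, objDACL, objACE, strTrustee

    ' Bind to the user security objects.
    Set objSecDescriptor = objUser.Get("ntSecurityDescriptor")
    Set objDACL = objSecDescriptor.DiscretionaryAcl

    For Each objACE In objDACL
        If UCase(objACE.ObjectType) = UCase(CHANGE_PASSWORD_GUID) Then
            strTrustee = UCase(objACE.Trustee)
            If strTrustee = "NT AUTHORITY\SELF" Or strTrustee = "EVERYONE" Then
                Select Case objACE.AceType
                    Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
                        getUserCannotChangePWD = True
                        Exit Function
                    Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                        getUserCannotChangePWD = False
                        Exit Function
                End Select
            End If
        End If
    Next

    getUserCannotChangePWD = True
End Function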