Bulk un-lock domain IDs


W32/conficker.worm.gen.a has caused 9xx domain IDs to be locked out. Below is a script to check the number of locked IDs and create an event in the OS if the count hits the threshold (i.e. 50).
 
chk-lockid.cmd
@echo off
rem The path separators were lost when the post was published; the backslashes below are restored.
set src=e:\ATScripts\unlock
rem The day/month suffix is cut from %date%, so it depends on the regional short-date format
set logfile=e:\ATScripts\unlock\chk-lockedID-%date:~-10,2%%date:~-7,2%.log
cd /d %src%
echo.  >> %logfile%
echo ------------------------------ >> %logfile%
echo.  >> %logfile%
date /t   >> %logfile%
time /t   >> %logfile%
cscript //nologo %src%\un-lock.vbs >> %logfile%
set src=
set logfile=
@echo on
 
un-lock.vbs
Option Explicit
Dim oShell, cn, cmd, rs, objRoot, strFilter, namingContext, query, objUser, lockedCount
' Number of locked-out IDs at which an Application event log entry is raised
Const LOCKED_THRESHOLD = 30

' Get the default naming context to be used in the query later, e.g. dc=wisesoft,dc=co,dc=uk
Set objRoot = GetObject("LDAP://RootDSE")
namingContext = objRoot.Get("defaultNamingContext")

' Filter all users with a lockout time (*) that is not equal to zero
' - some will be locked out, others will have been unlocked automatically by the
' domain lockout duration policy. The lockout time will be set to zero after a
' successful logon for these users and also after execution of this script.
' Although it isn't necessary to unlock these users - you would have to compare
' the lockoutTime with the current time and the lockout duration policy for the
' domain (requires conversion from 64-bit numbers).
' The last clause excludes disabled accounts (userAccountControl bit 0x2).
strFilter = "(&(objectCategory=person)(objectClass=user)(lockouttime=*)(!lockoutTime=0)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

' The query returns the adspath of each user (we can create a user object from this) and searches all
' OUs within the context specified (the domain)
query = "<LDAP://" & namingContext & ">;" & strFilter & ";adspath;subtree"

Set cmd = CreateObject("ADODB.Command")
Set cn = CreateObject("ADODB.Connection")
cn.Open "Provider=ADsDSOObject;"
cmd.ActiveConnection = cn
cmd.CommandText = query
' Page the results to bypass the 1000-record limit of a single LDAP search
cmd.Properties("Page Size") = 1000
Set rs = cmd.Execute

lockedCount = 0
Do While Not rs.EOF
    Set objUser = GetObject(rs(0))
    ' Setting lockoutTime to 0 unlocks the account, but the change is only written when SetInfo is called
    objUser.Put "lockoutTime", 0
    WScript.Echo "ID = " & objUser.sAMAccountName & vbTab & " CN = " & objUser.cn
    ' objUser.SetInfo    ' left commented out: the script reports without unlocking
    lockedCount = lockedCount + 1
    rs.MoveNext
Loop
rs.Close
cn.Close

' lockedCount is tallied in the loop because RecordCount is not reliable for every cursor type
WScript.Echo "locked " & lockedCount & " accounts"
If lockedCount >= LOCKED_THRESHOLD Then
    Set oShell = CreateObject("WScript.Shell")
    ' Write an Error event (ID 301, source "Scripts") to the Application log; 0 = hidden window, True = wait for exit
    oShell.Run "eventcreate /ID 301 /SO Scripts /L Application /T Error /D ""Summary total of " & lockedCount & " IDs locked out""", 0, True
End If
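As an added example (not part of the original post or its scripts): the comment in un-lock.vbs notes that a non-zero lockoutTime does not mean an account is still locked, because the domain's lockoutDuration policy may already have released it, and that deciding this needs a comparison on 64-bit FILETIME values. The Python below performs exactly that comparison and then applies the same kind of threshold test the script uses. Every account name, lockout time and the 30-minute policy value are constructed for the example, not taken from a real domain.

```python
"""Decide which lockoutTime values still represent a locked account.

lockoutTime (per user) and lockoutDuration (per domain) are 64-bit values in
100-nanosecond ticks: lockoutTime counts from 1601-01-01 UTC (FILETIME) and
lockoutDuration is stored as a negative interval.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# A lockoutDuration of LLONG_MIN means the account stays locked until an admin unlocks it
LOCKOUT_UNTIL_ADMIN_UNLOCKS = -(2 ** 63)


def datetime_to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks (100 ns since 1601-01-01 UTC)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks):
    """Convert FILETIME ticks back to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def is_still_locked(lockout_time, lockout_duration, now):
    """True if a lockout recorded at `lockout_time` is still in force at `now`.

    This is the comparison the VBScript comment describes but does not perform:
    once lockoutTime + |lockoutDuration| lies in the past, the domain has already
    released the account even though lockoutTime is still non-zero.
    """
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_UNTIL_ADMIN_UNLOCKS:
        return True
    # lockoutDuration is negative, so subtracting it adds the duration to the lockout time
    unlock_at = filetime_to_datetime(lockout_time - lockout_duration)
    return now < unlock_at


def summarize_lockouts(records, lockout_duration, now, threshold=30):
    """Return (names still locked, names already released, threshold_hit).

    `records` is an iterable of (sAMAccountName, lockoutTime) pairs, the shape
    the script's LDAP query yields (lockoutTime is non-zero for every row).
    """
    locked, released = [], []
    for name, lockout_time in records:
        (locked if is_still_locked(lockout_time, lockout_duration, now) else released).append(name)
    return locked, released, len(locked) >= threshold


# --- constructed sample data (hypothetical accounts, not from a real domain) ---
NOW = datetime(2009, 3, 1, 12, 0, tzinfo=timezone.utc)
THIRTY_MINUTES = -30 * 60 * TICKS_PER_SECOND  # lockoutDuration for a 30-minute policy
SAMPLE_RECORDS = [
    ("alice", datetime_to_filetime(NOW - timedelta(minutes=5))),   # locked 5 min ago: still locked
    ("bob", datetime_to_filetime(NOW - timedelta(minutes=29))),    # 29 min ago: still locked
    ("carol", datetime_to_filetime(NOW - timedelta(minutes=31))),  # 31 min ago: released by policy
    ("dave", datetime_to_filetime(NOW - timedelta(hours=6))),      # stale lockoutTime from hours ago
]

if __name__ == "__main__":
    locked, released, hit = summarize_lockouts(SAMPLE_RECORDS, THIRTY_MINUTES, NOW, threshold=2)
    print("still locked :", locked)
    print("released     :", released)
    print("threshold hit:", hit)
```

Counting only the accounts that are still locked gives a threshold that tracks the worm's current activity rather than the day's history; a filter on `lockoutTime != 0` alone keeps growing until the accounts log on again or the script clears the attribute.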
 
This entry was posted in Scripts. Bookmark the permalink.