Auditing userAccountControl with VbScript

This VbScript searches the current domain for all users with “User cannot change password”, “Password never expires”, or “Trusted for delegation” set, the results of the search are written to a tab delimited text file.

' UserAccountControl.vbs
'
' Script to report User Account Control Flag usage within the current domain. '
' Author: Chris Dent
' Modified: 06/03/2008

Option Explicit

Const REPORT_FILE = "Users.txt"

' userAccountControl flag values
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000

Const ADS_SCOPE_SUBTREE = 2
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6

Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

'
' Main Code
'

Dim objFileSystem, objFile, objConnection, objCommand
Dim objRootDSE, objRecordSet, objUser
Dim objSD, objDACL, objACE
Dim strPwdCantChange, strPwdDontExpire, strTrustedForDelegation
Dim strDisplayName, strUsername, strDN
Dim intUAC 
Dim booList

' Create report file
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile(REPORT_FILE, 2, True, 0)

' Write header
objFile.WriteLine "Display Name" & VbTab & "Username" & VbTab & _
    "Distinguished Name" & VbTab & "Password Cannot Change" & _
    VbTab & "Password Never Expires" & VbTab & "Trusted for Delegation"
    
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Configure search
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT displayName, distinguishedName, " & _
    "sAMAccountName, userAccountControl, nTSecurityDescriptor FROM 'LDAP://" & _
    objRootDSE.Get("defaultNamingContext") & _
    "' WHERE objectClass='user' AND objectCategory='person'"
Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    strPwdCantChange = "False" : strPwdDontExpire = "False"
    strTrustedForDelegation = "False"
    booList = False
    
    intUAC = objRecordSet.Fields("userAccountControl")
    ' Check for Password Cannot Change Flag
    Set objUser = GetObject("LDAP://" & objRecordSet.Fields("distinguishedName"))
    
    Set objSD = objUser.Get("nTSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl
    For Each objACE in objDACL
        If objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT And _
            LCase(objACE.ObjectType) = CHANGE_PASSWORD_GUID Then 
            
            strPwdCantChange = "True" : booList = True
            Exit For
        End If
    Next
    Set objDACL = Nothing
    Set objSD = Nothing
    
    Set objUser = Nothing
    
    ' Check for password never expires
    If intUAC And ADS_UF_DONT_EXPIRE_PASSWD Then
        strPWDDontExpire = "True" : booList = True
    End If
    
    ' Check for trusted for delegation
    If intUAC And ADS_UF_TRUSTED_FOR_DELEGATION Then
        strTrustedForDelegation = "True" : booList = True
    End If
    
    If booList = True Then
        strDisplayName = objRecordSet.Fields("displayName")
        strUsername = objRecordSet.Fields("sAMAccountName")
        strDN = objRecordSet.Fields("distinguishedName")
        
        objFile.WriteLine strDisplayName & VbTab & strUsername & VbTab & _
            strDN & VbTab & strPwdCantChange & VbTab & strPwdDontExpire & _
            VbTab & strTrustedForDelegation
    End If
    
    objRecordSet.MoveNext
Wend

objConnection.Close

Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Auditing userAccountControl with VbScript
Share this