Re: Bulk unlock user accounts
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 8 Jan 2009 10:55:29 -0600
"John Renkar" <jrenkar@xxxxxxxxxxx> wrote in message
news:uolclhacJHA.1532@xxxxxxxxxxxxxxxxxxxxxxx
We have been hit by the W32.Downadup.B virus. While we are removing it
from our network, our users are bing locked out. I patched together the
following script from some sample on the Microsoft site. It is not
working. Any suggestions as to what is wrong and how to get it to work?
*********
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT * FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
Set objUser = GetObject ("LDAP://cn="; & objRecordSet.Fields("Name").Value
& ",dc=NA,dc=fabrikam,dc=com")
objUser.IsAccountLocked = False
objUser.SetInfo
objRecordSet.MoveNext
Loop
*********
I assume you substituted the DNS name of your domain for
"dc=fabrikam,dc=com". You should specify the specific attributes you want to
retrieve. It makes more sense to retrieve distinguishedName. Also, the
filter should be "objectCategory = 'person' and objectClass = 'user'". For
example:
objCommand.CommandText = _
"SELECT distinguishedName FROM 'LDAP://dc=fabrikam,dc=com' " _
& "WHERE objectCategory = 'person' AND objectClass = 'user'"
Then when you bind to the user object:
Set objUser = GetObject("LDAP://"; &
objRecordset.Fields("distinguishedName").Value)
Finally, I would recommend not using "On Error Resume Next" throughout the
script. It makes troubleshooting very difficult. The only part that might
raise an error is where the accounts are unlocked (you may lack permission).
I would suggest using LDAP syntax. For example this should work:
==========
Option Explicit
Dim objRootDSE, strDNSDomain, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, objUser
' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE";)
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoRecordset = CreateObject("ADODB.Recordset")
adoRecordset.ActiveConnection = adoConnection
' Search entire domain.
strBase = "<LDAP://"; & strDNSDomain & ">"
' Filter on all user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
' Run the query.
adoRecordset.Source = strQuery
adoRecordset.Open
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
strDN = Replace(strDN, "/", "\/")
Set objUser = GetObject("LDAP://"; & strDN)
On Error Resume Next
objUser.IsAccountLocked = False
objUser.SetInfo
If (Err.Number <> 0) Then
Wscript.Echo "Unable to unlock " & strDN
End If
On Error GoTo 0
adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
.
- References:
- Bulk unlock user accounts
- From: John Renkar
- Bulk unlock user accounts
- Prev by Date: Script: read a registry key
- Next by Date: I need your help.
- Previous by thread: Bulk unlock user accounts
- Next by thread: Script: read a registry key
- Index(es):
Relevant Pages
|
