Exporting AD users and its info to a text file

Revision as of 15:16, 14 July 2016 by Fabricio.Lima (Talk | contribs)



This VBScript exports the list of users from Active Directory together with several per-user details, such as full name, telephone number, whether the user is a member of an administrative group, whether the account is disabled or its password never expires, and so on.

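On Error Resume Next

' ADSI error / userAccountControl flag constants used by the helper functions below.
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const FourthOctet = 1
Const ThirdOctet = 256
Const SecondOctet = 65536
Const FirstOctet = 16777216
' TextStream iomode constants (for OpenTextFile; CreateTextFile takes booleans instead).
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

' Where the report is written. The file is an account inventory that
' includes privileged-group membership, so keep it on an access-controlled
' location and remove it when no longer needed.
strReportPath = "C:\AD.TXT"

' Bind to the domain of the current security context. Abort with a
' non-zero exit code instead of silently producing an empty report when
' the bind fails (the global On Error Resume Next would otherwise hide it).
Err.Clear
Set rootDSE=GetObject("LDAP://RootDSE")
If Err.Number <> 0 Then
	WScript.Echo "Cannot bind to LDAP://RootDSE: " & Err.Description
	WScript.Quit 1
End If
domainContainer = rootDSE.Get("defaultNamingContext")
Set domainObject = GetObject("LDAP://" & domainContainer)
If Err.Number <> 0 Then
	WScript.Echo "Cannot bind to LDAP://" & domainContainer & ": " & Err.Description
	WScript.Quit 1
End If

' CreateTextFile(filename, overwrite, unicode): the report is overwritten
' on every run and written as Unicode text. (The original passed the
' ForWriting iomode constant as the overwrite flag; any non-zero value
' means True, so the behaviour is unchanged.)
Set fs = CreateObject ("Scripting.FileSystemObject")
Set outFile = fs.CreateTextFile (strReportPath, True, True)
If Err.Number <> 0 Then
	WScript.Echo "Cannot create " & strReportPath & ": " & Err.Description
	WScript.Quit 1
End If

' Printing Header
outFile.WriteLine  "Login;FullName;Description;Office;e-mail;Telephone;LoginScript;LastLogon;Status;LastPasswordSet;Dial-In;PasswordNeverExpires;Admin Group;"

'Starting recursion
ExportUsers(domainObject)

outFile.Close
WScript.Quit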

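' Append one report row for the user identified by strUserDN to the global
' outFile. Columns are ";"-separated in the order of the header written at
' the top of the script. Each attribute is written by its own statement,
' followed by a separate statement for the separator, so that an attribute
' read that fails (under On Error Resume Next) leaves an empty column
' instead of shifting the remaining columns. Attribute values are passed
' through Field() so that a ";" or a line break inside an attribute
' (e.g. Description) cannot break the row layout.
' The per-attribute helpers (LastLogon, isDisabled, DialIn,
' PasswordNeverExpires, MemberOf) each re-bind to the same DN.
Function WriteReport (strUserDN)

	On Error Resume Next
	Err.Clear
	Set objUser = GetObject ("LDAP://" & strUserDN)
	If Err.Number <> 0 Then
		' Could not bind: emit the DN so the account is not silently
		' missing from the inventory, and leave the other 12 columns empty.
		Err.Clear
		outFile.WriteLine Field(strUserDN) & ";" & String(12, ";")
		Exit Function
	End If
	outFile.Write Field(objUser.sAMAccountName)
	outFile.Write ";"
	outFile.Write Field(objUser.FullName)
	outFile.Write ";"
	outFile.Write Field(objUser.Description)
	outFile.Write ";"
	outFile.Write Field(objUser.physicalDeliveryOfficeName)
	outFile.Write ";"
	outFile.Write Field(objUser.emailAddress)
	outFile.Write ";"
	' NOTE(review): IADsUser.TelephoneNumber may come back as an array of
	' strings; Field() joins array values so the column is not left empty.
	outFile.Write Field(objUser.TelephoneNumber)
	outFile.Write ";"
	outFile.Write Field(UCase (objUser.ScriptPath))
	outFile.Write ";"
	outFile.Write Field(LastLogon (strUserDN))
	outFile.Write ";"
	outFile.Write Field(isDisabled (strUserDN))
	outFile.Write ";"
	outFile.Write Field(objUser.PasswordLastChanged)
	outFile.Write ";"
	outFile.Write Field(DialIn (strUserDN))
	outFile.Write ";"
	outFile.Write Field(PasswordNeverExpires (strUserDN))
	outFile.Write ";"
	outFile.Write Field(MemberOf (strUserDN)) & ";" & vbCrLf

End Function

' Render one attribute value as a single report column: Null/Empty become
' "", arrays (multi-valued attributes) are joined with " | ", and the
' field separator ";" and any line breaks are replaced so the value stays
' inside its column.
Private Function Field (varValue)

	On Error Resume Next
	strOut = ""
	If IsArray(varValue) Then
		For Each varItem In varValue
			If Len(strOut) > 0 Then strOut = strOut & " | "
			strOut = strOut & CStr(varItem)
		Next
	ElseIf Not IsNull(varValue) Then
		strOut = CStr(varValue)
	End If
	strOut = Replace(strOut, vbCrLf, " ")
	strOut = Replace(strOut, vbCr, " ")
	strOut = Replace(strOut, vbLf, " ")
	strOut = Replace(strOut, ";", ",")
	Field = strOut

End Function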

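' Walk the directory tree below oObject (a bound domain, OU or container)
' and write one report row for every child of class "user".
' organizationalUnit and container children are descended recursively;
' children of any other class (groups, computers, builtinDomain, ...) are
' skipped.
Sub ExportUsers(oObject)

	On Error Resume Next
	For Each oChild in oObject
		Select Case oChild.Class
			Case "user"
				WriteReport (oChild.DistinguishedName)
			Case "organizationalUnit" , "container"
				' Descend unconditionally. A subtree without users simply
				' produces no rows, so the former UsersinOU pre-scan (which
				' walked every subtree once per ancestor level) is not needed.
				ExportUsers(oChild)
		End Select
	Next

End Sub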

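' Return True when oObject (a bound OU or container) holds at least one
' object of class "user" anywhere in its subtree, False otherwise.
' The search stops at the first user found. (The original assigned the
' result of each sub-container scan directly, so a user-less sibling
' container scanned later overwrote an earlier True with False.)
Function UsersinOU (oObject)

	On Error Resume Next
	UsersinOU = False
	For Each oChild in oObject
		Select Case oChild.Class
			Case "user"
				UsersinOU = True
				Exit Function
			Case "organizationalUnit" , "container"
				If UsersinOU(oChild) Then
					UsersinOU = True
					Exit Function
				End If
		End Select
	Next

End Function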


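' Check if a User Account is disabled or not.
' Returns "Disabled" or "Enabled" from IADsUser.AccountDisabled, and
' "Unknown" when the account cannot be bound or the property cannot be
' read. (Without the explicit error check, a failed read under
' On Error Resume Next produced a state that was not actually known.)
Function isDisabled (strUserDN)

	On Error Resume Next
	Err.Clear
	isDisabled = "Unknown"
	Set objUser = GetObject ("LDAP://" & strUserDN)
	If Err.Number <> 0 Then
		Err.Clear
		Exit Function
	End If
	blnDisabled = objUser.AccountDisabled
	If Err.Number <> 0 Then
		Err.Clear
		Exit Function
	End If
	If blnDisabled = True Then
		isDisabled = "Disabled"
	Else
		isDisabled = "Enabled"
	End If

End Function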


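' List Last Login Time Stamp for a User Account.
' Returns the lastLogon value converted to a Date (UTC), "Never" when the
' attribute is absent or zero, and "Unknown" when the account cannot be
' read. Note: lastLogon is not replicated between domain controllers, so
' the value reflects only the DC this script is bound to; the replicated
' (but coarser) alternative is lastLogonTimestamp, see the commented line.
Function LastLogon (strUserDN)

	On Error Resume Next
	Err.Clear
	LastLogon = "Unknown"
	Set objUser = GetObject ("LDAP://" & strUserDN)
	If Err.Number <> 0 Then
		Err.Clear
		Exit Function
	End If
	LastLogon = "Never"
	'Set objLogon = objUser.Get("lastLogonTimestamp")  'Windows 2003 functional level
	Set objLogon = objUser.Get("lastLogon")
	If Err.Number <> 0 Then
		' Property-not-found means the user never logged on at this DC;
		' any other error leaves the value unknown.
		If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then LastLogon = "Unknown"
		Err.Clear
		Exit Function
	End If
	lngHigh = objLogon.HighPart
	lngLow = objLogon.LowPart
	' LowPart is a signed 32-bit value; when it is negative the 64-bit
	' total must be corrected by one unit of 2^32.
	If lngLow < 0 Then lngHigh = lngHigh + 1
	dblLogonTime = lngHigh * (2^32) + lngLow
	If dblLogonTime = 0 Then Exit Function
	' 100-nanosecond intervals -> minutes -> days since 1601-01-01.
	dblLogonTime = dblLogonTime / (60 * 10000000)
	dblLogonTime = dblLogonTime / 1440
	LastLogon = dblLogonTime + #1/1/1601#

End Function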


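' Check if Password Never Expires.
' Returns "Never Expires" when the ADS_UF_DONT_EXPIRE_PASSWD bit of
' userAccountControl is set, "Expires soon" when it is not (the password is
' subject to the domain's expiry policy; "soon" is the legacy wording of
' this report), and "Unknown" when the attribute cannot be read.
' This function only reads the flag; it never modifies the account.
Function PasswordNeverExpires (strUserDN)
	
	On Error Resume Next
	Err.Clear
	PasswordNeverExpires = "Unknown"
	Set objUser = GetObject ("LDAP://" & strUserDN)
	intUAC = objUser.Get("userAccountControl")
	If Err.Number <> 0 Then
		Err.Clear
		Exit Function
	End If
	' Bitwise test: a non-zero result means the flag is set.
	If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
		PasswordNeverExpires = "Never Expires"
	Else
		PasswordNeverExpires = "Expires soon"
	End If

End Function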


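' List the Dial-In Property Configuration Settings for a User Account.
' Returns "Allow Dial-in" / "Deny Dial-in" from msNPAllowDialin,
' "Control access through Remote Access Policy" when the attribute is not
' set on the account, and "Unknown" when the account cannot be bound or
' the read fails for another reason. Err is cleared up front so a stale
' error from the caller is not mistaken for a property-not-found result.
Function DialIn (strUserDN)

	On Error Resume Next
	Err.Clear
	DialIn = "Unknown"
	Set objUser = GetObject ("LDAP://" & strUserDN)
	If Err.Number <> 0 Then
		Err.Clear
		Exit Function
	End If
	blnMsNPAllowDialin = objUser.Get("msNPAllowDialin")
	If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
		' Attribute absent: the remote access policy decides.
		DialIn = "Control access through Remote Access Policy"
		Err.Clear
	ElseIf Err.Number <> 0 Then
		Err.Clear
	ElseIf blnMsNPAllowDialin = True Then
		DialIn = "Allow Dial-in"
	Else
		DialIn = "Deny Dial-in"
	End If

End Function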


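' Check if the user is member of Administrators, Domain Admins, Enterprise
' Admins or any other group whose NAME contains "admin" (case-insensitive).
' Returns the matching group DNs as a comma-terminated list, or "" when
' nothing matches or memberOf cannot be read.
' Only the group's own name (the leading RDN value) is tested, so a DN
' path such as "OU=Admin Workstations" no longer causes a false match.
' NOTE(review): memberOf lists direct memberships only; nested membership
' and the account's primary group (primaryGroupID) are not reflected here,
' so this column alone is not a complete privileged-account check.
Function MemberOf (strUserDN)

	On Error Resume Next
	Err.Clear
	MemberOf = ""
	Set objUser = GetObject ("LDAP://" & strUserDN)
	arrMemberOf = objUser.GetEx("memberOf")
	If Err.Number <> 0 Then
		' Bind failed or the user has no memberOf values.
		Err.Clear
		Exit Function
	End If
	strList = ""
	For Each strGroupDN in arrMemberOf
		If InStr(1, GroupName(strGroupDN), "admin", vbTextCompare) > 0 Then
			strList = strGroupDN & "," & strList
		End If
	Next
	MemberOf = strList

End Function

' Return the value of the leading RDN of a distinguished name, e.g.
' "CN=Domain Admins,CN=Users,DC=example,DC=com" gives "Domain Admins".
' A comma escaped with a backslash ("\,") is treated as part of the value.
Private Function GroupName (strDN)

	strValue = strDN
	' Drop the attribute type ("CN=") if present.
	intEq = InStr(strValue, "=")
	If intEq > 0 Then strValue = Mid(strValue, intEq + 1)
	' Cut at the first comma that is not escaped.
	intPos = InStr(strValue, ",")
	Do While intPos > 1
		If Mid(strValue, intPos - 1, 1) <> "\" Then Exit Do
		intPos = InStr(intPos + 1, strValue, ",")
	Loop
	If intPos > 0 Then strValue = Left(strValue, intPos - 1)
	GroupName = strValue

End Function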