Script to search for smart card enabled accounts

I am wondering how to develop a script to search the Active Directory for accounts that have "Smart Card Required for Interactive Login" set?

I need to be able to run a report on how many accounts and which accounts are required to use smart cards.
Asked by bbanis2k
RobSampson commented:
Hi, it looks like you could use something like this to report on that:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/may05/hey0512.mspx

But instead of using bit value 2 (which is Account Disabled), it may be bit value 262144, or 40000, but I'd have to test that....
http://msdn2.microsoft.com/en-us/library/ms680832.aspx
http://support.microsoft.com/kb/305144/

Regards,

Rob.
bbanis2k (Author) commented:
Can you test it?  I'm out of the office right now or I would.  Thanks!
RobSampson commented:
Yep, OK, I just tested it, this seems to work fine:

'==============
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript  """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000

' 262144 (hex 40000) is ADS_UF_SMARTCARD_REQUIRED; the 1.2.840.113556.1.4.803
' matching rule makes the domain controller do the bitwise AND server-side.
objCommand.CommandText = _
    "<LDAP://dc=maroondah,dc=local>;(&(objectCategory=User)" & _
        "(userAccountControl:1.2.840.113556.1.4.803:=262144));adsPath;Subtree"
Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty recordset, so check EOF first
If objRecordSet.EOF Then
    Wscript.Echo "No matching users were found."
Else
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        Wscript.Echo objRecordSet.Fields("AdsPath").Value
        objRecordSet.MoveNext
    Loop
End If
'=================

Regards,

Rob.
bbanis2k (Author) commented:
Here are a couple of questions:

Where does it create/store the report?

How can I specify my domain and OU?  For example: internal.johnson.dom.  My OU would be Dallas, then Users.

Thanks!
Brandon
RobSampson commented:
Hi, sorry, the original script didn't output to any file.  This one will output to a CSV file, and there's also a description in there to point to a specific OU:

'==============
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript  """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If

' == DOMAIN SPECIFICATION ==
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = objRootDSE.Get("defaultNamingContext")
'or if that's not the correct domain, use
'strDomain = "DC=internal,DC=johnson,DC=dom"

' == OU SPECIFICATION ==
' Specify the OU path in backwards order, for example, for:
' domain.local\Sites\Main Office\Users
' you would use
' strOUPath = "OU=Users,OU=Main Office,OU=Sites"
strOUPath = ""
If strOUPath <> "" Then
      If Right(strOUPath, 1) <> "," Then strOUPath = strOUPath & ","
End If

' == OUTPUT FILE NAME ==
strOutputFile = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "Users_With_SmartCard_Enabled.csv"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000

' Alternative: let the domain controller return only smart-card users
' (262144 = ADS_UF_SMARTCARD_REQUIRED, tested with the bitwise-AND rule):
'objCommand.CommandText = _
'    "<LDAP://" & strOUPath & strDomain & ">;(&(objectCategory=person)(objectClass=user)" & _
'        "(userAccountControl:1.2.840.113556.1.4.803:=262144));adsPath;Subtree"

' (objectClass=user) excludes contact objects: they also match
' objectCategory=person but have no userAccountControl attribute, so
' objUser.Get("userAccountControl") below would fail on them.
objCommand.CommandText = _
    "<LDAP://" & strOUPath & strDomain & ">;(&(objectCategory=person)(objectClass=user));adsPath;Subtree"

Set objRecordSet = objCommand.Execute

strDetails = """Full Name"",""ADS Path"",""SmartCard Required"""
If Not objRecordSet.EOF Then
      objRecordSet.MoveFirst
      Do Until objRecordSet.EOF
          strADsPath = objRecordSet.Fields("AdsPath").Value
          Wscript.Echo strADsPath
          Set objUser = GetObject(strADsPath)
          intUserAC = objUser.Get("userAccountControl")
          
            If intUserAC And 262144 Then
                  WScript.Echo objUser.DisplayName & " - SmartCard ENABLED"
                  strDetails = strDetails & VbCrLf & """" & objUser.DisplayName & """,""" & strADsPath & """,""YES"""
            Else
                  WScript.Echo objUser.DisplayName & " - SmartCard DISABLED"
                  strDetails = strDetails & VbCrLf & """" & objUser.DisplayName & """,""" & strADsPath & """,""NO"""
            End If

          objRecordSet.MoveNext
      Loop
Else
      WScript.Echo "No users were found."
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutputFile = objFSO.CreateTextFile(strOutputFile, True)
objOutputFile.Write strDetails
objOutputFile.Close
Set objOutputFile = Nothing
Set objFSO = Nothing

WScript.Echo ""
WScript.Echo "Output file has been created at " & strOutputFile
'=================

Regards,

Rob.
bbanis2k (Author) commented:
Great!!!  Thank you for your time.  I will give this a shot first thing tomorrow!!
RobSampson commented:
No problem.  Let me know how you go.

Regards,

Rob.
bbanis2k (Author) commented:
I'm very impressed with your abilities!!!  This worked perfectly.
RobSampson commented:
Thanks bbanis2k.  Much appreciated.  I'm learning a lot doing things like this.....

Regards,

Rob.
vhaperbaugub commented:
Hello - I'm trying to use the script, it runs but then I get this error:

C:\SmartCardCheck\SmartCard.vbs(53, 11) Active Directory: The directory property cannot be found in the cache.

Is there a fix?


Thanks
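The same bit test and CSV layout as Rob's script, worked through in Python over constructed records, as an added example that is not code from this thread. Line 53 of the second script is the objUser.Get("userAccountControl") call, and a likely cause of the "directory property cannot be found in the cache" error is an object returned by the query that carries no userAccountControl attribute (a contact object also matches objectCategory=person); the example records such objects instead of failing on them. The sample entries, the example.test domain and the Dallas/Users OU names are all constructed; the flag values are the ADS_USER_FLAG bits that the thread links to, with 262144 = 0x40000 being the smart-card bit.

```python
"""Decode userAccountControl bits and build the smart-card report the
thread's VBScript produces, over constructed sample records.
Added example; not code from the thread."""
import csv
import io

# Selected userAccountControl flag bits (ADS_USER_FLAG values).  262144 is
# 0x40000, the bit Rob's script tests with "If intUserAC And 262144".
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x40000: "SMARTCARD_REQUIRED",
}
UF_ACCOUNTDISABLE = 0x0002
UF_SMARTCARD_REQUIRED = 0x40000

# LDAP_MATCHING_RULE_BIT_AND: lets the domain controller do the bit test so
# only matching accounts come back instead of every user being fetched.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def smartcard_required(uac_value):
    """Same test as the VBScript's `If intUserAC And 262144 Then`."""
    return bool(uac_value & UF_SMARTCARD_REQUIRED)


def smartcard_ldap_filter():
    """Server-side equivalent of the report: real user objects whose
    userAccountControl has the SMARTCARD_REQUIRED bit set.
    (objectClass=user) excludes contacts, which (objectCategory=person)
    alone also matches and which have no userAccountControl attribute."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={UF_SMARTCARD_REQUIRED}))")


def build_report(entries):
    """Classify each directory entry; returns (rows, skipped_paths).

    Entries without userAccountControl (e.g. contact objects) go into
    skipped_paths instead of raising, the kind of failure the ADSI Get()
    call reports as a property missing from the cache."""
    rows, skipped = [], []
    for entry in entries:
        uac = entry.get("userAccountControl")
        if uac is None:
            skipped.append(entry["adsPath"])
            continue
        rows.append({
            "full_name": entry["displayName"],
            "ads_path": entry["adsPath"],
            "smartcard_required": smartcard_required(uac),
            "disabled": bool(uac & UF_ACCOUNTDISABLE),
        })
    return rows, skipped


def to_csv(rows):
    """Same three columns as the thread's Users_With_SmartCard_Enabled.csv."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(["Full Name", "ADS Path", "SmartCard Required"])
    for r in rows:
        writer.writerow([r["full_name"], r["ads_path"],
                         "YES" if r["smartcard_required"] else "NO"])
    return buf.getvalue()


# Constructed sample records shaped like what the ADSI query returns; the
# example.test domain and the OU names are placeholders, not the asker's.
SAMPLE_ENTRIES = [
    {"displayName": "Alice Example",
     "adsPath": "LDAP://CN=Alice Example,OU=Users,OU=Dallas,DC=example,DC=test",
     "userAccountControl": 0x0200 | 0x40000},            # 262656: smart card required
    {"displayName": "Bob Example",
     "adsPath": "LDAP://CN=Bob Example,OU=Users,OU=Dallas,DC=example,DC=test",
     "userAccountControl": 0x0200},                      # 512: plain enabled user
    {"displayName": "Carol Example",
     "adsPath": "LDAP://CN=Carol Example,OU=Users,OU=Dallas,DC=example,DC=test",
     "userAccountControl": 0x0200 | 0x0002 | 0x40000},   # 262658: disabled, still flagged
    {"displayName": "Vendor Contact",
     "adsPath": "LDAP://CN=Vendor Contact,OU=Contacts,DC=example,DC=test"},  # contact: no UAC
]

if __name__ == "__main__":
    report_rows, skipped_paths = build_report(SAMPLE_ENTRIES)
    print(to_csv(report_rows))
    total = sum(r["smartcard_required"] for r in report_rows)
    print(f"{total} of {len(report_rows)} accounts require a smart card")
    print("skipped (no userAccountControl):", skipped_paths)
    print("server-side filter:", smartcard_ldap_filter())
```

Note that a disabled account keeps its smart-card bit, so the report counts it as "YES"; the separate "disabled" column lets you exclude such accounts if the report should only cover active users. The string returned by smartcard_ldap_filter() is the filter Rob commented out, plus the (objectClass=user) term, and can be dropped into the CommandText of the VBScript to have the domain controller return only the matching accounts.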