Function
Script action returning locked-out and disabled users. The resulting table is stored in the variable %UsersTable%.
Deployment
This script action will typically be used in a delegation project with multiple forms to obtain a list of locked-out and disabled users. The result is stored in a variable in table format, containing rows and columns. To show this table data in a form, you have to use the generic form table of the Variable type. This action requires the use of an initial project.
Properties
Property: Active Directory root
Description: If set to "Yes", a binding will be established to the root of the Active Directory for the currently logged on user or service.
Remarks: If set to "Yes", you need to set the LDAP path property to "No".

Property: LDAP path
Description: The full LDAP name of the organizational unit, container or domain that must be used for the search (e.g. LDAP://OU=Helpdesk,DC=t4edoc,DC=com).
Remarks: If you only want to obtain a list of user objects in a specific OU, then set the property Active Directory root to "No".

Property: Include all users
Description: Includes all user accounts in the search. When set to "Yes", the properties "Include locked out accounts" and "Include disabled accounts" are ignored.

Property: Include locked out accounts
Description: If set to "Yes", user accounts that are locked out are included.

Property: Include disabled accounts
Description: If set to "Yes", user accounts that are currently disabled are included.

Property: User table
Description: Output is stored in %UsersTable%.
For each returned user object in the table %UsersTable%, the following columns are included:
Column: Name
Description: User name.

Column: Description
Description: Description to display for an object.

Column: Locked out
Description: "Yes" or "No".

Column: Locked out period [hh:mm:ss]
Description: Specifies the length of time a user is locked out after exceeding the maximum number of invalid password attempts.

Column: Disabled
Description: "Yes" or "No".

Column: Password expired
Description: If "Yes", the password has expired. If "No", the password has not expired.

Column: Password expires
Description: The value is either Expired for those accounts for which Password expired is "Yes", or the number of days before the password will expire.

Column: SAM account name
Description: The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.

Column: Object distinguished name
Description: Same as the Distinguished Name for an object.

Column: User account control flags
Description: Flags that control the behaviour of the user account (e.g. user cannot change password, user is currently locked out, no password required, password never expires, user account is disabled, etc.). The values are given in decimals. If these are converted to hexadecimal values, you can verify which flags are set for the user. Some examples:
514 - Disabled users
512 - Default account type that represents a typical user
See the table under UserAccountControl flags for a full overview.

Column: User lockout time
Description: The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.

Column: Password last set time
Description: The date and time that the password for this account was last changed. The resulting value represents the number of 100 nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.
UserAccountControl flags
This attribute value can be zero or a combination of one or more of the following values:
Hexadecimal value - Description
0x00000001 - The logon script is executed.
0x00000002 - The user account is disabled.
0x00000008 - The home directory is required.
0x00000010 - The account is currently locked out.
0x00000020 - No password is required.
0x00000040 - The user cannot change the password.
0x00000080 - The user can send an encrypted password.
0x00000200 - This is a default account type that represents a typical user.
0x00000800 - This is a permit to trust account for a system domain that
0x00001000 - This is a computer account for a computer that is a member of this domain.
0x00002000 - This is a computer account for a system backup domain controller that is a member of this domain.
0x00010000 - The password for this account will never expire.
0x00020000 - This is an MNS logon account.
0x00040000 - The user must log on using a smart card.
0x00080000 - The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000 - The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 - Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 - This account does not require Kerberos pre-authentication for logon.
0x00800000 - The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000 - The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
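The columns "User account control flags", "User lockout time" and "Password last set time" are returned as raw integers, so a reviewer has to decode the bit mask against the flags table above and convert the 100-nanosecond FILETIME counters into dates. The following is an added example, not code from the script action or its vendor: it assumes %UsersTable% has been exported as a list of dictionaries keyed by the documented column names, uses the standard Windows ADS_UF_* constant names for the bits (the names are not part of the documented output), and the sample rows are constructed for illustration. It also goes one step beyond the text by listing the flags an auditor typically wants to review, since each one weakens authentication or widens delegation.

```python
"""Decode the numeric columns of %UsersTable% rows (added example, not vendor code)."""
from datetime import datetime, timedelta, timezone

# UserAccountControl bits from the flags table above, with the standard Windows
# ADS_UF_* constant names (naming is this example's choice, not the page's).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags worth a second look in a review: no password, non-expiring password,
# no Kerberos pre-authentication, DES-only keys, or delegation rights.
# (This selection is the example's own, not a setting of the script action.)
REVIEW_FLAGS = {
    "PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH",
    "USE_DES_KEY_ONLY", "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# FILETIME epoch: 100 ns intervals are counted from 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return the names of all bits set in a decimal UserAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def risky_flags(value):
    """Subset of decode_uac(value) that falls in REVIEW_FLAGS."""
    return [name for name in decode_uac(value) if name in REVIEW_FLAGS]


def filetime_to_datetime(filetime):
    """Convert a FILETIME counter to an aware UTC datetime; 0 means 'not set' and yields None."""
    filetime = int(filetime)
    if filetime == 0:
        return None
    # 100 ns intervals -> microseconds (integer division drops the sub-microsecond part).
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def review_users_table(rows):
    """Decode each %UsersTable% row into hex flags, flag names, timestamps and review findings."""
    results = []
    for row in rows:
        uac = int(row["User account control flags"])
        locked = filetime_to_datetime(row["User lockout time"])
        pwd_set = filetime_to_datetime(row["Password last set time"])
        results.append({
            "name": row["Name"],
            "hex": f"0x{uac:08X}",
            "flags": decode_uac(uac),
            "locked_out_since": locked.isoformat() if locked else None,
            "password_last_set": pwd_set.isoformat() if pwd_set else None,
            "findings": risky_flags(uac),
        })
    return results


# Constructed sample rows in the shape of %UsersTable% (not real directory data).
SAMPLE_USERS_TABLE = [
    {"Name": "jdoe", "User account control flags": "514",
     "User lockout time": "0", "Password last set time": "133497936000000000"},
    {"Name": "svc-backup", "User account control flags": "4260352",  # 0x410200
     "User lockout time": "133497936000000000", "Password last set time": "0"},
]

if __name__ == "__main__":
    for entry in review_users_table(SAMPLE_USERS_TABLE):
        print(entry["name"], entry["hex"], ", ".join(entry["flags"]),
              "locked since:", entry["locked_out_since"],
              "review:", ", ".join(entry["findings"]) or "-")
```

Running the block prints one line per sample user; the 514 from the text decodes to ACCOUNTDISABLE plus NORMAL_ACCOUNT, and the non-zero lockout counter converts to a UTC timestamp that can be compared with the "Locked out period" column to see whether the lockout has already elapsed.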
If you want to use the content of the variable %UsersTable% in a generic table, you need to set up a generic table of the Variable type. In the setup procedure, you can select the column template User info, which includes the above-mentioned columns.