Hack 28 Get User Account Information


Need to find information about user accounts on a machine? Use this handy script to do it fast.

This script lets you quickly query a Windows 2000 (or later) machine to determine what user accounts are present, whether local accounts in the SAM database or domain accounts in Active Directory. It will output a list of accounts, giving the following information for each account:

  • Username of user

  • Full name of user

  • Account lockout status

  • Whether the user is allowed to change the password

  • Whether the account is nonexpiring or not

The Code

To use the script, simply type it into Notepad (with Word Wrap turned off) and save it with a .vbs extension as GetAccountInfo.vbs:

' Computer to query; "localhost" targets the machine running the script
ComputerName = "localhost"

' WMI moniker for the target computer
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//" & ComputerName & ""

' Retrieve every Win32_UserAccount instance from the target
Set UserSet = GetObject(winmgmt1).InstancesOf("Win32_UserAccount")

' Print the selected properties of each account
For Each User In UserSet
    WScript.Echo "==============================================="
    WScript.Echo "Information for " & User.Name
    WScript.Echo "The full username for the specified computer is: " & _
        User.FullName
    WScript.Echo "Account Locked? " & User.Lockout
    WScript.Echo "Password can be changed?: " & User.PasswordChangeable
    WScript.Echo "Password is expirable: " & User.PasswordExpires
    WScript.Echo "==============================================="
Next

Running the Hack

Here's some typical output when the script is run locally on a Windows 2000 domain controller. To avoid the series of dialog boxes that would appear if you ran the script using Wscript.exe, use Cscript.exe to run it from the command line instead:

C:\>cscript.exe C:\MyScripts\GetAccountInfo.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

===============================================
Information for Administrator
The full username for the specified computer is:
Account Locked? False
Password can be changed?: True
Password is expirable: False
===============================================
===============================================
Information for Guest
The full username for the specified computer is:
Account Locked? False
Password can be changed?: False
Password is expirable: False
===============================================
===============================================
Information for jsmith
The full username for the specified computer is: Jane Smith
Account Locked? False
Password can be changed?: True
Password is expirable: False
===============================================
===============================================
Information for bsmith
The full username for the specified computer is: Bob Smith
Account Locked? False
Password can be changed?: True
Password is expirable: True
===============================================

The output continues for the remaining accounts on the system.

Hacking the Hack

You can easily modify the script to get user information from a remote computer instead of from the local computer on which the script is running. This is useful when you want to run the script from an administrator workstation instead of interactively on a domain controller.

Simply change this line:

ComputerName = "localhost"

to this:

ComputerName = InputBox("Enter the name of the computer you wish to query")

The script will prompt you with a dialog box (see Figure 3-3) for the name of the remote computer whose accounts you want to query. You can specify the NetBIOS name, DNS name, or IP address of the remote machine, as long as your currently logged-on account has administrative privileges on the remote machine.

Figure 3-3. Querying user account information on a remote computer

-Rod Trent
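Going one step beyond the hack, here is an added example (not part of the original script or the book's code) that turns the listing into a quick account audit: it takes the target from the command line, reports a failed connection cleanly, and prints only accounts with a security-relevant flag set. The file name AuditAccounts.vbs and the flag labels are assumptions; Disabled, PasswordRequired and LocalAccount are Win32_UserAccount properties the original script does not use.

```vbscript
' AuditAccounts.vbs (hypothetical name) - added example, not the book's script.
' Usage: cscript //nologo AuditAccounts.vbs [computer]
Option Explicit
Dim ComputerName, Service, UserSet, User, Flags

' Take the target from the command line; default to the local machine.
If WScript.Arguments.Count > 0 Then
    ComputerName = Trim(WScript.Arguments(0))
Else
    ComputerName = "."
End If
If ComputerName = "" Then
    WScript.Echo "No computer name given."
    WScript.Quit 1
End If

' Connect explicitly so a failure (bad name, access denied, RPC blocked)
' produces one clear message instead of an unhandled runtime error.
On Error Resume Next
Set Service = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    ComputerName & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "Cannot connect to " & ComputerName & " (0x" & _
        Hex(Err.Number) & ") " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' LocalAccount = True keeps the query to the machine's own accounts;
' without it, a domain member also enumerates every domain account.
Set UserSet = Service.ExecQuery( _
    "SELECT Name, Disabled, Lockout, PasswordExpires, PasswordRequired " & _
    "FROM Win32_UserAccount WHERE LocalAccount = True")

For Each User In UserSet
    Flags = ""
    ' Weak password settings only matter on accounts that can log on.
    If Not User.Disabled Then
        If Not User.PasswordExpires Then Flags = Flags & " password-never-expires"
        If Not User.PasswordRequired Then Flags = Flags & " password-not-required"
    End If
    If User.Lockout Then Flags = Flags & " locked-out"
    If Flags <> "" Then WScript.Echo User.Name & ":" & Flags
Next
```

Drop the WHERE clause to cover the same set of accounts the original script enumerates.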