
Luke Powers Active Directory Lockout Check

<!-- Written by Luke Powers, luke@lpsystems.net -->

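<?php
// Looks up a domain username on each configured AD server and reports whether
// the account is currently locked out (UF_LOCKOUT bit set in
// msDS-User-Account-Control-Computed), plus the time the lockout was recorded.
//
// The caching headers have to be sent before any output: once the <html> tag
// has been echoed PHP emits a "headers already sent" warning and drops them.
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");

/**
 * Convert a Windows FILETIME value (100-nanosecond intervals since
 * 1601-01-01 UTC, as returned in AD's lockoutTime) to a Unix timestamp.
 *
 * @param string|int $filetime raw attribute value as returned by ldap_get_entries()
 * @return int seconds since 1970-01-01 UTC (may be negative for pre-1970 values)
 */
function filetimeToUnix($filetime)
{
	// 11644473600 s separate the FILETIME epoch (1601) from the Unix epoch (1970).
	// intdiv keeps the arithmetic in integers; the value fits comfortably in 64 bits.
	return intdiv((int)$filetime, 10000000) - 11644473600;
}
?>
<html><head><title>AD Lock Check</title></head><body>
<h1>AD Lockout Status</h1>
<?php
if (isset($_POST['username'])) {
	// Only alphanumeric characters are allowed in the lookup name; everything else
	// is stripped before the value reaches an LDAP filter or is echoed back.
	$account = preg_replace("/[^a-zA-Z0-9]+/", "", trim($_POST["username"]));
	$lockedout = 0;

	// Service credentials used for the read-only lookup.
	// NOTE(review): placeholder values; in a deployment load them from a config
	// file outside the web root rather than keeping them in the page source.
	$adservers = array('adserver1.domain.local','adserver2.domain.local');
	$ldaprdn = 'domain' . "\\" . 'username'; // ldap rdn or dn
	$ldappass = 'password';  // associated password
	$searchdomain = "dc=domain,dc=local";

	// msDS-User-Account-Control-Computed is a bit mask. 0x10 (UF_LOCKOUT) marks a
	// locked account and can be combined with other flags (e.g. password expired),
	// so it must be tested bitwise rather than compared to the literal "16".
	$UF_LOCKOUT = 16;

	// $account is already restricted to [a-zA-Z0-9]; escaping it again costs
	// nothing and keeps the filter safe if that whitelist is ever relaxed.
	$filteraccount = ldap_escape($account, "", LDAP_ESCAPE_FILTER);

	foreach ($adservers as $adserver) {
		// ldap_connect() only prepares the handle; the connection is made on bind.
		// Report a failure and move on to the next server instead of die()-ing,
		// which would leave the HTML document unterminated.
		$ldapconn = ldap_connect($adserver);
		if (!$ldapconn) {
			echo "<span style=\"color:red;\">Failed to connect to $adserver</span><br>";
			continue;
		}

		ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
		ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
		// NOTE(review): a plain ldap:// simple bind sends the service password in
		// clear text; use an ldaps:// URI or ldap_start_tls($ldapconn) where the
		// domain controllers support it.

		// binding to ldap server
		$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
		if (!$ldapbind) {
			echo "LDAP bind failed... Something went horribly wrong. Contact admin@domain.local for assistance.";
			ldap_unbind($ldapconn);
			continue;
		}

		// Verify the user exists on this server
		$ver_ldapfilter = "(&(objectClass=user)(sAMAccountName=" . $filteraccount . "))";
		$ver_attributes = array('samaccountname');
		$ver_searchresult = ldap_search($ldapconn, $searchdomain, $ver_ldapfilter, $ver_attributes);
		// ldap_search()/ldap_get_entries() return false on error; guard so a
		// failed search is reported rather than indexed as an array.
		$ver_info = ($ver_searchresult !== false) ? ldap_get_entries($ldapconn, $ver_searchresult) : false;

		if ($ver_info === false) {
			echo "<span style=\"color:red;\">LDAP search failed on $adserver</span><br>";
		} elseif ($ver_info["count"] >= 1) {
			// User exists: fetch only entries that have ever had a lockoutTime set
			$ldapfilter = "(&(objectClass=user)(sAMAccountName=" . $filteraccount . ")(lockoutTime>=1))";
			$attributes = array('lockouttime', 'samaccountname', 'msds-user-account-control-computed', 'givenname');
			$searchresult = ldap_search($ldapconn, $searchdomain, $ldapfilter, $attributes);
			$info = ($searchresult !== false) ? ldap_get_entries($ldapconn, $searchresult) : false;

			if ($info !== false && $info["count"] >= 1) {
				// Loop through the matching entries
				for ($i = 0; $i < $info["count"]; $i++) {
					$accname = isset($info[$i]["samaccountname"][0]) ? $info[$i]["samaccountname"][0] : "";
					// Attribute may be absent if the server did not compute it; treat as "no flags".
					$acclocked = isset($info[$i]["msds-user-account-control-computed"][0])
						? (int)$info[$i]["msds-user-account-control-computed"][0]
						: 0;

					// A stale lockoutTime remains after the observation window expires;
					// only the UF_LOCKOUT bit says the account is locked right now.
					if ($accname != "" && ($acclocked & $UF_LOCKOUT) !== 0) {
						$lockedout = 1;
						// $accname comes from the directory, so escape it for HTML output
						echo "account " . htmlspecialchars($accname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . " was locked out at ";
						$ctime = filetimeToUnix($info[$i]["lockouttime"][0]);
						$date = date("h:i:sa T m-d-Y", $ctime);
						echo "$date on AD server $adserver.<br />";
					} else {
						echo "$account is not locked out on AD server $adserver<br>";
					}
				}
			} else {
				echo "$account is not locked out on AD server $adserver<br>";
			}
		} else {
			// NOTE(review): a distinct "not found" message lets an unauthenticated
			// visitor tell valid usernames from invalid ones; a uniform response
			// avoids that if the page is reachable beyond the internal network.
			echo "<span style=\"color:red;\">User $account was not found on $adserver</span><br>";
		}

		// Release the connection handle for this server (ldap_unbind takes the
		// connection, not the boolean result of ldap_bind)
		ldap_unbind($ldapconn);
	}

	if ($lockedout == 1) {
		echo "<br> Please contact admin@domain.local to unlock your account.<br>";
	} else {
		echo "<br>";
	}
	echo "<FORM><INPUT TYPE=\"button\" onClick=\"history.back()\" VALUE=\"Search again\"></FORM>";

} else {
?>
    <form action="#" method="POST">
        <label for="username">Username: </label><input id="username" type="text" name="username" placeholder="Domain Username" /> 
        <input type="submit" name="submit" value="Submit" />
    </form>
    <h5>Note: Only alphanumeric text is accepted.</h5>
<?php } ?>    

</body>
</html>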
