UserDump v1.11
thor@hammerofgod.com

The purpose of this app is to illustrate inconsistencies in the MS implementation 
of the RestrictAnonymous registry setting: with RestrictAnonymous set, a null 
session can no longer enumerate accounts (NetUserEnum and friends are refused), 
but the LSA name/SID translation calls still answer.  Since the domain SID is 
the same for every account and only the last sub-authority (the RID) changes, 
one known account is enough to walk the RIDs and recover the rest.

Usage:
Userdump \\servername Knownaccount MaxQueries

Where:
\\servername is the domain controller, or member server.

Knownaccount is any known user, group, or machine account.  
Guest, Guests, and Domain Users always exist and are good ones to use.  
I just use guest.  I could have hard-coded this value, but I have found it 
useful to be able to specify it when you query a member server that 
is part of a domain, because guest is then proxied out to the DC.  In these cases, 
you might want to use the MACHINE$ account to verify that you are dumping SIDs for 
the member server's own (local) domain, and not the DC's.

MaxQueries is the max number of users to check for.  If omitted, only RIDs 500 and 1001 
are checked.  See below.

Basically, this guy uses 3 API calls: LookupAccountName and LookupAccountSid 
(advapi32.lib) and NetUserGetInfo (netapi32.lib).  
The Knownaccount value is used to look up the domain SID (and all 
sub-authorities) via LookupAccountName.  This SID is broken out into 
sub-authorities and stored in an array.  The last sub-authority, the RID, 
which identifies the account within the domain, is then forcibly replaced 
with 500 (the RID of the built-in Administrator account, whatever it has been 
renamed to).  The newly constructed SID is then looked up via 
LookupAccountSid to return the actual username, which is the required 
argument for NetUserGetInfo, which dumps all kinds of info out.

If you leave MaxQueries blank, UserDump assumes RIDs 500 and 1001.
That is, we look up the known account once, break out the SID, construct RID 
500, dump the info, construct RID 1001, and dump that user's info.  
Any other value in MaxQueries will loop through, starting with 1001 and going 
up to 1001+MaxQueries. 
i.e. userdump \\server guest 1000 will do the following:

Lookup domain sid
Lookup user 500 (Note that userdump ALWAYS does this first)
Dump 500s info
Lookup 1001->dump info
Lookup 1002->dump info
Lookup 1003->dump info
...
Lookup 1999->dump info

In this manner, you can dump every user in the domain if you specify 
a big enough value for MaxQueries.  RIDs that are not allocated simply fail the 
LookupAccountSid call and are skipped.  If you do this, just redirect the output 
to a file and view it at your leisure.


The flags that UserDump checks in the returned UserInfo flags field are:
Account Lockout.
Account Disabled.
User cannot change password.
Password never expires.
Smartcard required for interactive logon (Win2k).
Account is trusted for delegation (Win2k).
Account is sensitive and cannot be delegated (Win2k).
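
The RID walk and the flag decoding described above, as an added example that is 
not UserDump's own source.  The three Windows calls (LookupAccountName, 
LookupAccountSid, NetUserGetInfo) only exist on Windows, so here the SID is 
handled in its S-1-5-21-... string form and the directory those calls would 
consult is a constructed sample table (the names, RIDs and domain SID in it are 
made up).  The UF_* bit values are the documented ones from lmaccess.h.  
MaxQueries is read here as "this many RIDs starting at 1001"; 0 means just 500 
and 1001, as in the README.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* usri*_flags bits as documented in lmaccess.h */
#define UF_ACCOUNTDISABLE         0x0002UL
#define UF_LOCKOUT                0x0010UL
#define UF_PASSWD_CANT_CHANGE     0x0040UL
#define UF_DONT_EXPIRE_PASSWD     0x10000UL
#define UF_SMARTCARD_REQUIRED     0x40000UL
#define UF_TRUSTED_FOR_DELEGATION 0x80000UL
#define UF_NOT_DELEGATED          0x100000UL

#define MAX_SUBAUTH 15

typedef struct {
    unsigned long authority;        /* identifier authority: 5 for NT */
    unsigned long sub[MAX_SUBAUTH]; /* sub-authorities; the last one is the RID */
    int count;
} sid_t;

/* Parse "S-1-5-21-a-b-c-RID" into its parts. Returns 1 on success, 0 if malformed. */
int parse_sid(const char *s, sid_t *out)
{
    char *end;
    memset(out, 0, sizeof *out);
    if (strncmp(s, "S-1-", 4) != 0) return 0;
    out->authority = strtoul(s + 4, &end, 10);
    if (end == s + 4) return 0;
    while (*end == '-' && out->count < MAX_SUBAUTH) {
        const char *p = end + 1;
        if (*p < '0' || *p > '9') return 0;   /* reject "--", signs, spaces */
        out->sub[out->count++] = strtoul(p, &end, 10);
    }
    return *end == '\0' && out->count >= 1;
}

void format_sid(const sid_t *sid, char *buf, size_t n)
{
    int i, len = snprintf(buf, n, "S-1-%lu", sid->authority);
    for (i = 0; i < sid->count && len >= 0 && (size_t)len < n; i++)
        len += snprintf(buf + len, n - len, "-%lu", sid->sub[i]);
}

/* The UserDump trick: keep the domain part, overwrite the RID, re-stringify.
 * Returns a static buffer (overwritten on the next call), NULL on bad input. */
const char *rid_string(const char *known_sid, unsigned long rid)
{
    static char buf[128];
    sid_t sid;
    if (!parse_sid(known_sid, &sid)) return NULL;
    sid.sub[sid.count - 1] = rid;
    format_sid(&sid, buf, sizeof buf);
    return buf;
}

/* Constructed stand-in for what LookupAccountSid + NetUserGetInfo would return. */
struct sample_user { unsigned long rid; const char *name; unsigned long flags; };
static const struct sample_user SAMPLE_DIR[] = {
    {  500, "Administrator", UF_DONT_EXPIRE_PASSWD },
    {  501, "Guest",         UF_ACCOUNTDISABLE | UF_PASSWD_CANT_CHANGE | UF_DONT_EXPIRE_PASSWD },
    { 1001, "svc_backup",    UF_TRUSTED_FOR_DELEGATION | UF_DONT_EXPIRE_PASSWD },
    { 1003, "jsmith",        UF_LOCKOUT },
};

static const struct sample_user *sample_lookup(unsigned long rid)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0]; i++)
        if (SAMPLE_DIR[i].rid == rid) return &SAMPLE_DIR[i];
    return NULL;
}

/* Decode the flag bits UserDump reports. Static buffer; "" when none are set. */
const char *describe_flags(unsigned long flags)
{
    static const struct { unsigned long bit; const char *text; } tab[] = {
        { UF_LOCKOUT,                "Account Lockout" },
        { UF_ACCOUNTDISABLE,         "Account Disabled" },
        { UF_PASSWD_CANT_CHANGE,     "User cannot change password" },
        { UF_DONT_EXPIRE_PASSWD,     "Password never expires" },
        { UF_SMARTCARD_REQUIRED,     "Smartcard required for interactive logon" },
        { UF_TRUSTED_FOR_DELEGATION, "Account is trusted for delegation" },
        { UF_NOT_DELEGATED,          "Account is sensitive and cannot be delegated" },
    };
    static char buf[256];
    size_t i, len = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (flags & tab[i].bit)
            len += snprintf(buf + len, sizeof buf - len, "%s%s", len ? "; " : "", tab[i].text);
    return buf;
}

/* Walk RIDs the way UserDump does: 500 first, then 1001 upward for max_queries
 * steps (0 means just 500 and 1001). Returns the number of accounts resolved. */
int walk_rids(const char *known_sid, int max_queries)
{
    sid_t probe;
    int i, found = 0, steps = max_queries > 0 ? max_queries : 1;
    if (!parse_sid(known_sid, &probe)) return -1;
    for (i = -1; i < steps; i++) {
        unsigned long rid = i < 0 ? 500UL : 1001UL + (unsigned long)i;
        const struct sample_user *u = sample_lookup(rid);
        const char *text = rid_string(known_sid, rid);
        if (!u) continue;   /* LookupAccountSid would fail: RID not allocated */
        printf("%s  %-14s %s\n", text, u->name, describe_flags(u->flags));
        found++;
    }
    return found;
}

int main(void)
{
    /* Constructed domain SID; Guest is RID 501 in every NT domain. */
    return walk_rids("S-1-5-21-1004336348-1177238915-682003330-501", 5) < 0;
}
```

Run as written it walks 500 and 1001..1005 against the sample table and prints 
three hits.  On a real target the sample_lookup step is where LookupAccountSid 
and NetUserGetInfo go, and an unallocated RID shows up as a failed lookup 
rather than a NULL entry.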

All dates, as well as logon hours, are as stored on the controller, in GMT.

Go nuts!
