filter to show disabled accounts

Discussion in 'Microsoft Windows 2000 Active Directory' started by rbrandon@fmcg.com, Nov 5, 2003.

  1. Guest

    Is it possible to set a filter, use the find command, or
    run an LDAP query, to output only the user accounts that
    are disabled?

    Thanks in advance,
    Rob
     
    , Nov 5, 2003
    #1

  2. There is a sample script that does this at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/ScrUG108.asp

    --
    Tim Hines, MCSE, MCSA
    Windows 2000 Directory Services

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "" <> wrote in message
    news:035901c3a3ef$141d1f70$...
    > Is it possible to set a filter, use the find command, or
    > run an LDAP query, to output only the user accounts that
    > are disabled?
    >
    > Thanks in advance,
    > Rob
     
    Tim Hines [MSFT], Nov 5, 2003
    #2

  3. Jeremy Guest

    You can also use csvde to export the userAccountControl values to a CSV and
    then join those values in Access or SQL with a reference table.

    Example Export:
    Csvde -f C:\mbx_publicDelegates.csv -s dc1.domain.com -b user domain P@$$word -u -d "DC=domain,DC=com" -r "(&(objectClass=User)(ObjectCategory=Person))" -l "cn, distinguishedName, sAMAccountName, userAccountControl, userPrincipalName, uSNChanged, whenChanged, whenCreated"

    You can leave out the -u if you do not want Unicode, leave out the -b if you
    are on a domain member machine, leave off the " " on the -l (attributes) if
    you do not use spaces after the attribute names.

    Reference Table: First line is the header row.

    UserAccountControl_Num,Account_Status
    512,Account: Enabled
    514,Account: ACCOUNTDISABLE
    528,Account: Enabled - LOCKOUT
    530,Account: ACCOUNTDISABLE - LOCKOUT
    544,Account: Enabled - PASSWD_NOTREQD
    546,Account: ACCOUNTDISABLE - PASSWD_NOTREQD
    560,Account: Enabled - PASSWD_NOTREQD - LOCKOUT
    640,Account: Enabled - ENCRYPTED_TEXT_PWD_ALLOWED
    2048,Account: INTERDOMAIN_TRUST_ACCOUNT
    2080,Account: INTERDOMAIN_TRUST_ACCOUNT - PASSWD_NOTREQD
    4096,Account: WORKSTATION_TRUST_ACCOUNT
    8192,Account: SERVER_TRUST_ACCOUNT
    66048,Account: Enabled - DONT_EXPIRE_PASSWORD
    66050,Account: ACCOUNTDISABLE - DONT_EXPIRE_PASSWORD
    66064,Account: Enabled - DONT_EXPIRE_PASSWORD - LOCKOUT
    66066,Account: ACCOUNTDISABLE - DONT_EXPIRE_PASSWORD - LOCKOUT
    66080,Account: Enabled - DONT_EXPIRE_PASSWORD - PASSWD_NOTREQD
    66082,Account: ACCOUNTDISABLE - DONT_EXPIRE_PASSWORD - PASSWD_NOTREQD
    66176,Account: Enabled - DONT_EXPIRE_PASSWORD - ENCRYPTED_TEXT_PWD_ALLOWED
    131584,Account: Enabled - MNS_LOGON_ACCOUNT
    131586,Account: ACCOUNTDISABLE - MNS_LOGON_ACCOUNT
    131600,Account: Enabled - MNS_LOGON_ACCOUNT - LOCKOUT
    197120,Account: Enabled - MNS_LOGON_ACCOUNT - DONT_EXPIRE_PASSWORD
    532480,Account: SERVER_TRUST_ACCOUNT - TRUSTED_FOR_DELEGATION (Domain Controller)
    1049088,Account: Enabled - NOT_DELEGATED
    1049090,Account: ACCOUNTDISABLE - NOT_DELEGATED
    2097664,Account: Enabled - USE_DES_KEY_ONLY
    2687488,Account: Enabled - DONT_EXPIRE_PASSWORD - TRUSTED_FOR_DELEGATION - USE_DES_KEY_ONLY
    4194816,Account: Enabled - DONT_REQ_PREAUTH


    Jeremy



    "Tim Hines [MSFT]" <> wrote in message
    news:uInPqE$...
    > There is a sample script that does this at
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/ScrUG108.asp
    >
    > --
    > Tim Hines, MCSE, MCSA
    > Windows 2000 Directory Services
    >
    > =====================================================
    > When responding to posts, please "Reply to Group" via
    > your newsreader so that others may learn and benefit
    > from your issue.
    > =====================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    > "" <> wrote in message
    > news:035901c3a3ef$141d1f70$...
    > > Is it possible to set a filter, use the find command, or
    > > run an LDAP query, to output only the user accounts that
    > > are disabled?
    > >
    > > Thanks in advance,
    > > Rob
     
    Jeremy, Nov 6, 2003
    #3
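
Every value in the reference table in post #3 is a sum of individual userAccountControl bits (514 = 512 + 2), so a disabled account can be found by testing the ACCOUNTDISABLE bit rather than matching whole numbers, which also catches combinations the table does not list. The following is an added example, not part of the original thread; the function names and the CSV rows are constructed for illustration, and the columns follow the csvde export shown above.

```python
import csv
import io

# userAccountControl bit values, named as in the reference table in post #3
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def disabled_accounts(csv_text):
    """Return (sAMAccountName, flags) for rows with the ACCOUNTDISABLE bit set."""
    # Server-side equivalent, usable as the csvde -r filter:
    #   (userAccountControl:1.2.840.113556.1.4.803:=2)
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("userAccountControl") or "").strip()
        if not raw.isdigit():          # attribute missing or empty in the export
            continue
        uac = int(raw)
        if uac & 0x0002:
            found.append((row["sAMAccountName"], decode_uac(uac)))
    return found

# Constructed sample rows; 590338 is a combination absent from the table
SAMPLE = """DN,sAMAccountName,userAccountControl
"CN=Alice,OU=Staff,DC=domain,DC=com",alice,512
"CN=Bob,OU=Staff,DC=domain,DC=com",bob,514
"CN=Carol,OU=Staff,DC=domain,DC=com",carol,66050
"CN=Dave,OU=Staff,DC=domain,DC=com",dave,590338
"CN=Erin,OU=Staff,DC=domain,DC=com",erin,
"""

if __name__ == "__main__":
    print(disabled_accounts(SAMPLE))
```

A plain join against the table would drop the dave row, because 590338 has no matching entry even though its ACCOUNTDISABLE bit is set.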