filter to show disabled accounts

R

rbrandon

Is it possible to set a filter, use the find command, or
run an LDAP query, to output only the user accounts that
are disabled?

Thanks in advance,
Rob
 
T

Tim Hines [MSFT]

There is a sample script that does this at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/ScrUG108.asp

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
J

Jeremy

You can also use csvde to export the useraccountcontrol values to a csv and
then join those values in access or SQL with a reference table.

Example Export:
Csvde -f C:\mbx_publicDelegates.csv -s dc1.domain.com -b user domain
P@$$word -u -d "DC=domain,DC=com" -r
"(&(objectClass=User)(ObjectCategory=Person))" -l "cn, distinguishedName,
sAMAccountName, userAccountControl, userPrincipalName, uSNChanged,
whenChanged, whenCreated"''

You can leave out the -u if you do not want Unicode, leave out the -b if you
are on a domain member machine, leave off the " " on the -l (attributes) if
you do not use spaces after the attribute names.

Reference Table: First line is the header row.

UserAccountControl_Num,Account_Status
512,Account: Enabled
514,Account: ACCOUNTDISABLE
528,Account: Enabled - LOCKOUT
530,Account: ACCOUNTDISABLE - LOCKOUT
544,Account: Enabled - PASSWD_NOTREQD
546,Account: ACCOUNTDISABLE - PASSWD_NOTREQD
560,Account: Enabled - PASSWD_NOTREQD - LOCKOUT
640,Account: Enabled - ENCRYPTED_TEXT_PWD_ALLOWED
2048,Account: INTERDOMAIN_TRUST_ACCOUNT
2080,Account: INTERDOMAIN_TRUST_ACCOUNT - PASSWD_NOTREQD
4096,Account: WORKSTATION_TRUST_ACCOUNT
8192,Account: SERVER_TRUST_ACCOUNT
66048,Account: Enabled - DONT_EXPIRE_PASSWORD
66050,Account: ACCOUNTDISABLE - DONT_EXPIRE_PASSWORD
66064,Account: Enabled - DONT_EXPIRE_PASSWORD - LOCKOUT
66066,Account: ACCOUNTDISABLE - DONT_EXPIRE_PASSWORD - LOCKOUT
66080,Account: Enabled - DONT_EXPIRE_PASSWORD - PASSWD_NOTREQD
66082,Account: ACCOUNTDISABLE - DONT_EXPIRE_PASSWORD - PASSWD_NOTREQD
66176,Account: Enabled - DONT_EXPIRE_PASSWORD - ENCRYPTED_TEXT_PWD_ALLOWED
131584,Account: Enabled - MNS_LOGON_ACCOUNT
131586,Account: ACCOUNTDISABLE - MNS_LOGON_ACCOUNT
131600,Account: Enabled - MNS_LOGON_ACCOUNT - LOCKOUT
197120,Account: Enabled - MNS_LOGON_ACCOUNT - DONT_EXPIRE_PASSWORD
532480,Account: SERVER_TRUST_ACCOUNT - TRUSTED_FOR_DELEGATION (Domain
Controller)
1049088,Account: Enabled - NOT_DELEGATED
1049090,Account: ACCOUNTDISABLE - NOT_DELEGATED
2097664,Account: Enabled - USE_DES_KEY_ONLY
2687488,Account: Enabled - DONT_EXPIRE_PASSWORD - TRUSTED_FOR_DELEGATION -
USE_DES_KEY_ONLY
4194816,Account: Enabled - DONT_REQ_PREAUTH


Jeremy
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Display accounts wich belong to one group 8
LDAP Query to filter disabled account 0
LDAP Filters 11
UserAccountControl Attribute 9
Filtering User Objects - How To 1
AD cleanup 3
Find all disabled users 2
Windows 7 Active Directory question 3

Top