how to extract names of Disabled User Accounts

B

BwiseIT

what object keeps track whether a User Account is Disabled/Enabled in Active
Directory? How would i extract this information from active directory?

Thanks, Bob
 
R

Richard Mueller

Bob said:
what object keeps track whether a User Account is Disabled/Enabled in
Active Directory? How would i extract this information from active
directory?

Thanks, Bob
Click to expand...

Hi,

The userAccountControl attribute of the user object indicates whether the
account is disabled (among other things). A query for all disabled user
accounts would be (watch line wrapping):

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))



The unusual syntax is to test one bit of userAccountControl, the bit that
indicates if the account is disabled. In ADUC on the View pulldown you can
select "Filter Options...", click on "Create custom filter", click the
"Customize..." button, then on the Advanced tab enter the LDAP query above.
After this, ADUC will only show disabled users.



You can also run a script that uses ADO to query for all disabled users and
return their names. For info on this, see this link:



http://www.rlmueller.net/ADOSearchTips.htm



For example, a VBScript program to display the NT names ("pre-Windows 2000
logon names") of all disabled user objects would be:



Option Explicit

Dim objCommand, objConnection, strBase, strFilter, strAttributes

Dim strQuery, objRecordset, strName



Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection



'Search entire domain.
strBase = "<LDAP://dc=MyDomain,dc=com>"


' Filter on disabled user objects.
strFilter = "(&(objectCategory=person)(objectClass=user)" _

& "(userAccountControl:1.2.840.113556.1.4.803:=2))"



' Retrieve NT Name of user accounts, the sAMAccountName attribute.
strAttributes = "sAMAccountName"



' Construct the query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False



' Run the ADO query.
Set objRecordSet = objCommand.Execute


' Enumerate the resulting recordset.
Do Until objRecordSet.EOF
strName = objRecordSet.Fields("sAMAccountName").Value

Wscript.Echo "Disabled account: " & strName
objRecordSet.MoveNext
Loop



objConnection.Close
 
B

BwiseIT

Thank you very much, this is exactly what i am looking for, it is also a
great start to other queries i would like to use.

Thanks for taking the time to post, i look forward to looking over your
website and learning more about active directory scripting.
Bob
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Active Directory Error Codes 1
Utility for extracting an OU from active directory 2
How can I report all inactive user accounts in Windows 2000 AD 10
ADUC offline and user accounts disabled 1
Anonymous Enumeration: a serious threat to Active Directory 12
Mass attribute change within AD user accounts 2
Deleted Accounts(E-mail Exchange) HELP!!! 5
Filtering User Objects - How To 1

Top