6.13. Finding Disabled Users

Problem

You want to find disabled users in a domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, connect to the domain you want to query.

  3. Right-click on the domain and select Find.

  4. Beside Find, select Common Queries.

  5. Check the box beside “disabled accounts.”

  6. Click the Find Now button.

Using a command-line interface

> dsquery user <DomainDN> -disabled

Using VBScript

' This code finds all disabled user accounts in a domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>"    ' e.g. dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Build an ADO query in "<base>;filter;attributes;scope" form.
' The matching rule OID 1.2.840.113556.1.4.803 performs a bitwise AND of
' userAccountControl against 2, the ACCOUNTDISABLE bit.
strBase   = "<LDAP://" & strDomainDN & ">;"
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
            "(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs  = "name;"
strScope  = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

' MoveFirst raises an error on an empty recordset, so check EOF first.
if objRS.EOF then
    Wscript.Echo "No disabled user accounts found."
else
    objRS.MoveFirst
    while Not objRS.EOF
        Wscript.Echo objRS.Fields(0).Value
        objRS.MoveNext
    wend
end if

Discussion

Users in Active Directory can either be enabled or disabled. A disabled user cannot log in to the domain. Unlike account lockout, which is an automatic process that is based on the number of times a user incorrectly enters a password, an account has to be manually enabled or disabled.

All disabled user accounts have the bit that represents 2 (0010) set in their userAccountControl ...
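The bit-AND matching rule evaluated offline, as an added Python example rather than code from the cookbook: the flag constants are the standard userAccountControl values, the directory entries are constructed, and the objectcategory=person test is approximated by a prefix match on the schema DN.

```python
# Well-known userAccountControl flag values (standard AD constants).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def bit_and_matches(uac: int, mask: int) -> bool:
    """Semantics of the :1.2.840.113556.1.4.803:= rule: every bit of mask is set."""
    return uac & mask == mask

def build_disabled_filter(mask: int = ACCOUNTDISABLE) -> str:
    """Return the recipe's LDAP filter for the given bitmask (2 = ACCOUNTDISABLE)."""
    return ("(&(objectclass=user)(objectcategory=person)"
            f"(useraccountcontrol:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))")

def find_disabled_users(entries):
    """Evaluate the recipe's filter offline against dict-shaped entries.
    Computer objects also carry objectClass=user (computer derives from user),
    so the objectcategory=person clause is what keeps a disabled workstation
    out of the result set. The prefix check stands in for AD's category lookup."""
    return [
        e["name"] for e in entries
        if "user" in e["objectClass"]
        and e["objectCategory"].lower().startswith("cn=person,")
        and bit_and_matches(e["userAccountControl"], ACCOUNTDISABLE)
    ]

# Constructed sample entries (not real directory data).
PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=rallencorp,DC=com"
COMPUTER = "CN=Computer,CN=Schema,CN=Configuration,DC=rallencorp,DC=com"
SAMPLE_ENTRIES = [
    {"name": "jsmith", "objectClass": ["top", "person", "user"],
     "objectCategory": PERSON, "userAccountControl": NORMAL_ACCOUNT},
    {"name": "contractor1", "objectClass": ["top", "person", "user"],
     "objectCategory": PERSON, "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"name": "svc-backup", "objectClass": ["top", "person", "user"],
     "objectCategory": PERSON,
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},
    {"name": "FILESRV01$", "objectClass": ["top", "person", "user", "computer"],
     "objectCategory": COMPUTER,
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE},
]

if __name__ == "__main__":
    print(build_disabled_filter())
    print(find_disabled_users(SAMPLE_ENTRIES))  # ['contractor1', 'svc-backup']
```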
