6.13. Finding Disabled Users
Problem
You want to find disabled users in a domain.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
In the left pane, connect to the domain you want to query.
Right-click on the domain and select Find.
Beside Find, select Common Queries.
Check the box beside “disabled accounts.”
Click the Find Now button.
Using a command-line interface
> dsquery user <DomainDN> -disabled
Using VBScript
' This code finds all disabled user accounts in a domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>" ' e.g. dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
strBase = "<LDAP://" & strDomainDN & ">;"
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
"(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs = "name;"
strScope = "subtree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
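' MoveFirst raises an error on an empty result set, so check for records first.
if Not (objRS.BOF and objRS.EOF) then
   objRS.MoveFirst
   while Not objRS.EOF
      Wscript.Echo objRS.Fields(0).Value
      objRS.MoveNext
   wend
end if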
Discussion
Users in Active Directory can either be enabled or disabled. A disabled user cannot log in to the domain. Unlike account lockout, which is an automatic process that is based on the number of times a user incorrectly enters a password, an account has to be manually enabled or disabled.
All disabled user accounts have the bit that represents 2 (0010) set
in their userAccountControl ...
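The bit test that the filter in the Solution performs, modeled offline as an added example (this is not code from the book). It shows why the filter uses the bitwise-AND matching rule 1.2.840.113556.1.4.803 instead of a plain equality test. The account names, the sample userAccountControl values, and the function names are constructed for illustration.

```python
# Added example: offline model of the LDAP bitwise-AND matching rule
# (OID 1.2.840.113556.1.4.803) applied to userAccountControl.
# The account records are constructed sample data, not directory output.

ACCOUNTDISABLE = 0x0002          # the "2" bit the filter tests
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

def bit_and_match(uac, mask):
    """True when every bit in mask is set in uac (the ...803 rule)."""
    return uac & mask == mask

def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]

def find_disabled(accounts):
    """Equivalent of (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return [a["name"] for a in accounts
            if bit_and_match(a["uac"], ACCOUNTDISABLE)]

def find_by_equality(accounts, value=2):
    """What a plain (userAccountControl=2) filter would return."""
    return [a["name"] for a in accounts if a["uac"] == value]

# Constructed sample accounts (hypothetical names and values).
SAMPLE = [
    {"name": "alice", "uac": 512},         # enabled normal account
    {"name": "bob", "uac": 514},           # 512 + 2: disabled
    {"name": "svc-backup", "uac": 66050},  # 65536 + 512 + 2: disabled
    {"name": "carol", "uac": 66048},       # 65536 + 512: enabled
    {"name": "dave", "uac": 546},          # 512 + 32 + 2: disabled
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(acct["name"], acct["uac"], decode(acct["uac"]))
    print("bitwise AND :", find_disabled(SAMPLE))
    print("equality (2):", find_by_equality(SAMPLE))
```

The equality test returns nothing because a disabled account carries other flags alongside the 2 bit, so its stored value is 514 or 66050 and never exactly 2.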