6.13. Finding Disabled Users
Problem
You want to find disabled users in a domain.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
In the left pane, connect to the domain you want to query.
Right-click on the domain and select Find.
Beside Find, select Common Queries.
Check the box beside “disabled accounts.”
Click the Find Now button.
Using a command-line interface
> dsquery user <DomainDN> -disabled
Using VBScript
' This code finds all disabled user accounts in a domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>" ' e.g. dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
' The filter uses the LDAP_MATCHING_RULE_BIT_AND matching rule
' (1.2.840.113556.1.4.803) to test whether bit 2 (ACCOUNTDISABLE)
' is set in userAccountControl.
strBase = "<LDAP://" & strDomainDN & ">;"
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
            "(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs = "name;"
strScope = "subtree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend
Discussion
Users in Active Directory can be either enabled or disabled. A disabled user cannot log on to the domain. Unlike account lockout, which happens automatically after a configured number of incorrect password attempts, an account is enabled or disabled deliberately, by an administrator or by a script.
All disabled user accounts have the bit that represents 2 (0010) set in their userAccountControl ...
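The following is an added example, not code from the Active Directory Cookbook, that shows what the recipe's filter actually tests. It evaluates the bitwise matching rule locally against a constructed set of accounts (no directory is contacted) and builds the same filter string for the decimal flag value. The flag constants and the two matching-rule OIDs are the documented Active Directory values; the account names and userAccountControl values are made up for illustration. It goes slightly beyond the recipe by also showing the bitwise-OR rule (1.2.840.113556.1.4.804) and a combined-flag query.

```python
"""
Added example (not from the Active Directory Cookbook): evaluate the
userAccountControl bit test that the recipe's LDAP filter performs, and
build that filter for one or more flags. The sample accounts below are
constructed; nothing here talks to a domain controller.
"""

# Documented userAccountControl flag values (UF_* constants).
ACCOUNTDISABLE = 0x0002        # the "2 (0010)" bit the recipe refers to
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Matching-rule OIDs used in Active Directory extensible-match filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all given bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any given bit set


def uac_filter(flags, all_bits=True):
    """Return the recipe's user filter, testing for ALL (803) or ANY (804)
    of `flags` in userAccountControl. The value is written in decimal,
    which is what the matching rule expects."""
    rule = LDAP_MATCHING_RULE_BIT_AND if all_bits else LDAP_MATCHING_RULE_BIT_OR
    return ("(&(objectclass=user)(objectcategory=person)"
            f"(useraccountcontrol:{rule}:={flags}))")


def bit_match(uac, flags, all_bits=True):
    """Local equivalent of the 803 / 804 matching rules on one value."""
    if all_bits:
        return uac & flags == flags
    return uac & flags != 0


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set."""
    return bit_match(uac, ACCOUNTDISABLE)


# Constructed sample data: (sAMAccountName-style name, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("jsmith", NORMAL_ACCOUNT),                                     # enabled
    ("svc-backup", NORMAL_ACCOUNT | ACCOUNTDISABLE),                # disabled
    ("temp01", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD),
    ("mjones", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),              # enabled
]


def find_disabled(accounts):
    """Names of accounts that the recipe's filter would return."""
    return [name for name, uac in accounts if is_disabled(uac)]


def find_matching(accounts, flags, all_bits=True):
    """Names of accounts matching an arbitrary AND / OR bit query."""
    return [name for name, uac in accounts if bit_match(uac, flags, all_bits)]


if __name__ == "__main__":
    print(uac_filter(ACCOUNTDISABLE))
    for name in find_disabled(SAMPLE_ACCOUNTS):
        print("disabled:", name)
```

Two points worth keeping in mind when adapting the filter: the value after `:=` must be the decimal sum of the flags (2, not 0x2), and this query says nothing about locked-out accounts, which the Discussion distinguishes from disabled ones and which require a separate check. On a current domain, `Search-ADAccount -AccountDisabled` from the ActiveDirectory PowerShell module runs the same test for you.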