Here's a fast way to find all the disabled user accounts in your Active Directory forest.
Disabled accounts are accounts that still exist in Active Directory but cannot be used to log on to the network. For example, when an employee moves on to a different company, a common practice is to disable the individual's user account instead of deleting it. That way, the account can be reassigned to the individual's replacement, renamed, and used to access all the resources the previous employee had permission to access. (Because the account keeps its SID and group memberships, review those memberships before re-enabling it rather than assuming the replacement needs everything the old owner had.) Sometimes, though, you might forget which accounts have been disabled on your network, and it would be nice to have a way to find all disabled accounts.
You can use this VBScript to do just that: locate all of the disabled accounts in Active Directory. This is useful for inventory purposes but also for security, for example to verify that the Guest account and other accounts that should never be used are in fact still disabled on your network.
Simply type the script into Notepad (with Word Wrap turned off) and save it with a .vbs extension as DisabledAccounts.vbs:
Const ADS_UF_ACCOUNTDISABLE = 2   ' flag bit in userAccountControl

' Query the global catalog through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Search the whole forest for user objects, returning only the two
' attributes we need (both are replicated to the global catalog)
objCommand.CommandText = _
    "<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _
    ";userAccountControl,distinguishedName;subtree"

' Ask for paged results; otherwise the server stops at its MaxPageSize
' limit (1000 objects by default) and the remaining accounts are silently dropped
objCommand.Properties("Page Size") = 1000

Set objRecordSet = objCommand.Execute

intCounter = 0
While Not objRecordset.EOF
    intUAC = objRecordset.Fields("userAccountControl")
    ' Bitwise AND: the account is disabled when the flag bit is set
    If intUAC AND ADS_UF_ACCOUNTDISABLE Then
        WScript.Echo objRecordset.Fields("distinguishedName") & " is disabled"
        intCounter = intCounter + 1
    End If
    objRecordset.MoveNext
Wend

WScript.Echo vbCrLf & "A total of " & intCounter & " accounts are disabled."
objConnection.Close
Make sure you have the latest scripting engines on the workstation you run this script from. You can download the latest scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). Also, Active Directory Services Interface (ADSI) calls run with the rights of the account executing the script, so you need the same rights you would need to view these accounts with the built-in administrative tools; the script can only report what that account is allowed to read.
To use the script, simply change this line to specify your own forest root domain:
"<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _
For example, if your forest root domain is mtit.com, then the line should read:
"<GC://dc=mtit,dc=com>;(objectCategory=User)" & _
Then, run the script by creating a shortcut to it and double-clicking on the shortcut. The output of the script is a series of dialog boxes, an example of which is shown in Figure 3-2. If you would rather see the results in a console window (and redirect them to a file), run the script from a command prompt with cscript //nologo DisabledAccounts.vbs instead of double-clicking it.
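The same check written for PowerShell, as an added example that is not part of the original page or its script. It uses the .NET DirectorySearcher (no RSAT or ActiveDirectory module required) with a server-side bitwise LDAP filter, requests paged results so large forests are not truncated, and then verifies that a list of accounts which must stay disabled really are. The forest root fabrikam.com is the placeholder used in the text, and the must-be-disabled list (Guest and krbtgt, both created disabled in every domain) is an assumption you should extend with your own parked accounts.

```powershell
# Added example, not part of the original page or script.
# Assumptions: the forest root is fabrikam.com (the placeholder used in the text),
# and the account running the script can read userAccountControl, as the
# built-in administrative tools require.
param(
    [string]$SearchRoot = 'GC://dc=fabrikam,dc=com',
    # Accounts that should never be enabled. Guest and krbtgt are created
    # disabled in every domain; add your own parked or legacy accounts here.
    [string[]]$MustBeDisabled = @('Guest', 'krbtgt')
)

$ADS_UF_ACCOUNTDISABLE = 2

function New-ForestSearcher {
    param([string]$Filter)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]$SearchRoot
    $s.SearchScope = 'Subtree'
    $s.Filter      = $Filter
    # Paged results: without this the DC stops at MaxPageSize (1000 by default)
    # and the remaining accounts are silently dropped.
    $s.PageSize    = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'samaccountname', 'useraccountcontrol'))
    return $s
}

function Convert-SearchResult {
    param([System.DirectoryServices.SearchResult]$Result)
    $uac = [int]$Result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        SamAccountName    = [string]$Result.Properties['samaccountname'][0]
        DistinguishedName = [string]$Result.Properties['distinguishedname'][0]
        Disabled          = (($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
    }
}

# 1. Every disabled user in the forest. The OID 1.2.840.113556.1.4.803 is
#    LDAP_MATCHING_RULE_BIT_AND, so the DC tests the flag bit server-side and
#    returns only disabled accounts, instead of pulling every user and testing
#    the bit client-side as the VBScript does.
$disabledFilter = "(&(objectCategory=person)(objectClass=user)" +
                  "(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_ACCOUNTDISABLE))"
$disabled = @((New-ForestSearcher $disabledFilter).FindAll() | ForEach-Object { Convert-SearchResult $_ })

$disabled | Sort-Object DistinguishedName |
    Format-Table SamAccountName, DistinguishedName -AutoSize
"A total of $($disabled.Count) accounts are disabled."

# 2. Security check: look up each must-be-disabled account by name in every
#    domain of the forest and fail if any copy of it is enabled.
$problems = @(foreach ($name in $MustBeDisabled) {
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    (New-ForestSearcher $filter).FindAll() |
        ForEach-Object { Convert-SearchResult $_ } |
        Where-Object { -not $_.Disabled }
})

if ($problems.Count -gt 0) {
    Write-Warning "Accounts that should be disabled but are enabled:"
    $problems | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
    exit 1
}
"All accounts in the must-be-disabled list are disabled."
```

Run it as .\DisabledAccounts.ps1 (or pass -SearchRoot 'GC://dc=mtit,dc=com' for a different forest). The non-zero exit code on failure lets you schedule it and alert when a Guest account in any domain has quietly been re-enabled, which is the check the text recommends.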