Hack 27 Get a List of Disabled Accounts

figs/moderate.gif figs/hack27.gif

Here's a fast way to determine any disabled user accounts in your Active Directory forest.

Disabled accounts are accounts that still exist in Active Directory but cannot be used to log on to the network. For example, when an employee moves on to a different company, a common practice is to disable the individual's user account instead of deleting it. That way, the account can be reassigned to the individual's replacement, renamed, and used to access all the resources the previous employee had permission to access. Sometimes, though, you might forget which accounts have been disabled on your network, and it would be nice to have a way to find all disabled accounts.

You can use this VBScript to do just that?locate all of the disabled accounts in Active Directory. This is useful for inventory purpose but also for security?for example, to verify that the Guest account and other vulnerable accounts are in fact still disabled on your network.

The Code

Simply type the script into Notepad (with Word Wrap turned off) and save it with a .vbs extension as DisabledAccounts.vbs:


Set objConnection = CreateObject("ADODB.Connection")

objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")

objCommand.ActiveConnection = objConnection

objCommand.CommandText = _

"<GC://dc=rootdomain,dc=com>;(objectCategory=User)" & _


Set objRecordSet = objCommand.Execute

intCounter = 0

While Not objRecordset.EOF



WScript.echo objRecordset.Fields("distinguishedName") & " is disabled"

intCounter = intCounter + 1

End If



WScript.Echo VbCrLf & "A total of " & intCounter & " accounts are disabled."


Make sure you have the latest scripting engines on the workstation you run this script from. You can download the latest scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). Also, when working with the Active Directory Services Interface (ADSI), you must have the same applicable rights you need to use the built-in administrative tools.

Running the Hack

To use the script, simply change this line to specify your own forest root domain:

"<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _

For example, if your forest root domain is mtit.com, then the line should read:

"<GC://dc=mtit,dc=com>;(objectCategory=User)" & _

Then, run the script by creating a shortcut to it and double-clicking on the shortcut. The output of the script is a series of dialog boxes, an example of which is shown in Figure 3-2.

Figure 3-2. Displaying disabled domain user accounts

?Rod Trent