Hack 27 Get a List of Disabled Accounts


Here's a fast way to find all disabled user accounts in your Active Directory forest.

Disabled accounts are accounts that still exist in Active Directory but cannot be used to log on to the network. For example, when an employee moves on to a different company, a common practice is to disable the individual's user account instead of deleting it. That way, the account can be reassigned to the individual's replacement, renamed, and used to access all the resources the previous employee had permission to access. Sometimes, though, you might forget which accounts have been disabled on your network, and it would be nice to have a way to find all disabled accounts.

You can use this VBScript to do just that: locate all of the disabled accounts in Active Directory. This is useful for inventory purposes, but also for security; for example, to verify that the Guest account and other vulnerable accounts are in fact still disabled on your network.

The Code

Simply type the script into Notepad (with Word Wrap turned off) and save it with a .vbs extension as DisabledAccounts.vbs:

Option Explicit
Dim objConnection, objCommand, objRecordSet, intUAC, intCounter

' Bit 2 of userAccountControl is the "account disabled" flag
Const ADS_UF_ACCOUNTDISABLE = 2

' Open the Global Catalog through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Without paging, the server silently stops after 1000 objects
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = _
    "<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _
    ";userAccountControl,distinguishedName;subtree"
Set objRecordSet = objCommand.Execute

intCounter = 0
While Not objRecordSet.EOF
    intUAC = objRecordSet.Fields("userAccountControl").Value
    ' Bitwise And: a nonzero result means the disabled flag is set
    If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        WScript.Echo objRecordSet.Fields("distinguishedName").Value & " is disabled"
        intCounter = intCounter + 1
    End If
    objRecordSet.MoveNext
Wend

WScript.Echo vbCrLf & "A total of " & intCounter & " accounts are disabled."

objRecordSet.Close
objConnection.Close

Make sure you have the latest scripting engines on the workstation you run this script from. You can download the latest scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). Also, when working with the Active Directory Services Interface (ADSI), you must have the same rights you would need to perform the task with the built-in administrative tools.
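The same userAccountControl bit test, rewritten as an added Python example (not part of the original hack) so it can run offline against constructed records in the shape the ADO query returns. It goes one step further than the script: it also answers the security question raised above, whether accounts that are expected to be disabled (Guest and the like) actually are. The record layout, the sample accounts and the expected-account names are assumptions for this example.

```python
ADS_UF_ACCOUNTDISABLE = 0x0002  # the bit the hack's VBScript tests

# Server-side equivalent of the client-side loop: the LDAP bitwise-AND
# matching rule makes the Global Catalog return only disabled accounts.
DISABLED_LDAP_FILTER = (
    "(&(objectCategory=User)"
    "(userAccountControl:1.2.840.113556.1.4.803:=2))"
)


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set, as in the VBScript's If."""
    return (int(uac) & ADS_UF_ACCOUNTDISABLE) != 0


def list_disabled(records):
    """distinguishedName of every record whose account is disabled."""
    return [r["distinguishedName"] for r in records
            if is_disabled(r["userAccountControl"])]


def check_expected_disabled(records, expected_cns):
    """CNs from expected_cns that are enabled or missing; empty means all good.
    Assumes plain DNs (no escaped commas) so the first RDN is the CN."""
    state = {}
    for r in records:
        cn = r["distinguishedName"].split(",")[0][3:]  # "CN=Guest,..." -> "Guest"
        state[cn.lower()] = is_disabled(r["userAccountControl"])
    return sorted(cn for cn in expected_cns if not state.get(cn.lower(), False))


# Constructed sample records (assumed values, not real directory data).
SAMPLE = [
    {"distinguishedName": "CN=Guest,CN=Users,DC=fabrikam,DC=com",
     "userAccountControl": 66082},   # NORMAL|DONT_EXPIRE|PASSWD_NOTREQD|DISABLED
    {"distinguishedName": "CN=krbtgt,CN=Users,DC=fabrikam,DC=com",
     "userAccountControl": 514},     # NORMAL|DISABLED
    {"distinguishedName": "CN=jsmith,OU=Sales,DC=fabrikam,DC=com",
     "userAccountControl": 512},     # NORMAL, enabled
    {"distinguishedName": "CN=svc-backup,OU=Service,DC=fabrikam,DC=com",
     "userAccountControl": 66048},   # NORMAL|DONT_EXPIRE, enabled
]

if __name__ == "__main__":
    for dn in list_disabled(SAMPLE):
        print(dn, "is disabled")
    print("A total of", len(list_disabled(SAMPLE)), "accounts are disabled.")
    print("Expected-disabled accounts that are enabled or missing:",
          check_expected_disabled(SAMPLE, ["Guest", "krbtgt", "svc-backup"]))
```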

Running the Hack

To use the script, simply change this line to specify your own forest root domain:

"<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _

For example, if your forest root domain is mtit.com, then the line should read:

"<GC://dc=mtit,dc=com>;(objectCategory=User)" & _

Then, run the script by creating a shortcut to it and double-clicking on the shortcut. The output of the script is a series of dialog boxes, an example of which is shown in Figure 3-2.

Figure 3-2. Displaying disabled domain user accounts

-- Rod Trent