Recipe 6.13 Finding Disabled Users

6.13.1 Problem

You want to find disabled users in a domain.

6.13.2 Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, connect to the domain you want to query.

  3. Right-click on the domain and select Find.

  4. Beside Find, select Common Queries.

  5. Check the box beside "disabled accounts."

  6. Click the Find Now button.

Using a command-line interface

> dsquery user <DomainDN> -disabled

Using VBScript

' This code finds all disabled user accounts in a domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>"    ' e.g. dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' ADO search string: <base>;<filter>;<attributes>;<scope>
strBase   = "<LDAP://" & strDomainDN & ">;"
' Bitwise-AND matching rule (1.2.840.113556.1.4.803): matches when the
' ACCOUNTDISABLE bit (2) is set in userAccountControl, whatever else is set.
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
            "(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs  = "name;"
strScope  = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

6.13.3 Discussion

Users in Active Directory are either enabled or disabled. A disabled user cannot log on to the domain. Unlike account lockout, which happens automatically after a user enters an incorrect password a configured number of times, an account is enabled or disabled only by an explicit administrative action.

All disabled user accounts have the bit that represents 2 (0010) set in their userAccountControl attribute. This doesn't mean that the attribute will be equal to 2; it means only that the bit with value 2 is set, and other bits may also be set. This is why the LDAP filter uses the bitwise-AND matching rule rather than an equality test. See Recipe 4.9 and Recipe 4.12 for a more detailed explanation of bit flags.
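As an added illustration (not code from the recipe), the following Python models the point above: it decodes userAccountControl values into their flag names, shows that an equality test against 2 misses every real disabled account, and builds the same bitwise-AND LDAP filter the VBScript solution sends. The flag constants are the documented Microsoft userAccountControl bits; the account names and values are constructed sample data.

```python
"""Decode userAccountControl bit flags and build the disabled-users LDAP filter.

Added example, not code from the Active Directory Cookbook. The flag values are
the documented Microsoft userAccountControl bits; SAMPLE_ACCOUNTS is constructed.
"""
from typing import Dict, List

# Documented userAccountControl flag bits (subset relevant to this recipe).
ACCOUNTDISABLE = 0x0002       # the bit this recipe searches for
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}

# LDAP_MATCHING_RULE_BIT_AND: matches when every bit in the value is set in the attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, regardless of the other bits."""
    return uac & ACCOUNTDISABLE != 0


def decode_uac(uac: int) -> List[str]:
    """Name every known flag set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def disabled_users_filter() -> str:
    """The LDAP filter the recipe's VBScript uses: a bitwise AND on userAccountControl."""
    return ("(&(objectclass=user)(objectcategory=person)"
            f"(userAccountControl:{BIT_AND_RULE}:=2))")


def find_disabled(accounts: Dict[str, int]) -> List[str]:
    """Names of accounts whose userAccountControl has ACCOUNTDISABLE set (the correct test)."""
    return sorted(name for name, uac in accounts.items() if is_disabled(uac))


def find_equal_to_two(accounts: Dict[str, int]) -> List[str]:
    """Names matched by the naive test userAccountControl == 2 (the wrong test)."""
    return sorted(name for name, uac in accounts.items() if uac == 2)


# Constructed sample data: sAMAccountName -> userAccountControl value.
SAMPLE_ACCOUNTS = {
    "jsmith": 512,        # NORMAL_ACCOUNT, enabled
    "svc-backup": 66048,  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD, enabled
    "rallen": 514,        # NORMAL_ACCOUNT + ACCOUNTDISABLE
    "old-admin": 66082,   # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD + PASSWD_NOTREQD + ACCOUNTDISABLE
}

if __name__ == "__main__":
    print("filter:", disabled_users_filter())
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:<11} {uac:>6}  {'DISABLED' if is_disabled(uac) else 'enabled ':<8} "
              f"{'|'.join(decode_uac(uac))}")
    print("bit test finds:     ", find_disabled(SAMPLE_ACCOUNTS))
    print("equality test finds:", find_equal_to_two(SAMPLE_ACCOUNTS))
```

Every real account carries at least NORMAL_ACCOUNT (512), so no disabled user ever has userAccountControl exactly equal to 2; the bit test finds both disabled sample accounts while the equality test finds none.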

6.13.4 See Also

Recipe 6.12 for enabling and disabling users
