Recipe 6.13 Finding Disabled Users
6.13.1 Problem
You want to find disabled users in a domain.
6.13.2 Solution
6.13.2.1 Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
In the left pane, connect to the domain you want to query.
Right-click on the domain and select Find.
Beside Find, select Common Queries.
Check the box beside "disabled accounts."
Click the Find Now button.
6.13.2.2 Using a command-line interface
> dsquery user <DomainDN> -disabled
6.13.2.3 Using VBScript
' This code finds all disabled user accounts in a domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>" ' e.g. dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
strBase = "<LDAP://" & strDomainDN & ">;"
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
"(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs = "name;"
strScope = "subtree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
Wscript.Echo objRS.Fields(0).Value
objRS.MoveNext
wend
6.13.3 Discussion
Users in Active Directory can either be enabled or disabled. A disabled user cannot log in to the domain. Unlike account lockout, which is an automatic process that is based on the number of times a user incorrectly enters a password, an account has to be manually enabled or disabled.
All disabled user accounts have the bit that represents 2 (0010) set in their userAccountControl attribute. This doesn't mean that the attribute will be equal to 2, it just means that the bit that equals 2 will be enabledother bits may also be set. See Recipe 4.9 and Recipe 4.12 for a more detailed explanation of bit flags.
6.13.4 See Also
Recipe 6.12 for enabling and disabling users
