Bob said:
What object keeps track of whether a User Account is Disabled/Enabled in
Active Directory? How would I extract this information from Active
Directory?
Thanks, Bob
Hi,
The userAccountControl attribute of the user object indicates whether the
account is disabled (among other things). A query for all disabled user
accounts would be (watch line wrapping):
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
The unusual syntax is to test one bit of userAccountControl, the bit that
indicates if the account is disabled. In ADUC on the View pulldown you can
select "Filter Options...", click on "Create custom filter", click the
"Customize..." button, then on the Advanced tab enter the LDAP query above.
After this, ADUC will only show disabled users.
You can also run a script that uses ADO to query for all disabled users and
return their names. For info on this, see this link:
http://www.rlmueller.net/ADOSearchTips.htm
For example, a VBScript program to display the NT names ("pre-Windows 2000
logon names") of all disabled user objects would be:
Option Explicit
Dim objCommand, objConnection, strBase, strFilter, strAttributes
Dim strQuery, objRecordset, strName
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
' Search entire domain.
strBase = "<LDAP://dc=MyDomain,dc=com>"
' Filter on disabled user objects.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=2))"
' Retrieve NT Name of user accounts, the sAMAccountName attribute.
strAttributes = "sAMAccountName"
' Construct the query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
' Run the ADO query.
Set objRecordSet = objCommand.Execute
' Enumerate the resulting recordset.
Do Until objRecordSet.EOF
    strName = objRecordSet.Fields("sAMAccountName").Value
    Wscript.Echo "Disabled account: " & strName
    objRecordSet.MoveNext
Loop
objConnection.Close
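
An added example, not part of the original post: a small Python evaluator showing what the :1.2.840.113556.1.4.803:= clause in the filter above does to userAccountControl, and why a plain equality test such as (userAccountControl=514) misses disabled accounts that carry other flags. It goes beyond the post by also handling the companion bitwise-OR rule (1.2.840.113556.1.4.804). The sample entries and the function names matches, decode and search are constructed for illustration.

```python
import re

# Matching-rule OIDs Active Directory defines for integer attributes.
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits of the operand are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit of the operand is set

# A subset of the documented userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# One simple clause: (attr=N) or (attr:OID:=N). Not a full LDAP filter parser.
CLAUSE = re.compile(r"^\((\w+)(?::([\d.]+):)?=(\d+)\)$")

def matches(clause, entry):
    """Evaluate a single integer clause against an entry (dict)."""
    m = CLAUSE.match(clause)
    if not m:
        raise ValueError("unsupported clause: " + clause)
    attr, rule, operand = m.group(1), m.group(2), int(m.group(3))
    if attr not in entry:
        return False
    value = entry[attr]
    if rule is None:
        return value == operand             # exact match on the whole integer
    if rule == BIT_AND:
        return (value & operand) == operand
    if rule == BIT_OR:
        return (value & operand) != 0
    raise ValueError("unknown matching rule: " + rule)

def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

# Constructed sample entries (not real directory data).
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # enabled
    {"sAMAccountName": "bob", "userAccountControl": 514},      # disabled
    {"sAMAccountName": "carol", "userAccountControl": 66048},  # enabled, no expiry
    {"sAMAccountName": "dave", "userAccountControl": 66050},   # disabled, no expiry
    {"sAMAccountName": "erin", "userAccountControl": 546},     # disabled, no pwd required
]

def search(clause):
    return [e["sAMAccountName"] for e in SAMPLE if matches(clause, e)]
```
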