Query Disabled Date

Thread starter: Kurt Levitan
Is there a way to query when a user account was disabled?
I need to generate a list of all accounts that were disabled over 30 days
ago and then delete them.

Thanks!
- Kurt
 
You need to look at 2 fields: "userAccountControl" and "whenChanged"

A 0x2 in userAccountControl indicates a disabled account. "whenChanged"
should tell you when the account was disabled.
 
Thank you for this information. However, I am not knowledgeable enough to
know how to use it. Is there a script that I would use to do the query?
 
The following vbscript code should be a good starting point. Make sure you
change the XXX, YYY, ZZZ to your specific base DN.
'------------------------------------------------------------------
' Enumerate user objects under the base DN and print each sAMAccountName
' together with its userAccountControl value in hex.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Page the results so domains with more than 1000 users are returned in full
objCommand.Properties("Page Size") = 1000
' Restrict to user objects: objectCategory=person alone also matches contacts,
' which have no userAccountControl attribute.
cmdText = "<LDAP://DC=XXX,DC=YYY,DC=ZZZ>;(&(objectCategory=person)(objectClass=user));sAMAccountName,userAccountControl;subtree"
objCommand.CommandText = cmdText
Set rs = objCommand.Execute
While Not rs.EOF
    WScript.Echo rs("sAMAccountName"), Hex(rs("userAccountControl"))
    rs.MoveNext
Wend
rs.Close
objConnection.Close
'-------------------------------------------------------------------
NOTE that disabled users will show up as having "2" as the last Hex digit in
userAccountControl
 
That is somewhat correct.

useraccountcontrol and 2 is correct for a disabled user; however, the whenChanged
value could reflect a change other than that disable operation. If someone wants
to know for sure when useraccountcontrol was changed, they need to look at
metadata, and even then you won't know if the last change was the disable or
something else to that attribute.

joe
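The following PowerShell is an added example, not code from anyone in this thread. It puts the two posts above together: it selects disabled accounts with the 0x2 bit of userAccountControl via the LDAP bitwise-AND matching rule, then reads the replication metadata for userAccountControl so the age is measured from the last change to that attribute rather than from whenChanged, which moves on any edit. It assumes the RSAT ActiveDirectory module (Get-ADReplicationAttributeMetadata needs the Windows Server 2012 or later version), a reachable domain controller, and a 30-day cutoff. As joe notes, even the metadata only says when userAccountControl last changed, not that the change was the disable, so the output is a review list and deletion is left as a commented-out step.

```powershell
# Added example: list accounts disabled more than 30 days ago, dating the
# disable from the replication metadata of userAccountControl rather than
# from whenChanged. Assumes RSAT ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

$cutoffDays = 30                                   # assumption: 30-day policy
$cutoff     = (Get-Date).AddDays(-$cutoffDays)
$dc         = (Get-ADDomain).PDCEmulator           # any writable DC will do

# userAccountControl bit 0x2 = ACCOUNTDISABLE. The matching rule
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so this filter
# matches any value with that bit set (0x202, 0x222, 0x10202, ...), which is
# more reliable than inspecting the last hex digit by eye.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2))'

$disabled = Get-ADUser -LDAPFilter $filter -Server $dc `
                       -Properties userAccountControl, whenChanged

$report = foreach ($u in $disabled) {
    # Replication metadata records when userAccountControl itself last
    # changed. Later edits to other attributes bump whenChanged but leave
    # this timestamp alone. It still cannot prove that the last change to
    # the attribute was the disable (another UAC bit may have been toggled
    # afterwards), so treat the result as a candidate list, not a verdict.
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
                -Server $dc -Properties userAccountControl

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        UAC             = ('0x{0:X}' -f $u.userAccountControl)
        WhenChanged     = $u.whenChanged
        UacLastChanged  = $meta.LastOriginatingChangeTime
        UacVersion      = $meta.Version   # number of writes to the attribute
    }
}

# Candidates: disabled, and userAccountControl untouched for the cutoff period.
$stale = $report | Where-Object { $_.UacLastChanged -lt $cutoff } |
         Sort-Object UacLastChanged

$stale | Format-Table -AutoSize

# Deletion is intentionally not automatic. After reviewing the list:
# $stale | ForEach-Object { Remove-ADUser -Identity $_.SamAccountName -Confirm:$true }
```

Rows where WhenChanged is much later than UacLastChanged are exactly the cases the second post's whenChanged approach would have misdated; a UacVersion well above 2 (create plus one disable) is a hint that the attribute has been modified more than once and the last change may not have been the disable.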
 