A PowerShell script to find disabled users in Active Directory: The script uses the typical System.DirectoryServices.DirectorySearcher code to search AD. The key, as always is the search filter. In this case, we're searching for disabled users. Unfortunately, there is no attribute that holds the enabled/disabled status of the user. Suprising. It turns out that the disabled status is stored as a bit in the useraccountcontrol attribute. This attribute contains a number that is made up of binary bits, each having a different meaning. You can look up the meaning of each bit on MSDN at http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx
Anyway, the second bit (2) is the account disabled bit.
Microsoft has given us a way to make a search filter that can search against a bit in an attribute, called LDAP matching rules. They are specified by OID's (long ugly numbers). According to the Search Filter Syntax page (http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx), 1.2.840.113522.214.171.1243 is equivelant to a bitwise AND.
So here's the script. The search filter does a bitwise AND of the contents of the useraccountcontrol attribute and the number 2 (remember the 2 bit means disabled). So the script searches for everyone in your AD that has the 2 bit set (disabled users).
- Backup DFS Namespaces Using PowerShell
- Translate Active Directory Name Formats Using PowerShell
- List Linux Users in Active Directory Using PowerShell
- Enable Trust for Delegation in Active Directory Using PowerShell
- TCP/IP Subnet Math with PowerShell - What AD Site is that Server in?
- List Sites and Subnets in Active Directory with PowerShell
- Find Disabled Users in Active Directory with PowerShell
- List Forest-wide Group Memberships with PowerShell
- Find Old Computer Accounts in AD with PowerShell
- List SPNs in Active Directory with PowerShell
- List Domain Controllers in Active Directory