Find Disabled Users in Active Directory using VBScript

A Script to Find Disabled Users in Active Directory: Perl and PowerShell versions of this script are also available. The script uses our typical ADODB search code to search AD. The key, as always, is the search filter. In this case, we're searching for disabled users. Unfortunately, there is no attribute that holds the enabled/disabled status of the user on its own. Surprising. It turns out that the disabled status is stored as a bit in the userAccountControl attribute. This attribute contains a number made up of binary bits, each with a different meaning. The meaning of each bit is documented on MSDN.

Anyway, the second bit (value 2, ACCOUNTDISABLE) is the account-disabled bit.

Microsoft has given us a way to write a search filter that tests a bit in an attribute, called LDAP matching rules. They are specified by OIDs (long ugly numbers). According to the Search Filter Syntax page, 1.2.840.113556.1.4.803 is equivalent to a bitwise AND.

So here's the script. The search filter does a bitwise AND of the userAccountControl attribute and the number 2 (remember, the 2 bit means disabled), so the script finds everyone in your AD that has the 2 bit set, i.e. disabled users.

' Bind to RootDSE to discover the forest root naming context
Set dse = GetObject("LDAP://RootDSE")
root = dse.Get("RootDomainNamingContext")
' Search the Global Catalog so every domain in the forest is covered
base = "<GC://" & root & ">"
Set conn = CreateObject("ADODB.Connection")
Set comm = CreateObject("ADODB.Command")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set comm.ActiveConnection = conn
' Paged results, so large result sets are returned in full
comm.Properties("Page Size") = 500
' 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; bit 2 of
' userAccountControl is ACCOUNTDISABLE
comm.CommandText = base & ";(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));cn,displayName,distinguishedName;subtree"
Set rs = comm.Execute
Do Until rs.EOF
    Wscript.Echo rs.Fields(0).Value & " (" & rs.Fields(1).Value & ") " & rs.Fields(2).Value
    rs.MoveNext
Loop
rs.Close
conn.Close
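The following is an added example, not code from the original post: it models the userAccountControl bit flags and the semantics of the 1.2.840.113556.1.4.803 matching rule in plain Python, so the filter logic can be checked offline before it is run against a directory. The flag names and values are Microsoft's documented ADS_USER_FLAG_ENUM values; the sample accounts are constructed and not real directory data. It also shows the caveat a practitioner hits when extending the filter: the AND rule with a multi-bit mask matches only accounts that have every bit in the mask set.

```python
# Added example (not part of the original post). Models userAccountControl
# flags and the LDAP bitwise-AND matching rule so the filter can be
# reasoned about offline.

# userAccountControl bit flags (Microsoft ADS_USER_FLAG_ENUM values).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# LDAP_MATCHING_RULE_BIT_AND, the OID used in the post's search filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_filter(mask, attribute="userAccountControl"):
    """Build the LDAP filter clause the post uses, for an arbitrary bit mask."""
    return f"({attribute}:{BIT_AND_RULE}:={mask})"


def matches_bit_and(value, mask):
    """Semantics of the AND rule: every bit in the mask must be set in value."""
    return (value & mask) == mask


# Constructed sample accounts (hypothetical names, not real directory data).
SAMPLE_ACCOUNTS = [
    {"cn": "alice", "userAccountControl": 0x0200},                      # enabled
    {"cn": "bob", "userAccountControl": 0x0200 | 0x0002},               # disabled
    {"cn": "svc-db", "userAccountControl": 0x0200 | 0x10000},           # pwd never expires
    {"cn": "carol", "userAccountControl": 0x0200 | 0x0002 | 0x10000},   # disabled + never expires
    {"cn": "dave", "userAccountControl": 0x0200 | 0x0020},              # no password required
]


def find_accounts(accounts, mask):
    """Apply the bitwise-AND filter locally and return the matching cn values."""
    return [a["cn"] for a in accounts
            if matches_bit_and(a["userAccountControl"], mask)]


if __name__ == "__main__":
    print(bit_and_filter(2))
    print("disabled:", find_accounts(SAMPLE_ACCOUNTS, 0x0002))
    # Caveat: a two-bit mask under the AND rule matches only accounts
    # that have BOTH bits set, not either one.
    print("disabled AND passwd-not-required:",
          find_accounts(SAMPLE_ACCOUNTS, 0x0002 | 0x0020))
    for a in SAMPLE_ACCOUNTS:
        print(a["cn"], decode_uac(a["userAccountControl"]))
```

`find_accounts` with mask 2 returns exactly the accounts the post's filter would return; `decode_uac` is useful when reviewing the raw attribute value of an account that turned up unexpectedly, since 514 (NORMAL_ACCOUNT plus ACCOUNTDISABLE) is far easier to read as a list of flag names.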

