
Anyway, the second bit (value 2) is the account-disabled bit.
Microsoft has given us a way to write a search filter that tests an individual bit of an attribute, called LDAP matching rules. They are specified by OIDs (long ugly numbers). According to the Search Filter Syntax page (http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx), 1.2.840.113556.1.4.803 is equivalent to a bitwise AND.
So here's the script. The search filter does a bitwise AND of the contents of the useraccountcontrol attribute and the number 2 (remember the 2 bit means disabled). So the script searches for everyone in your AD that has the 2 bit set (disabled users).
' Find the forest root and search the Global Catalog from there
Set dse = GetObject("LDAP://RootDSE")
root = dse.Get("RootDomainNamingContext")
base = "<GC://" & root & ">"

' Open an ADO connection through the ADSI OLE DB provider; paging keeps
' result sets larger than the server's page limit from being truncated
Set conn = CreateObject("ADODB.Connection")
Set comm = CreateObject("ADODB.Command")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set comm.ActiveConnection = conn
comm.Properties("Page Size") = 500

' Filter: users whose userAccountControl AND 2 is non-zero (the disabled bit)
comm.CommandText = base & ";(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));cn,displayName,distinguishedName;subtree"
Set rs = comm.Execute

' Print cn (displayName) distinguishedName for every disabled account
Do Until rs.EOF
    Wscript.Echo rs.Fields(0).Value & " (" & rs.Fields(1).Value & ") " & rs.Fields(2).Value
    rs.MoveNext
Loop
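To show what the matching rule actually evaluates, here is an added Python example (not part of the original post) that builds the same filter, applies the 803 (AND) rule offline against constructed sample userAccountControl values, and decodes the bits it finds; it also goes beyond the post by handling the companion 1.2.840.113556.1.4.804 (bitwise OR) rule. The user entries are constructed sample data, not real accounts.

```python
import re

# userAccountControl flag bits (well-known values from Microsoft's documentation)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Matching-rule OIDs used in AD filters: 803 = bitwise AND, 804 = bitwise OR
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

def disabled_users_filter():
    """The filter the VBScript above sends: users with the disabled bit (2) set."""
    return f"(&(objectCategory=User)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2))"

_RULE = re.compile(r"^\(userAccountControl:([\d.]+):=(\d+)\)$")

def rule_matches(clause, uac):
    """Evaluate one extensible-match clause against a userAccountControl value
    the way the DC does: 803 requires ALL mask bits set, 804 requires ANY."""
    m = _RULE.match(clause)
    if not m:
        raise ValueError("not a userAccountControl matching-rule clause")
    oid, mask = m.group(1), int(m.group(2))
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return uac & mask == mask
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return uac & mask != 0
    raise ValueError(f"unsupported matching rule {oid}")

def decode_uac(uac):
    """Name every flag bit set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

# Constructed sample directory entries (not real accounts)
SAMPLE_USERS = [
    {"cn": "alice", "userAccountControl": 0x200},    # normal, enabled
    {"cn": "bob",   "userAccountControl": 0x202},    # normal, disabled
    {"cn": "svc1",  "userAccountControl": 0x10200},  # enabled, password never expires
    {"cn": "carol", "userAccountControl": 0x10222},  # disabled, no password required
]

def find_disabled(users):
    """Apply the same bitwise-AND clause locally and return matching cn values."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)"
    return [u["cn"] for u in users if rule_matches(clause, u["userAccountControl"])]
```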