Printout Header
RSS Feed

How to search and find disabled user accounts in Active Directory


We use the Active Directory attribute userAccountControl for this LDAP search. For disbled user accounts the flag bit UF_ACCOUNT_DISABLE (2) is set. The SelfADSI tutorial article about LDAP filters shows in detail how to search for single flags in such bit fields. For the general explanation of LDAP searches read the SelfADSI chapter 'Searching LDAP objects in the directory'.


Finding all disabled users in the own domain


This script finds all the disabled user accounts in the domain in which the current user is a member of:

ldapFilter = "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))" Set rootDSE = GetObject("LDAP://rootDSE") domainDN = rootDSE.Get("defaultNamingContext") Set ado = CreateObject("ADODB.Connection") ado.Provider = "ADSDSOObject" ado.Open "ADSearch" Set objectList = ado.Execute("<LDAP://" & domainDN & ">;" & ldapFilter & _  ";distinguishedName,samAccountName,displayname,userPrincipalName;subtree") While Not objectList.EOF userDN = objectList.Fields("distinguishedName") logonName = objectList.Fields("samAccountName") On Error Resume Next displayName = "" : displayName = objectList.Fields("displayname") logonNameUPN = "" : logonNameUPN = objectList.Fields("userPrincipalName") On Error Goto 0 WScript.Echo logonName & ";" & logonNameUPN & ";" & displayName & ";" & userDN objectList.MoveNext Wend

Some notes according to this script:

The LDAP filter which is used here to find user acounts in general is (samAccountType=805306368). Note that this is more efficient and faster than the filter (&(objectCategory=person)(objectClass=user)) which is used more often.

When we want to read the attributes, there is a trick used to prevent runtime errors in case of non existing values. First we set the variable to an empty string, then we try to read the attribute value - the runtime error handling is deactivated for these commands. We don't need this for attributes which are always there. The separating colon (:) is used to execute the two VBScript commands in the same line:

... On Error Resume Next displayName = "" : displayName = objectList.Fields("displayname") On Error Goto 0

Finding all disabled users in any domain / OU


This script finds all disabled user accounts in the specified domain or OU. Use the suitable LDAP path for your desired domain or container. You could set also other credentials for the search (username and password specified):

searchDN = "DC=example,DC=com" 'insert your own search base container or domain name serverName = "192.168.0.66" 'insert your own DC's name or address userName = InputBox("Enter user name","Credentials") 'you could also just use a static username instead, like "EXAMPLE\userXYZ" password = InputBox("Enter password","Credentials") 'you could also just use a static password instead, like "P@ssw0rd" ldapFilter = "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))" Set ado = CreateObject("ADODB.Connection") ado.Provider = "ADSDSOObject" ado.Properties("User ID") = userName ado.Properties("Password") = password ado.Properties("Encrypt Password") = True ado.Open "ADSearch" Set objectList = ado.Execute("<LDAP://" & serverName & "/" & searchDN & ">;" & ldapFilter & _  ";distinguishedName,samAccountName,displayname,userPrincipalName;subtree") While Not objectList.EOF userDN = objectList.Fields("distinguishedName") logonName = objectList.Fields("samAccountName") On Error Resume Next displayName = "" : displayName = objectList.Fields("displayname") logonNameUPN = "" : logonNameUPN = objectList.Fields("userPrincipalName") On Error Goto 0 WScript.Echo logonName & ";" & logonNameUPN & ";" & displayName & ";" & userDN objectList.MoveNext Wend
Tweet